Meltdown and Spectre - vulnerabilities to watch (and fix)

News by SC Staff

Almost all iPhones and Macs are at risk from Spectre chip security flaw according to industry reports.

Almost all iPhones and Macs are at risk from Spectre chip security flaw according to industry reports.

CPU data cache timing can be exploited to efficiently leak information out of mis-speculated execution, according to Jann Horn of Google's Project Zero. In a blog entitled, “Reading privileged memory with a side-channel,” he says that at worst this could lead to arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

This security issue could allow cyber-criminals to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in cloud computer networks. The current Meltdown patch could slow down processing by as much as 30 percent under certain workloads and Spectre could require many companies to redesign their processors, meaning there will be significant challenges for the semiconductor industry.

Joseph Carson, chief security scientist at Thycotic emailed SC Media UK to note how the problem follows shortly after a major issue with Apple being knowingly degrading performance on older devices supposedly due to battery issues. Now those devices will be affected with further degrading performance with this CPU security fix allegedly having up to a 30 percent impact on performance. Carson adds, “This begs the question, will older Apple devices even function?  This will be a big issue for Apple who knowingly abandon customers who use older devices forcing them to upgrade to the latest models, will Apple step up and honour fixing all devices affected by this major CPU security flaw?”


According to Rambus technology advisor Paul Kocher, and senior Rambus security engineer Mike Hamburg, were part of the team of security experts who first disclosed the Meltdown and Spectre security flaws, the Spectre threat is going to negatively affect the industry for decades to come.  Kocher told the NYT,  “Whereas Meltdown is an urgent crisis, Spectre affects virtually all fast microprocessors. We've really screwed up. There's been this desire from the industry to be as fast as possible and secure at the same time. Spectre shows that you cannot have both.”

Hamburg concurs saying, “Despite affecting system performance in certain cases, Meltdown is a vulnerability that should be patched immediately. However, beyond short-term solutions such as patching, the semiconductor industry should seriously consider designing chips that run sensitive cryptographic functions in a physically separate secure core, siloed away from the CPU. This design approach will go a long way in helping to prevent vulnerabilities that can be exploited by Meltdown and Spectre.”


The US Department of Homeland Security (DHS) recently recommended the use of hardware in devices that incorporate security features to strengthen the protection and integrity of the product, using computer chips that integrate security at the transistor level, embedded in the processor, to provide encryption and anonymity. It also recommends designing silicon with system and operational disruption in mind, to allow devices to fail safely and securely.


Kocher and Hamburg say that from their perspective, securing processors should start at the core, adding that adopting a hardware-based approach at the most basic core level cannot be overemphasised.

Frederik Mennes, senior manager market & security strategy, at VASCO's Security Competence Centre, reiterates the advice that users should patch the firmware and software of their devices as soon as possible, and should also be extra cautious when downloading software from unknown or suspicious sources.”


Allan Liska, solutions architect at Recorded Future explains how the two vulnerabilities, potentially dating back to as far as 1995 associated with three associated CVEs: CVE-2017-5753 (Spectre Variant 1), CVE-2017-5715 (Spectre Variant 2), and CVE-2017-5754 (Meltdown). Vendors have started releasing patches for these vulnerabilities and security researchers have released POC exploit code.  

Recorded Future notes how Spectre was successfully tested by researchers on Intel, ARM, and AMD processors and while the result of an attack exploiting the Spectre vulnerability is fundamentally the same as Meltdown, the attack surface is slightly different.  “Rather than pulling information readily available in the kernel space, a Spectre attack involves tricking applications on the victim's system into speculative execution that would not normally be performed, giving an attacker access to information that would not normally be exposed.”


Successfully exploiting this vulnerability would allow an attacker to read small arbitrary chunks of privileged kernel memory, bypassing Kernel Address Space Layout Randomisation (KASLR), a key mitigation against kernel exploits in modern operating systems.


Liska adds that “While there have been several potentially disturbing proof-of-concept exploit code examples released, to our knowledge, this has not been exploited in the wild. Reliably exploiting these vulnerabilities in the wild may prove challenging for all but the most advanced attackers.”


One major concern with attacks taking advantage of both of these vulnerabilities is that there is currently no way to detect these attacks using traditional security methods says Liska who continues, “Unlike many attacks, exploits of these vulnerabilities will not leave traces in log files or unusual files on the system for analysts to examine. An attacker could exploit these vulnerabilities without leaving a trace in traditional security tools.”


He too advises that the best way to mitigate against these attacks is to apply vendor patches as quickly as possible, noting that  Apple released a patch for High Sierra (10.13.2) in December that fixes these vulnerabilities, and Microsoft has issued an out-of-band security patch for Windows systems as well. The maintainers of the Linux kernel expect to have their patch ready for release today, Friday, January 5. However he adds a note of caution, saying that the new patch for Windows system reportedly can conflict with anti-virus systems and may result in a “Blue Screen of Death.”


(Extracted from Recorded Future advisory)

Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715 and CVE-2017-5753) were discovered and reported using responsible disclosure methods in July 2017. Vendors had been working on patches and were scheduled to release them ahead of a January 9 embargo date, but security researchers discovered the changes in early releases of the patched operating systems and began speculating about the vulnerability, forcing the researchers to release information prior to the original embargo date.


Meltdown and Spectre are both hardware vulnerabilities. The researchers behind both vulnerabilities have created a web page that explains both attacks in detail and provides background on the research they did to find the attacks.


Meltdown is specific to Intel processors and takes advantage of speculative execution and indirect branch prediction that Intel has enabled in its chipset. Intel states that other chip manufacturers may be susceptible to this vulnerability as well, but the researchers who uncovered the flaw were not able to replicate it on other chipsets.


Speculative execution and indirect branch prediction allow programs to run faster on a system by “speculatively” finding available memory to execute the next fork in the program. During this speculative action, processes are not adequately segmented from each other. In other words, anyone who can gain access to the kernel can use specific code to see all of the other processes.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews