Deciphering the Noise Around ‘Meltdown’ and ‘Spectre’ A McAfee Perspective

Soft Solutions Limited - Cybersecurity Threat Advisory - 012218

On January 5, 2018, SSL shared an advisory on the Meltdown and Spectre vulnerabilities. As the leading McAfee partner in West Africa, SSL considers it important to share McAfee Inc’s perspectives on the vulnerabilities to ensure your enterprise gets full benefits of professional security insights pulled from the McAfee Advanced Threat Research (ATR) Team.

The McAfee ATR Team has closely followed the attack techniques that have been named Meltdown and Spectre. In this post, McAfee ATR offers a simple and concise overview of these issues, to separate fact from fiction, and to provide insight into McAfee’s capabilities and approach to detection and prevention. For more on McAfee product compatibility, see this business Knowledge Center article.

The Techniques

Meltdown and Spectre are new techniques that build upon previous work, such as the research that defeated KASLR (kernel address space layout randomization) and other papers on practical side-channel attacks. The current disclosures extend those side-channel attacks through the innovative use of speculative execution.

Speculative execution has been a feature of mainstream processors for more than two decades; the out-of-order execution that makes it possible builds on the Tomasulo algorithm. In essence, when a branch depends on a condition that is not yet known at run time, a modern processor makes a “guess” about the outcome so that it can keep executing rather than wait. The guess comes from the branch predictor, which records the outcomes of the branch’s previous executions and reuses them the next time the same branch is reached. If the condition turns out differently from the guess, the results of the speculative work are discarded and execution resumes on the correct path; compared with simply stalling until the condition is known, no computing time is lost. The fact that mis-speculated work is thrown away rather than committed is a key attribute exploited by Meltdown and Spectre.

Although the results of invalid speculative execution are discarded without ever reaching memory or the architectural CPU registers, the cache lines that the discarded instructions touched remain in the processor caches. This retention of microarchitectural state from invalid execution is the property of modern CPUs upon which Meltdown and Spectre depend. More information about the techniques is available on the site here.

Because these techniques can be applied (with variation) to most modern operating systems (Windows, Linux, Android, iOS, MacOS, FreeBSD, etc.), you may ask, “How dangerous are these?” “What steps should an organization take?” and “How about individuals?” The following risk analysis is based upon what McAfee currently understands about Meltdown and Spectre.

McAfee researchers quickly compiled the public exploit code for Spectre and confirmed its efficacy across a number of operating systems, including Windows, Linux, and MacOS.

Question: Am I affected by the vulnerability?
Answer: Most certainly, yes.

Weaponization

To assess the potential impact of any vulnerability or attack technique, we must first consider its value to attackers. These exploits are uniquely attractive to malicious groups or persons because the attack surface is nearly unprecedented, the attack vector is relatively new, and the impacts (reading privileged or cross-process memory, including highly sensitive data) are severe. The only naturally mitigating factor is that these exploits require local code execution. A number of third parties have already identified JavaScript as an applicable delivery point, meaning both attacks could theoretically be run from inside a browser, effectively opening an avenue of remote delivery. As always, JavaScript is a double-edged sword, offering a more user-friendly browsing experience, but also offering attackers an increased attack surface in the context of the browser’s executing scripted code.

Any technique that allows an attacker to cross virtual machine boundaries is of particular interest, because such a technique might allow an adversary to use a cloud virtual machine instance to attack other tenants of the cloud. Spectre works across application boundaries and hence applies directly to this problem. Thus, major cloud vendors rushed to issue patches and software updates in advance of the public disclosure of these issues.

Additionally, both Meltdown and Spectre are exceptionally hard to detect as they do not leave forensic traces or halt program execution. This makes post-infection investigations and attack attribution much more complex.

Recommendations

Starting with the January 10th DAT (3221.0) updates for Endpoint Security (ENS) 10.0.2 and later, the compatibility registry key described below is set automatically on systems that receive DAT updates, so that Windows Update will offer them Microsoft’s January 2018 security updates.

Manual Methods to Deploy the Registry Key Update

Microsoft offers its January 2018 security updates through Windows Update only on systems where this compatibility key is present; it is normally set by the antivirus vendor once the product has been confirmed compatible with the update. Customers whose security software does not set it automatically are advised to create the following new registry key (after confirming compatibility):

RegKey ="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat"
Value Name ="cadca5fe-87d3-4b96-b7fb-a231484277cc"
Type ="REG_DWORD"
Data ="0x00000000"

In environments with Active Directory, this key can be deployed via GPO. Instructions on how to deploy via GPO are available at: Configure a Registry Item

Because McAfee believes that Meltdown and Spectre may offer real-world adversaries significant value, we must consider how they can be used. There is no purely remote vector for these techniques; an attacker must first get code to run on the victim, for example by luring a user to a page that executes malicious JavaScript. To protect against malicious JavaScript, we always urge caution when browsing the Internet. Allow scripting languages to execute only from trusted sites. McAfee Windows Security Suite or McAfee Endpoint Security (ENS) can provide warnings if you visit a known dangerous site. These McAfee products can also provide an alternate script-execution engine that prevents known malicious scripts from executing. As operating systems are changed to mitigate Meltdown and Spectre, organizations and individuals should apply those updates as soon as possible.

Even though we have not seen any malware currently exploiting these techniques, McAfee is currently evaluating opportunities to provide detection within the scope of our products; we expect most solutions to lie within processor and operating system updates.

Based on published proofs of concept, we have provided some limited detection under the names OSX/Spectre, Linux/Spectre, and Trojan-Spectre.

Microsoft has released an out-of-cycle patch because of this disclosure: Click here.

Due to the nature of any patch or update, we suggest first applying manual updates on noncritical systems, to ensure compatibility with software that involves the potential use of low-level operating system features. McAfee teams are working to ensure compatibility with released patches where applicable.

Questions & Answers

  • Am I affected by the vulnerability?
    Answer: Most certainly, yes.
  • Can I detect if someone has exploited Meltdown or Spectre against me?
    Answer: Probably not. The exploitation does not leave any traces in traditional log files.
  • Can my antivirus detect or block this attack?
    Answer: While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.
  • What can be leaked?
    Answer: If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.
  • Has Meltdown or Spectre been abused in the wild?
    Answer: We don't know.
  • Is there a workaround/fix?
    Answer: There are patches against Meltdown for Linux ( KPTI (formerly KAISER)), Windows, and OS X. There is also ongoing work to harden software against future exploitation through Spectre, and to patch software that is found to be exploitable through Spectre ( LLVM patch, MSVC, ARM speculation barrier header).
  • Which systems are affected by Meltdown?
    Answer: Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected.
  • Which systems are affected by Spectre?
    Answer: Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.
  • Which cloud providers are affected by Meltdown?
    Answer: Cloud providers that use Intel CPUs with Xen PV virtualization and have not applied the patches. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ, are affected.
  • What is the difference between Meltdown and Spectre?
    Answer: Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers ( Meltdown and Spectre).
  • Why is it called Meltdown?
    Answer: The vulnerability basically melts security boundaries which are normally enforced by the hardware.
  • Why is it called Spectre?
    Answer: The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.
  • Is there more technical information about Meltdown and Spectre?
    Answer: Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.
  • What are CVE-2017-5753 and CVE-2017-5715?
    Answer: CVE-2017-5753 (Variant 1, bounds check bypass) and CVE-2017-5715 (Variant 2, branch target injection) are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
  • What is the CVE-2017-5754?
    Answer: CVE-2017-5754 (Variant 3, rogue data cache load) is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.
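The following is an added example, not code from the McAfee advisory or from the FAQ above. It shows the Spectre Variant 1 (CVE-2017-5753) gadget that the “What is the difference between Meltdown and Spectre?” answer describes (an application tricked into speculatively reading past a bounds check), beside the two software hardening techniques the “Is there a workaround/fix?” answer refers to: a branchless index mask of the kind used by the Linux kernel’s array_index_nospec(), and a speculation barrier of the kind MSVC’s /Qspectre option and the ARM speculation barrier header insert. The array sizes, contents and the CACHE_LINE stride are constructed for illustration. The cache-timing readout that turns the speculative access into a leak is deliberately not included.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define CACHE_LINE  512   /* constructed stride: one cache-line-sized slot per byte value */

/* Constructed data: array1 is the bounds-checked array, array2 is the
 * "probe" array whose cache state would carry the leaked byte. */
static uint8_t array1[ARRAY1_SIZE] = { 1, 2, 3, 4, 5, 6, 7, 8,
                                      9, 10, 11, 12, 13, 14, 15, 16 };
static uint8_t array2[256 * CACHE_LINE];

/* Fill the probe array so that slot v holds the value v; this only exists
 * so the victim functions below return something observable. */
void setup_arrays(void)
{
    for (int v = 0; v < 256; v++)
        array2[v * CACHE_LINE] = (uint8_t)v;
}

/* VULNERABLE: the gadget from the Spectre paper. Architecturally the bounds
 * check holds and an out-of-bounds x returns 0. Microarchitecturally, while
 * the branch is still being predicted (after training it with in-bounds
 * values), the CPU may execute both loads with the out-of-bounds x, pulling
 * array2[array1[x] * CACHE_LINE] into the cache. The results are discarded,
 * but the cache line stays and encodes the byte at array1[x]. */
uint8_t victim_vulnerable(size_t x)
{
    if (x < ARRAY1_SIZE)
        return array2[array1[x] * CACHE_LINE];
    return 0;
}

/* Branchless mask: all ones when index < size, zero otherwise. This is the
 * construction used by the Linux kernel's array_index_nospec(): it is pure
 * arithmetic with no branch, so it holds even while the enclosing bounds
 * check is being mispredicted. (Relies on arithmetic right shift of a
 * negative value, which GCC and Clang provide.) */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    return (size_t)((intptr_t)~(index | (size - 1 - index)) >> (sizeof(size_t) * 8 - 1));
}

/* HARDENED (index masking): an out-of-bounds x is clamped to 0, so a
 * mis-speculated path can touch at most array1[0]. */
uint8_t victim_masked(size_t x)
{
    if (x < ARRAY1_SIZE) {
        x &= index_mask_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

#if defined(__x86_64__) || defined(__i386__)
#  define SPEC_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#elif defined(__aarch64__)
#  define SPEC_BARRIER() __asm__ __volatile__("dsb sy\n\tisb" ::: "memory")
#else
#  define SPEC_BARRIER() do { } while (0)   /* no barrier defined for this target */
#endif

/* HARDENED (speculation barrier): the fence keeps the loads from executing
 * until the branch has actually resolved. Simpler to apply than the mask,
 * but more expensive, which is why compilers insert it selectively. */
uint8_t victim_fenced(size_t x)
{
    if (x < ARRAY1_SIZE) {
        SPEC_BARRIER();
        return array2[array1[x] * CACHE_LINE];
    }
    return 0;
}

int main(void)
{
    setup_arrays();
    /* In bounds, all three agree. Out of bounds, all three return 0
     * architecturally; only the hardened ones also deny the speculative read. */
    for (size_t x = 0; x < ARRAY1_SIZE + 2; x++)
        printf("x=%2zu mask=%016zx vulnerable=%3u masked=%3u fenced=%3u\n",
               x, index_mask_nospec(x, ARRAY1_SIZE),
               victim_vulnerable(x), victim_masked(x), victim_fenced(x));
    return 0;
}
```

Compile with gcc or clang and run; the printed mask is all ones for x in 0..15 and zero from x = 16 on. The point of the masked variant is that its safety does not depend on the branch at all, which is exactly the property the bounds-check-bypass variant of Spectre attacks.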
