LogRhythm Labs

Security Advisory: Meltdown and Spectre Vulnerabilities

Between January 3 and 4, 2018, three vulnerabilities in processor hardware were made public that affect nearly all modern architectures. Impacted architectures include Intel, AMD, and ARM. If successfully exploited, an unprivileged process on an affected system could read privileged memory inside other processes or, in some cases, outside guest containers or virtualization hypervisors.

While no malicious attacks have been found, there is evidence that Proof of Concept (PoC) code is available and has been released that can successfully exploit these vulnerabilities to list kernel memory from JavaScript. Therefore, these attacks can be exploited via content delivered to a web browser. Successful attacks are likely to also be found against other scripting languages and engines.

Most major operating system vendors have released patches mitigating the issues from the operating system level—hardware developers are likely to release firmware updates as well. These patches could have a detrimental impact on system performance and should therefore be monitored after implementation.

Key Points:

  • Three CVEs disclosed by reputable sources for hardware-level vulnerabilities
  • Microsoft has released patches for a number of OSs (see list below)
  • RedHat has issued patches for RHEL and CentOS
  • Apple has possibly released patches for Sierra and High Sierra, however, at the time of writing they have not confirmed
  • No known in-the-wild attacks
  • PoC code has been developed by multiple parties for local exploit, not remote
  • Early public information suggested a possible performance hit between 5–30 percent (depending on workload)
  • Patches should be applied and tested as they become available

Analysis:

Security analysts have discovered three variants of exploit that likely affect all modern processor architectures. Variants One and Two are applicable to both Intel and AMD architectures. Variant Three is possibly only applicable to Intel. Variants One and Two have been termed Spectr, while Variant Three has been named Meltdown. Unless otherwise noted, the rest of this report will refer to all three variants collectively as “The Vulnerabilities.”

The specific vulnerabilities exist in how speculative execution affects processor-level caches. All three attacks are timing attacks allowing unprivileged processes to read memory to which they should not otherwise have access. These attacks likely only result in a few bytes of data to be read at a time. For instance, Google Project Zero found that kernel virtual memory could only be read via Spectre at a rate of 2,000 bytes per second after an initial startup of four seconds. However, it is possible that additional attacks could be discovered to increase this rate.

Operating System Vendors:

Microsoft

At the time of writing, most major OS vendors have begun releasing patches to mitigate the effects of the hardware-level vulnerabilities. Microsoft has released the following patches for supported operating systems.

Operating System Version Update KB
Windows Server, version 1709 (Server Core
Installation)
4056892
Windows Server 2016 4056890
Windows Server 2012 R2 4056898
Windows Server 2012 Not available
Windows Server 2008 R2 4056897
Windows Server 2008 Not available
Windows 10 (RTM, 1511, 1607, 1703, 1709), Windows 8.1,
Windows 7 SP1
ADV180002,(Multiple KBs)

Microsoft has noted that anti-virus products could be incompatible with these patches and therefore systems will only be capable of patching once installed anti-virus software has been certified by the anti-virus software vendor. At the time of writing, public sources suggest supported anti-virus products include (but are not limited to): Microsoft’s Defender, Kaspersky, ESET, AVAST, Symantec, and F-Secure. Webroot and CrowdStrike are partially supported. This information will likely change rapidly throughout the day, so software vendors should be contacted directly to confirm support.

Further information for detection and mitigation for Microsoft server operating systems is available here, while client information can be found here.

RHEL/CentOS (RedHat)

RedHat has released updates for its supported RedHat Enterprise Linux (RHEL) versions and CentOS patches can be obtained via Yum.

Mac OS X (Apple):

While Apple has not specifically confirmed its desktop and server OSs have been updated, there is evidence that updates are available for supported versions of Sierra and High Sierra.

Cloud Providers:

Amazon Web Services:

As of the time of this writing Amazon had released a statement announcing that all but a few of their infrastructure systems had been patched and that AMIs would be provided to upgrade Microsoft systems. Other nodes would need to consult with applicable software vendors to protect the virtual nodes themselves.

Microsoft Azure:

Similar to Amazon, Microsoft claimed their infrastructure had been patched and that remaining systems would be patched soon.

Processor Manufacturers:

Intel:

Intel has released a list of all their affected products. Multiple media outlets are also reporting that Intel has claimed it will release security updates for most chips released within the past five years. Products containing Intel hardware but manufactured by other vendors should check for updates from the respective hardware manufacturer.

Impact:

The immediate impact of these three vulnerabilities is that all affected systems should be patched both at the OS-level and at the firmware level as patches become available. Early reports suggest that performance could be affected anywhere between 5–30 percent (depending on workload). Given OS-level mitigation requires additional code within a critical user-to-kernel code path, these numbers could be valid; however, testing will need to be conducted to verify individual workload effects.

Conclusion:

Unless there is a critical performance concern, given the prevalence of these vulnerabilities and the potential severity of exploit, affected software and hardware should be patched as soon as possible. Performance should be monitored to ensure any performance impact does not push resources beyond their limits.