Meltdown and Spectre Aren’t Business as Usual
Last updated on: September 6, 2020
The new year brought a new vulnerability type — the CPU-based Meltdown and Spectre bugs — that’s forcing vendors and IT departments to modify long-standing ways of identifying threats, prioritizing remediation, managing patches and evaluating risk.
“Meltdown and Spectre are different vulnerabilities from what you’re used to seeing,” Jimmy Graham, a Product Management Director at Qualys, said during a webcast on Wednesday.
As a result, it’s essential for organizations to fully understand the nature of these vulnerabilities, stay on top of the latest information, and analyze the vulnerabilities’ impact in their IT environments, in order to stay as safe as possible.
“It’s not a simple [process] of just install a patch and you’re done,” he said.
A different animal
Graham outlined a number of elements that set Meltdown and Spectre apart, starting with the fundamental issue: They’re hardware flaws. Consequently, the patches and updates being released mitigate the danger, but don’t fully erase the attack surface. That could only be done by physically replacing the affected CPUs.
Also unique is the massive scope of impacted IT assets. Most Intel CPUs released in the past 20 years are affected. Compounding matters is that real operational risks exist when patching these vulnerabilities in certain systems, including degraded performance and complete malfunction.
And of course, the risks are colossal.
Meltdown (CVE-2017-5754) impacts primarily Intel CPUs, although it’s also present in some ARM CPUs. By providing access to all physical memory, including kernel memory, from a user-mode (ring 3) process, “any process running in the system can access all the contents of physical memory.”
Attackers could steal passwords, grab private keys and do whatever necessary to escalate their system privileges to administrator levels. “Anything that can be stored in memory can be accessed through Meltdown,” Graham said.
Since hackers need to gain a foothold in systems before they can exploit Meltdown, it’s likely it will be part of “chained attacks,” which involve exploiting two or more vulnerabilities in sequence.
Meanwhile, Spectre (CVE-2017-5753, CVE-2017-5715) impacts Intel, AMD, and ARM CPUs by abusing branch prediction and speculative execution, resulting in data leakage from compromised processes.
“An attacker process on a system can access the memory contents of other processes, and can include kernel memory in some circumstances,” Graham said.
The most likely short-term exploit scenario for Spectre is a JavaScript-based attack, where JavaScript escapes its sandbox and reads forbidden memory from the browser process, giving attackers access to cookies and session keys.
Graham noted that successfully exploiting Spectre is “very difficult” because attackers must have detailed knowledge of the victim process, meaning they’d have to know specifically which process they’re going to target.
On the bright side, it’s important to note that, unlike with some recent vulnerabilities like WannaCry and EternalBlue, there have been no reported attacks — yet.
What can be done?
Meltdown can be extensively mitigated using KPTI (Kernel Page Table Isolation) via the OS patches provided by Microsoft, Apple and Linux OS vendors.
“They’re basically moving the kernel into its own segregated memory space. It’s no longer mapped into user space,” Graham said.
Although this still leaves a small window of attack possibilities, it defuses all known attacks.
For Spectre, patches are available via software updates for OSes and apps, and via processor microcode. Right now, the priority should be closing the JavaScript attack vector by patching browsers.
“Even if you don’t have the microcode updates to more completely mitigate Spectre, the browser vendors have made some changes that make it more difficult to exploit Spectre by removing things that a JavaScript attack would need, such as very precise timers,” Graham said.
It hasn’t all been smooth sailing with the patches
There are a number of issues that organizations must keep in mind before and after patching Meltdown and Spectre.
For Meltdown, a big caveat is that the patches can seriously affect the performance of certain types of workloads, or make the systems unstable. In addition, certain steps need to be taken in some scenarios. For example, Windows systems must get an anti-virus software update and a registry key modified.
In the case of Spectre, Linux microcode updates can be installed via the standard repositories of the major Linux OS vendors, but that’s not the case with Microsoft systems. For the latter, users can’t update the microcode through OS updates at this point. Instead, the firmware microcode has to be obtained via a BIOS update from the system hardware manufacturer. Then software on the system must be recompiled to utilize the protections in the new microcode.
Tips and best practices
Graham offered the following recommendations for managing the Spectre and Meltdown mitigation process.
- Detect vulnerable assets using Qualys Vulnerability Management authenticated scans or with Qualys Cloud Agents. It’s crucial to have a clear idea of how many impacted systems are in your environment, which vulnerabilities you have, and which patches have been applied.
- Prioritize patching efforts based on asset risk and exposure. If you can’t install the microcode patches because they’re problematic or non-existent at this point, focus on the OS and browser patches.
“For workstation type devices, I’d focus on patching the underlying OS, because performance concerns are not as great, compared to servers, and patch the browsers as well to start enabling some of these mitigations,” Graham said.
- Test and test again. “Everything needs to be tested. These patches are not simple software patches that we’ve seen previously. These are fundamental changes to how the kernel is treated in Linux and in Windows,” he said.
Tests should go beyond simply verifying that updates and patches have been successfully installed. You must test workloads on servers. “You don’t want to be blindly installing these patches on very critical database systems without testing them with some kind of load,” Graham said.
- Make sure third-party antivirus software is up to date.
- Install browser patches for workstation-type devices.
- Patch virtual systems such as Xen and VMWare.
- Patch Windows workstations and servers with the most recent January patches.
- Install microcode packages for Linux and BIOS updates for Windows.
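One way to verify the Linux side of the tips above (which patches have actually taken effect, whether KPTI is active for Meltdown, whether a Spectre v2 mitigation is in place after the microcode and kernel updates), as an added example that is not part of the webcast or of Qualys’ own tooling: a POSIX shell script that reads the kernel’s per-issue reports under /sys/devices/system/cpu/vulnerabilities. It assumes a kernel of 4.15 or later (or a vendor backport of that interface) and a writable TMPDIR for the constructed sample snapshot.

```shell
# Added example: summarise the Linux kernel's own Meltdown/Spectre mitigation
# state. Since Linux 4.15 the kernel exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities; meltdown reads "Mitigation: PTI"
# once KPTI is active, spectre_v2 reports retpoline/microcode-based state.

SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE: reduce one sysfs line to a single-word verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_vulns DIR: print one line per issue. Returns 1 if anything is still
# vulnerable and 2 if the kernel is too old to expose the interface at all.
report_vulns() {
    dir="$1"; rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir missing: kernel predates the vulnerabilities interface"
        return 2
    fi
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then status=$(cat "$dir/$name"); else status="(not reported)"; fi
        verdict=$(classify_status "$status")
        printf '%-10s %-10s %s\n' "$name" "$verdict" "$status"
        if [ "$verdict" = vulnerable ]; then rc=1; fi
    done
    return $rc
}

# make_sample DIR: constructed sysfs snapshot of a host with KPTI applied but
# no Spectre v2 mitigation yet, so the script can be exercised offline.
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$1/spectre_v2"
}

# Use the live sysfs tree when present; otherwise fall back to the sample.
target=$SYSFS_VULN_DIR
if [ ! -d "$target" ]; then
    target="${TMPDIR:-/tmp}/vuln_sample.$$"
    make_sample "$target"
fi
if report_vulns "$target"; then echo "all reported issues mitigated"; else echo "action needed"; fi
```

A "Mitigation:" verdict only says the kernel-side control is enabled; the microcode-dependent parts of the Spectre v2 mitigation still need the vendor firmware or microcode package the tips above describe.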
How Qualys can help
Qualys is continuously updating vulnerability detections, so it now has more than 75 QIDs to determine the patch state for Spectre and Meltdown. Qualys provides both agentless scanning and agent-based detections, so you can use the most appropriate method for any given IT asset.
In addition, Qualys recently rolled out a pre-built Spectre/Meltdown Dashboard to give you visibility into the remediation progress. It can be downloaded from the Qualys Community site.
You can also find detailed and illustrated instructions on how to create Qualys Search Lists, Scan Option Profiles, Remediation Tracking and Patch Reports for Spectre and Meltdown in this article just published to our community site by Debra M. Fezza Reed, Qualys’ Product Manager for Reporting.
Lots more in the webcast recording
We invite you to get many more details by watching a recording of Graham’s webcast, in particular his demo of the new Spectre/Meltdown dashboard and his answers to questions from the audience.