Meltdown and Spectre: Prospects for Impact and Steps to Protect Yourself

The recent disclosure of critical CPU vulnerabilities, Meltdown and Spectre, have rocked the information security industry due to the catastrophic consequences they have for data protection. Meltdown and Spectre exploit critical vulnerabilities present in almost all modern processors, creating the potential for leaks in sensitive data as it is processed on a computer or server. A malicious program exploiting these vulnerabilities would be able to access data stored in the memory of other running programs, such as passwords stored in a password manager or browser, personal emails or photographs, and other sensitive data. The vulnerabilities extend to personal computers, mobile devices, and the cloud, where it may be possible to steal data from other cloud customers—essentially anything using an Intel, AMD, or ARM processor.

Figure 1—Official Logo of Meltdown; https://meltdownattack.com/

Meltdown (CVE-2017-5754) exploits vulnerabilities with out-of-order execution on modern processors to read arbitrary kernel-memory locations, thereby breaking the fundamental isolation between user applications and the operating system. With this exploit, any process can read any kernel memory, regardless of its permissions. This means a program can access the memory of other programs, thus rendering vulnerable all sensitive data that resides on any exposed processor with an unpatched OS. An adversary that exploits Meltdown could use it to read the memory of other processes or virtual machines in the cloud without any permissions or privileges.

Meltdown affects all vulnerable devices running iOS, Linux, macOS, or Windows, though many of the most recent versions of those operating systems have been patched. According to the vulnerability’s disclosure whitepaper, Meltdown can read all physical memory on Linux and iOS, which is of great concern considering the ubiquity of Linux within cloud hosting platforms.

Figure 2 – Official logo of Spectre; https://spectreattack.com/

Spectre (CVE-2017-5753 and CVE-2017-5715) breaks the isolation between different applications, allowing an attacker to trick programs into leaking data. This vulnerability is related to speculative execution, a technique implemented to improve the processing speed and efficiency of a computer system. These vulnerabilities can allow programs that accept requests to be tricked into reading private data and modifying the data cache. An attacking program could then access that data cache to retrieve the private data therein.

These security flaws impact Kernel Address Space Layout Randomization (KASLR), a security mechanism that makes it more difficult for exploits to run because pieces of software are loaded into memory at random locations. Due to this vulnerability, an attacker can more readily identify key kernel data structures. to identify where different parts of programs are located. This is alarming because theoretically, a virtual machine could access the kernel memory of the underlying host machine, as demonstrated by the research group’s proof of concept.

Anticipating the Phish

In order for Meltdown or Spectre to be leveraged in an attack scenario, local code execution is required. A delivery mechanism must therefore be delivered to grant that access. As our readers know, phishing is the most common delivery technique for malware delivery and subsequent access to sensitive and private data. Malicious actors seeking to leverage Meltdown or Spectre would almost certainly use phishing emails to send malware to execute code on the targeted host.

For example, multiple proofs of concept have demonstrated that JavaScript is an effective mechanism for abusing these vulnerabilities. Given that much of the web’s content is powered, in one way or another, by JavaScript, it is an extremely likely candidate for emerging exploits. Unless explicitly prevented from doing so by a plugin, configuration setting, or security solution, web browsers will happily execute all JavaScript present within a web page. The lack of restriction on JavaScript code execution would allow memory harvesting to happen for as long as the web page remained open. The whitepaper states that Meltdown can “dump kernel and physical memory up to 503KB/s.” This means a system with 8GB of RAM can have its entire memory swallowed up within around 4 hours. Naturally there’s transmission latency and other aspects to consider, but this remains nevertheless astonishing. It is sensible to expect phishing lures could be used to direct victims to such delivery points. Just as easily, any other common delivery mechanism could be used—from DDE to OfficeMacro scripting and beyond.

Your Average Hacker Isn’t Likely a Threat, But You Still Must Care

Should a system be exploited by Meltdown or Spectre, the consequences could be dire, and large amounts of data would be compromised. However, these attacks would deliver an abundance of unstructured information. It would require significant resources to parse and identify desired information. This could be more difficult than the challenge of guaranteeing the successful exfiltration of such immense volumes of unordered, raw memory. Given the heavy lift of this task and the many other available options for illicitly retrieving similar information, most threat actors likely would not seek to exploit these vulnerabilities. However, sophisticated actors with sufficient resources and foreknowledge of available information could sort through the massive volumes of data and identify useful information.

Regardless, because the risk to enterprises is so serious, it is critical to be aware of these vulnerabilities given the vast implications for data loss exposure. Proofs of concept have already demonstrated that this vulnerability can be abused to access stored credentials and multiple keys, including SSH, from memory.

Steps to Protect Yourself

Intel and Google have reportedly been developing patches and remediation for Meltdown and Spectre, though it is likely impossible for Spectre to be fully patched. Given that Spectre requires tailoring to the victim process’ software environment, it is less likely to be exploited and less dangerous than Meltdown. Meltdown patches have been released for most operating systems, but not every version. Organizations must be aware of what versions of operating systems they have on their networks and patch accordingly. Unfortunately, the patches essentially change how OS kernels are stored in memory and result in a loss of efficiency.

Patching this critical vulnerability is vital; whether patching a cloud VPS host—thus protecting the residents from memory scraping—or individual machines. If you are a user of cloud service providers, we strongly suggest you stay aware of the service provider’s patching decisions and any consequential latency issues.

The effects of the patches are, unfortunately, cumulative. Systems that have low workloads (that is, the CPU is consistently in or around the single-digit or low teen usage percentages) will likely not notice the performance difference. However, as the baseline CPU usage increases, the impact of these patches compound. In other words, machines that work harder on a regular basis will be affected more than their low-processing peers. Furthermore, the basic rules of network hygiene also apply in mitigating this hazard. Network defenders should continuously educate end users about phishing and empower their users to be human sensors on their network, augmenting and going beyond traditional technical controls.

Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.

Missing in Action: Several Prominent Malware of 2017
Identify, Prioritize, and Respond to Phishing Threats Faster with PhishMe and ServiceNow

Leave a Reply