The So-Called Intel Bug

Author: Eric Rand

Two named bugs dropped on January 3rd, both concerning the way in which modern CPUs work. The manner in which the so-called "Meltdown" and "Spectre" vulnerabilities function is beyond the scope of this article, but it is important to note that more than Intel's CPUs are affected.

The 'Meltdown' vulnerability has been addressed by major cloud infrastructure providers, and patches for Windows and macOS are available; patches for other operating systems should be available in very short order. These patches should be considered an urgent priority, as, unmitigated, this vulnerability allows anyone who can run a program on a machine [including JavaScript] to read anything else that the CPU processes, regardless of which user or program it belongs to.

Unfortunately, the patch for Meltdown results in a significant decrease in CPU performance for certain workloads.

'Spectre' is very similar in nature, but there are no patches for this as of yet - and, unfortunately, the way in which it works is such that only individual known attacks can be patched against; unlike 'Meltdown' it is not possible to craft a generic patch to handle this vulnerability.

The only way to properly fix both vulnerabilities is to replace CPU hardware entirely.

Unfortunately, nearly all Intel hardware from approximately the past 25 years is affected; AMD and ARM hardware are also vulnerable to Spectre. These problems necessitate a complete redesign of existing CPU architectures, and the new designs will not be available for several years, in all likelihood.

Mitigation of these issues will be long and involved, and system owners should consider the following aspects:

First, in traditional workstation and datacenter architectures, the vulnerability surface - the places where you can be attacked - for these issues will be much the same as the existing attack surface for ransomware, albeit slightly more severe. Mozilla has confirmed that at least Meltdown can be performed via JavaScript; a proof-of-concept for Spectre is likely not far behind.

Mitigating the browser attack surface involves updating your browsers to the latest versions - see https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ - and enabling site isolation in Chrome - https://support.google.com/chrome/answer/7623121?hl=en-GB - to keep JavaScript exploitation to a minimum. Also, consider using "uBlock Origin" or some form of DNS sinkholing of advertising domains to mitigate the risk of malvertising; many modern web advertisements include JavaScript that can be used for exploitation.

Likewise, PDFs can contain JavaScript; MS Office document macros have not been shown to have a proof-of-concept exploit as of yet, but it is highly likely that they will not be too far behind. Accordingly, all email attachments of these types - and compressed archives, as these can contain executable scripts of various kinds - should be regarded with suspicion.

Turning off email client execution of JavaScript is a must.

It is very unlikely that antivirus programs will be able to reliably detect exploits based on these vulnerabilities. Accordingly, though it may be disruptive, it may be necessary [depending on your environment's business needs and the risk you are prepared to accept] to disallow non-plaintext email and attachments.

If your organization can support it, workstation environments with whitelisted programs - environments where only authorized programs can execute - can help defend against these attacks.

Secondly, if your organization has a significant cloud presence - whether full tenancy or a hybrid architecture - a different set of attack surfaces comes into play.

As mentioned above, the major providers have patched for Meltdown. However, no patch exists for Spectre - and no general patch can exist for it.

This has already resulted in decreased performance being noted for some customers of cloud providers, which may result in increased expense due to the need to provision more instances for a given workload.

Certain 'bare metal' providers that can guarantee single tenancy of given machines will be less affected overall, but those who adopt the usual model of massive multitenancy on large machines will see continued problems pertaining to exploitation of Spectre, as any tenant on such a machine may be able to read information pertaining to any other tenant on the same machine.

This may result in compliance questions pertaining to the confidentiality requirements of HIPAA and other, similar compliance regimes.

Mitigation of cloud-side Spectre concerns will require guarantees from providers as to who is a tenant on any particular cloud instance - and extra expense to account for the decreased performance of any particular instance, as well as increased expense for single-tenancy environments, if guaranteeing against other parties' potential collection of your cloud-hosted assets is a business or compliance requirement.

Thirdly, for environments making use of virtualization - e.g. Hyper-V or ESXi - all of the above concerns apply. Each server, and each image running on the server, must be patched against Meltdown; and there is the continued concern of Spectre providing the potential for any resident to access resources belonging to any other resident.
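Verifying that each Linux host and guest image actually carries the Meltdown patch is the practical side of the point above. The following is an added example, not part of the original post or of any Castra tooling: it reads the per-issue status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/ and flags anything that is not reported as mitigated. The directory override and the sample data are assumptions made so the check can be exercised against a constructed copy.

```shell
#!/bin/sh
# Report the kernel's own mitigation status for Meltdown and Spectre.
# Each file under the vulnerabilities directory reads "Not affected",
# "Vulnerable", or "Mitigation: <mechanism>". The first argument
# overrides the directory (assumption, for testing against sample data).

# Prints "<name>: <verdict> (<raw status>)" per issue.
# Returns 1 if any issue is vulnerable or unreported, else 0.
check_cpu_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            # Kernels older than 4.15 have no report at all; such a
            # kernel predates the fixes, so treat it as unpatched.
            echo "$name: UNKNOWN (no sysfs entry; kernel likely unpatched)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            "Not affected"|Mitigation:*) echo "$name: OK ($status)" ;;
            *) echo "$name: VULNERABLE ($status)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not real host data): a host patched for Meltdown
# with Spectre v1 mitigated but Spectre v2 still open.
make_sample() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/spectre_v1"
    echo "Vulnerable" > "$d/spectre_v2"
    echo "$d"
}

# Run against the real host when invoked as: sh check.sh --host
if [ "${1:-}" = "--host" ]; then
    check_cpu_mitigations
fi
```

Run it on every hypervisor and inside every guest image separately, since a patched host does not make an unpatched guest kernel safe.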

The Meltdown and Spectre bugs are severe in nature and of specific, definite concern. Organizations will need to address the specific and pervasive risk of information leakage from these issues, and take specific mitigative measures.

More information can be found at https://meltdownattack.com/ or by talking to your Castra consultant, who will also be able to help you analyze your threat environment and determine which mitigative measures are most appropriate for your situation.