Spectre & Meltdown – a week (and a bit) on

It has been just over a week since the Spectre and Meltdown vulnerabilities were released, shaking everyone out of their post-holiday daze. Our previous blog post on the topic discussed the viability of these attacks in the real world – what have we learned since then?
Note: Forcepoint customers should refer to the Knowledge Base article at https://support.forcepoint.com/KBArticle?id=000014933 for Spectre/Meltdown mitigation and patching advice for all Forcepoint products. New information is posted to the KB article as it becomes available.
Meltdown
The majority of OS vendors have now released patches against the Meltdown vulnerability, although for some the name has proven surprisingly apt: the patches had some pretty notable effects for certain service providers.
For example, Microsoft halted the rollout of patches to certain AMD-based systems and those running some antivirus packages as a result of machines ending up in an unbootable state.
While the ‘bluescreen’ issues were unforeseen, the performance impact was largely expected before the patches rolled out: the effect of ‘KAISER’ separation of user and kernel address space on applications that make frequent calls into the kernel (e.g. for network access, disk access, etc.) was well understood within the technical community some time before the patches shipped.
Ultimately, though, patches have rolled out for Meltdown and everyone should be able to rest peacefully at night (assuming they’ve applied the patches according to the vendor guidance).
Spectre
Rather more complex is the matter of Spectre, which effectively describes a class of side-channel timing vulnerabilities. As such, at least two avenues of attack using Spectre have been identified which we’ll refer to as browser-Spectre and kernel-Spectre.
Looking at browser-Spectre first, not all of the browsers have updated their JavaScript engines to protect against this yet (Chrome, for example, report that mitigations will be included from Chrome 64, slated to be released on 23 January 2018). On the other hand, while it appears that a number of browsers are or were vulnerable, researchers don’t appear to have been successful in using the technique to extract useful information.
Kernel-Spectre initially caused more concern as it could not be mitigated with an operating system patch – indeed, there were initial concerns that it might be necessary to wait for a new generation of CPUs to see any real protection against the vulnerability.
As it turns out, Intel and AMD are releasing updates to mitigate Spectre, so there’s no need to wait for a whole new cycle of CPUs to be released. On the downside, these updates are likely to have a performance impact across a far wider range of applications than the Meltdown patches, since they change the way the CPUs operate at a quite fundamental level.
Recommendations
Forcepoint Security Labs continue to recommend adherence to a robust patching policy: while there are known performance implications associated with some of the patches provided by vendors, for most organisations it is likely desirable to accept this impact for peace of mind.
Equally, it should be borne in mind that patches from both software vendors (e.g. Microsoft, Apple, Linux distributions, etc.) and hardware vendors (e.g. Intel, AMD, SAN vendors, motherboard vendors, etc.) may need to be applied to achieve maximum coverage against these vulnerabilities.
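One way to confirm on a Linux host that both the OS-level (KAISER/PTI) and the CPU-level Spectre mitigations have actually taken effect is to read the kernel's own report rather than trusting a patch log. The script below is an added example, not code from the original post or a Forcepoint tool; it assumes the sysfs vulnerabilities interface that Linux 4.15 introduced and distributions backported, and the sample directory it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Forcepoint post): report the kernel's view of
# Meltdown/Spectre mitigation state from the sysfs interface exposed under
# /sys/devices/system/cpu/vulnerabilities (Linux 4.15+ and backports).
# Each file holds one of: "Not affected", "Vulnerable[: details]" or
# "Mitigation: <name>". A Spectre v2 mitigation that depends on vendor
# microcode (IBRS/IBPB) is only reported once that update is loaded, which
# is what makes this a check of both the software and the hardware patch.

# check_cpu_mitigations [DIR]
# Prints one line per vulnerability; returns 0 only when every entry is
# "Not affected" or carries a "Mitigation:" prefix, 1 otherwise.
check_cpu_mitigations() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            # Older kernels have no report at all: treat as unpatched.
            echo "$name: UNKNOWN (no sysfs report; assume unpatched)"
            rc=1
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            "Not affected"|Mitigation:*)
                echo "$name: OK ($status)" ;;
            *)
                echo "$name: ACTION NEEDED ($status)"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample (hypothetical host): OS patched for Meltdown via PTI,
# but the Spectre v2 mitigation is still missing, i.e. the "software
# patched, firmware not" gap the recommendations warn about.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Run with --demo to check the constructed sample; with no argument the
# function reads the live sysfs directory of the current host.
if [ "${1:-}" = "--demo" ]; then
    check_cpu_mitigations "$(make_sample)"
fi
```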
Forcepoint customers should refer to the Knowledge Base article available at https://support.forcepoint.com/KBArticle?id=000014933 for mitigation and patching advice for all Forcepoint products.
Conclusion
As discussed in our previous post, the CPU-level vulnerabilities (i.e. kernel-Spectre and Meltdown) are relatively difficult to exploit and require gaining access to the target machine with permission to run code before exploiting the vulnerability. This significantly reduces the number of targets against which one might want to use the vulnerabilities: typically, if you have shell access to a machine you’ve already ‘won’ and have no need for something as technically tricky as Meltdown or Spectre.
Instead, the situations where one might want to use the techniques revolve around reading data on the host system from within a virtual machine. Though these are technically significant vulnerabilities, the scenarios under which they may be genuinely useful to a malicious actor are limited.
Forcepoint will continue to update this blog with new research, recommendations and product information.