Naming a vulnerability helps when discussing it, as technical names, such as CVE-2018-1234, don't capture people's...
attention. Sometimes, when a particular vulnerability has many different components in different products and affects different vendors, it helps to name the vulnerability to categorize it.
Two new branded vulnerabilities that even have their own logos were announced in January 2018: Meltdown and Spectre, which are side-channel timing vulnerabilities. There has been significant discussion of the impact of these vulnerabilities, which has resulted in many enterprises rushing to apply patches as they were released.
The impact of these vulnerabilities on cloud systems and applications is high, and timely patching is absolutely critical; however, their impact on endpoints is not as clear.
This tip will discuss the Meltdown and Spectre vulnerabilities and how enterprises can defend against them.
Meltdown and Spectre
Many times, information security is very focused on operating systems, applications and users, while physical and hardware security is often ignored. Physical security is often outside the scope of information security teams, who rarely deal with hardware security. There may be some things information security teams can do to address hardware security problems, but without hardware security at the base, it may be difficult to adequately secure a system.
Hardware security features are critical for process isolation to provide privilege separation and prevent a regular user from running code as a privileged user or from gaining unauthorized access to shared resources, like a shared cache. Furthermore, hardware security may be most prevalent when updating the BIOS of a system.
The Meltdown and Spectre vulnerabilities were publicly disclosed in January, but were privately disclosed to the relevant parties in June 2016 for a coordinated response. Meltdown is a vulnerability in isolation between user applications and operating systems on Intel-based systems where an unprivileged process can bypass memory protections to gain unauthorized access to system memory.
Meanwhile, Spectre is a vulnerability in speculative execution in the CPU that enables an attacker to trick an application into leaking its secrets in memory. Speculative execution is used to maximize the performance of the CPU.
The attacks target CPUs from Intel, AMD and ARM, which represent an extremely large percentage of devices. Both attacks use side-channels attacks to read data from the targeted memory location and can access sensitive data in memory, such as passwords or encryption keys stored in secure enclaves. They also both require codes to run on the local system and are essentially privilege escalation vulnerabilities.
For cloud systems, virtual hosting systems and servers, these privilege escalation vulnerabilities have a significant impact, but there could be less of an impact on endpoints, where many users still have administrative or privileged access. Endpoints may have many different privilege escalation vulnerabilities in the OS and within applications, so these new vulnerabilities would be among those present.
Enterprise defenses against Meltdown and Spectre vulnerabilities
Even though enterprise defenses for hardware vulnerabilities can be more complicated than typical software patches, having a plan to respond to hardware vulnerabilities and to assess the risk they pose to your enterprise can help determine the appropriate response.
Many times, hardware vulnerabilities have software patches to address them, and there are multiple patches, BIOS updates and firmware updates available for Meltdown and Spectre. The impact of patching these vulnerabilities seems to vary based on the system, CPU and workload.
However, there have been some reports of significant slowdowns caused by the patches, as some of them were broken and have even been removed and replaced. Microsoft also offers patches, but has reported issues with antivirus software compatibility, so you should test the patches before deploying them in production.
Depending on the application you use, such as a web browser, there may be application-level patches. Addressing these vulnerabilities will require that you pay attention to the OS and application stack until the CPUs are redesigned and replaced.
The Meltdown and Spectre vulnerabilities affect traditional desktop and laptop systems. These systems, along with IoT systems, embedded systems, supervisory control and data acquisition systems, and industrial control systems, will need to be patched, but the latter may be more difficult to secure.
There is no questioning the impact that the Meltdown and Spectre vulnerabilities have on cloud systems and shared hosting environments, and both required careful coordination with immediate action. Endpoints are vulnerable, and may be as difficult to patch as servers; however, the impact of a privilege escalation vulnerability is limited to a specific endpoint, which may lessen the impact.
Because these vulnerabilities are present in many different architectures, it will take additional analysis and time for the vulnerabilities to be fully explored by researchers and addressed by manufacturers.
Researchers may continue to find new variants that require updated patches when CPU designs are updated and rolled into service. As a result, hardware vendors will continue to update their responses and mitigation steps.