[Enterprise Security] Meltdown and Spectre

TRY HARDER: A Blog About Discovery


Author: Brennan Turner @BLTSEC

Breakdown: It’s really not the end of the world…well, depending on who you ask, but that’s probably for reasons other than CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754 (Meltdown and Spectre). The situation in a nutshell: yes, you should install the operating system and browser patches. Just be aware that the Meltdown patch has a slight impact on processor performance (if you’re already sitting at the 85-90% usage mark, patching could cripple your system). For more information regarding degradation on Windows read this article.

There aren’t any indicators of compromise, and the details of these exploits were under embargo since last June, so it’s possible the exploits have been in the wild and your systems have already been compromised. But when enterprise policies allow passwords under 12 characters and running users as local admins is normal, an organization has bigger fish to fry. If an organization treats these attacks as the highest priority in its threat model and sees them as the gateway an adversary will use to gain access to systems on the network, it is doing security wrong. The practicality of someone exploiting Meltdown is close to nil when you consider the easier alternatives, although I’m sure it won’t take long for someone to weaponize this exploit into existing frameworks. Meltdown is a very powerful privilege escalation attack, and I assume we’ll see it used much more reliably and frequently once it can be executed in a framework or standalone tool. With Spectre, however, we could see an easier delivery route: a weaponized drive-by JavaScript attack injected into a malicious site or malvertisement, so it’s important that you install the browser updates released to mitigate Spectre.
So with all of that being said, I think it’s important for organizations to take their time testing and implementing these patches rather than risk taking systems offline. At the end of the day, these vulnerabilities disclose information from a system on which an attacker already has code execution anyway. Now let’s move on to the collection of resources I have on the details and mitigations of Meltdown and Spectre…so far.

Where they are similar:

  • Meltdown and Spectre exploitation requires code execution on the system
  • Both use speculative execution for part of the attack vector
  • Both are mitigated through software patching

Where they differ:

  • Meltdown affects Intel, Apple (maybe others)
  • Spectre affects Intel, Apple, ARM, AMD
  • Meltdown uses Intel privilege escalation + speculative execution for the full attack method
  • Spectre uses branch prediction + speculative execution for the full attack method
  • Meltdown allows reading kernel memory from user space
  • Spectre allows reading memory from other users’ running processes

This repository contains several applications demonstrating the Meltdown bug:
https://github.com/IAIK/meltdown

Meltdown PoC: https://github.com/GitMirar/meltdown-poc

Meltdown PoC: https://github.com/paboldin/meltdown-exploit

Spectre PoC: https://github.com/mniip/spectre-meltdown-poc

Spectre PoC: https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6

I listed some PoCs, but as mentioned in the practicality link above, an adversary would have to perform quite a bit of debugging to execute these attacks on various architectures.

An issue that has been affecting the availability of the Meltdown patch on the Windows operating system is the pace at which antivirus companies are setting a specific registry key. When the AV on the system sets the key, this tells Windows that the installed AV application is compatible with Microsoft’s patch and that the patch can be installed successfully. Here is a Google Sheet that is being updated for various antivirus companies: Patch Compatibility, courtesy of Kevin Beaumont. Beaumont stated that SCCM, WSUS, and Windows Update will not deliver any further security updates if this registry key isn’t set. In addition, Windows Server will not enable the mitigations until some registry keys are set, even with the updates applied.

MELTDOWN PATCHING:

Meltdown patching can be summed up by what Linux calls Kernel Page Table Isolation (KPTI). Meltdown patches have been implemented for all major operating systems. Patching can cause performance drops of up to 30%. For more information on Meltdown and KPTI look here.

Microsoft has also provided a PowerShell module to validate success after patching. To install it, open a PowerShell (Posh) prompt and run: Install-Module SpeculationControl (article via TrustedSec). This article on TechNet shows how to verify Spectre/Meltdown protections remotely.
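As an added example (not from this post, Microsoft, or TrustedSec), here is a PowerShell sweep that ties the two Windows points above together: it reads the AV compatibility value and the Windows Server enable keys from the registry and, where the SpeculationControl module is installed, the Get-SpeculationControlSettings result, over a constructed host list. The registry paths, value names and the module’s property names are assumptions from my memory of Microsoft’s guidance rather than values quoted from the page, so verify them against the Microsoft advisory before relying on the report.

```powershell
# Added example; not the post's, Microsoft's or TrustedSec's code.
# Assumptions (verify against Microsoft's guidance): the QualityCompat value
# name below is the AV compatibility flag, FeatureSettingsOverride/Mask are
# the Windows Server enable keys, and the property names are those returned
# by Get-SpeculationControlSettings. $Computers is a constructed host list.
$Computers = @('ws-01', 'ws-02', 'srv-01')

$CheckBlock = {
    # AV compatibility flag that gates delivery of the January 2018 updates.
    $compatPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $compatName = 'cadca5fe-e7ab-4ce6-a1d8-f9ad3c18c7a7'
    $compat = Get-ItemProperty -Path $compatPath -Name $compatName -ErrorAction SilentlyContinue
    $avKeySet = ($null -ne $compat) -and ($compat.$compatName -eq 0)

    # Server-side enable switch; mitigations stay off on Windows Server until set.
    $mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $mm = Get-ItemProperty -Path $mmPath -ErrorAction SilentlyContinue
    $serverKeysSet = ($mm.FeatureSettingsOverride -eq 0) -and ($mm.FeatureSettingsOverrideMask -eq 3)

    # Microsoft's validation module, only if it has been installed on this host.
    $sc = $null
    if (Get-Module -ListAvailable -Name SpeculationControl) {
        Import-Module SpeculationControl
        $sc = Get-SpeculationControlSettings
    }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        AVCompatKeySet = $avKeySet
        ServerKeysSet  = $serverKeysSet
        KVAShadow      = if ($sc) { $sc.KVAShadowWindowsSupportEnabled } else { 'module missing' }
        BTIEnabled     = if ($sc) { $sc.BTIWindowsSupportEnabled } else { 'module missing' }
        BTIHardware    = if ($sc) { $sc.BTIHardwarePresent } else { 'module missing' }
    }
}

# Collect one row per reachable host; unreachable hosts are reported as errors, not dropped silently.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $CheckBlock -ErrorAction Continue
$results | Select-Object Computer, AVCompatKeySet, ServerKeysSet, KVAShadow, BTIEnabled, BTIHardware |
    Format-Table -AutoSize

# Hosts without the AV flag will not receive the update via WSUS/SCCM/Windows Update.
$results | Where-Object { -not $_.AVCompatKeySet } |
    Export-Csv -Path .\needs-av-key.csv -NoTypeInformation
```

Run it from a host with WinRM access to the targets; the CSV gives the list to hand to whoever manages the AV deployment.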

You can check whether your Linux systems are vulnerable to Meltdown with this tool:
https://github.com/raphaelsc/Am-I-affected-by-Meltdown
or with this one:
https://github.com/speed47/spectre-meltdown-checker

SPECTRE PATCHING:

Mitigations for Spectre: Chrome

Enable Strict Site Isolation flag in Chrome for individuals and organization-wide if using GSuite as well as applying the latest update for Chrome. Enabling Strict Site Isolation hasn’t had a noticeable impact on performance based on my testing.

Mitigations for Spectre: Firefox

Update to the latest version of Firefox to disable SharedArrayBuffer automatically which will help mitigate Spectre.

You can check if your browser is vulnerable to Spectre by using this site http://xlab.tencent.com/special/spectre/spectre_check.html

A note about Qubes OS:

I have been using Qubes for about a month as a daily driver for my job as a programmer, and I plan on writing an article about the experience…stay tuned for more! Since the news of Meltdown I have been looking for an official statement from Qubes, and here it is. Basically, it states that (depending on some hardware requirements as well as OS version) Qubes does protect fully against Meltdown, and that it will be significantly harder to exploit Spectre. Read more here.

DETECTION:

Endgame has written an article that explains how to detect Spectre and Meltdown using hardware performance counters.

ENTERPRISE ACTION PLAN:

This action plan is provided by RenditionSec:

“six step action plan for dealing with Meltdown and Spectre.”

  1. Step up your monitoring plan
  2. Reconsider cohabitation of data with different protection requirements
  3. Review your change management procedures
  4. Examine procurement and refresh intervals
  5. Evaluate the security of your hosted applications
  6. Have an executive communications plan

https://www.renditioninfosec.com/2018/01/meltdown-and-sceptre-enterprise-action-plan/

FURTHER INFORMATION:

A SANS webcast explains the two vulnerabilities in an easily digestible way and can be found here: Understanding and Mitigating the Threats – Jake Williams

An updated version of the SANS webcast can be found here as well as a link to the slides:

CONCLUSION:

The best site that collects details and mitigations on Meltdown and Spectre can be found here: https://meltdownattack.com/ I will be updating this post as new information arrives, but reach out to me @BLTSEC with suggestions or mistakes you may have found. Thanks!