TRY HARDER: A Blog About Discovery
Author: Brennan Turner @BLTSEC
[Enterprise Security] Meltdown and Spectre
Where they are similar:
- Exploiting either Meltdown or Spectre requires code execution on the target system
- Both use speculative execution for part of the attack vector
- Both are mitigated through software patching
Where they differ:
- Meltdown affects Intel, Apple (maybe others)
- Spectre affects Intel, Apple, ARM, AMD
- Meltdown combines a privilege-check bypass on Intel CPUs with speculative execution for its full attack method
- Spectre uses Branch Prediction+Speculative Execution for full attack method
- Meltdown allows reading kernel memory from user space
- Spectre allows reading memory from other users' running processes
These repositories contain proof-of-concept applications demonstrating the Meltdown and Spectre bugs:
Meltdown PoC: https://github.com/GitMirar/meltdown-poc
Meltdown PoC: https://github.com/paboldin/meltdown-exploit
Spectre PoC: https://github.com/mniip/spectre-meltdown-poc
I listed some PoCs, but as mentioned in the practicality link above, an adversary would have to perform quite a bit of debugging to execute these attacks across the various architectures.
An issue that has been affecting the availability of the Meltdown patch on Windows is the rate at which antivirus vendors are setting a specific registry key. When the AV product on the system sets the key, it tells Windows that the installed AV is compatible with Microsoft's patch and that the patch can be installed successfully. Here is a Google Sheet that is being updated for various antivirus vendors: Patch Compatibility, courtesy of Kevin Beaumont. Beaumont stated that SCCM, WSUS, and Windows Update will not deliver any further security updates if this registry key isn't set. In addition, Windows Server will not enable the protections until some further registry keys are set, even with the updates applied.
Meltdown patching can be summed up by what Linux calls Kernel Page Table Isolation (KPTI). Meltdown patches have been implemented for all major operating systems. Patching can cause performance drops of up to 30%. For more information on Meltdown and KPTI, look here.
Microsoft has also provided a PowerShell module to validate success after patching. To install it, open a PowerShell (Posh) prompt and type: Install-Module SpeculationControl (article via TrustedSec). This article on TechNet shows how to verify Spectre/Meltdown protections remotely.
You can check whether your Linux systems are vulnerable to Meltdown via this tool https://github.com/raphaelsc/Am-I-affected-by-Meltdown or by using this tool.
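To tie the three checks above together (the AV-compatibility registry key, the SpeculationControl module's output, and the Linux side), here is an added PowerShell verification script. It is not code from the original post, from Microsoft, or from TrustedSec. It assumes the SpeculationControl module is already installed on every host it runs against, that the QualityCompat key and DWORD name are the ones Microsoft documented for the January 2018 updates, and, for the Linux function (run under PowerShell Core), that the kernel is 4.15 or later, which reports mitigation state under /sys/devices/system/cpu/vulnerabilities instead of the Am-I-affected-by-Meltdown tool linked above. The Get-SpectreMeltdownSummary wrapper reduces the module's many properties to the two questions an admin actually cares about.

```powershell
# Added example: verification helpers for the Meltdown/Spectre patch state on Windows and Linux.
# Assumptions: SpeculationControl module installed (Install-Module SpeculationControl);
# QualityCompat key/value as documented by Microsoft for the January 2018 updates;
# sysfs vulnerability files as exposed by Linux 4.15+ kernels.

function Test-QualityCompatKey {
    # The AV-compatibility flag. Windows Update only offers the January 2018
    # patches when this DWORD exists under QualityCompat and is set to 0.
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-e2e4-4f05-b3e8-ea6a6a5f4e1a'

    if (-not (Test-Path -Path $keyPath)) {
        return [pscustomobject]@{ KeyPresent = $false; Value = $null; PatchOffered = $false }
    }
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ KeyPresent = $true; Value = $null; PatchOffered = $false }
    }
    $val = $item.$valueName
    return [pscustomobject]@{ KeyPresent = $true; Value = $val; PatchOffered = ($val -eq 0) }
}

function Get-SpectreMeltdownSummary {
    param([string[]]$ComputerName)
    # Wraps Get-SpeculationControlSettings and reduces its output to:
    #  - MeltdownFixed: KVA shadow (Windows' KPTI) is either not needed or present and enabled
    #  - SpectreV2Fixed: branch target injection (BTI) mitigation is present in firmware
    #    (microcode) and in Windows, and is enabled
    #  - NeedsMicrocode: the OS side is patched but the CPU microcode is not
    $script = {
        $s = Get-SpeculationControlSettings
        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            MeltdownFixed  = (-not $s.KVAShadowRequired) -or
                             ($s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled)
            SpectreV2Fixed = $s.BTIHardwarePresent -and
                             $s.BTIWindowsSupportPresent -and $s.BTIWindowsSupportEnabled
            NeedsMicrocode = $s.BTIWindowsSupportPresent -and (-not $s.BTIHardwarePresent)
        }
    }
    if ($ComputerName) {
        # Remote check over WinRM, as in the TechNet article; the module must be
        # installed on each remote host, since the script block runs there.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $script
    } else {
        & $script
    }
}

function Get-LinuxSysfsStatus {
    # Linux 4.15+ reports per-vulnerability state in sysfs. "Mitigation: PTI" for
    # meltdown means KPTI is active; "Vulnerable" means the kernel is unpatched.
    $base = '/sys/devices/system/cpu/vulnerabilities'
    foreach ($name in 'meltdown', 'spectre_v1', 'spectre_v2') {
        $path = Join-Path -Path $base -ChildPath $name
        if (Test-Path -Path $path) {
            $status = (Get-Content -Path $path -Raw).Trim()
        } else {
            $status = 'unknown (kernel predates sysfs reporting; use the Am-I-affected tool)'
        }
        [pscustomobject]@{
            Vulnerability = $name
            Status        = $status
            Mitigated     = ($status -match '^(Mitigation|Not affected)')
        }
    }
}

# Usage (local Windows):  Test-QualityCompatKey; Get-SpectreMeltdownSummary
# Usage (remote Windows): Get-SpectreMeltdownSummary -ComputerName 'host1', 'host2'
# Usage (Linux, pwsh):    Get-LinuxSysfsStatus
```

The NeedsMicrocode field is the one most often overlooked: the Windows update alone leaves BTIHardwarePresent false until the OEM firmware or microcode update is applied, so a host can be "patched" from the WSUS report's point of view and still be unprotected against Spectre variant 2.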
Mitigations for Spectre: Chrome
Enable the Strict Site Isolation flag in Chrome, for individuals and organization-wide if you use G Suite, and apply the latest Chrome update. Enabling Strict Site Isolation hasn't had a noticeable impact on performance based on my testing.
Mitigations for Spectre: Firefox
Update to the latest version of Firefox, which disables SharedArrayBuffer automatically and helps mitigate Spectre.
You can check whether your browser is vulnerable to Spectre by using this site: http://xlab.tencent.com/special/spectre/spectre_check.html
A note about Qubes OS:
I have been using Qubes for about a month as a daily driver for my job as a programmer, and I plan on writing an article about the experience… stay tuned for more! Since the news of Meltdown I have been looking for an official statement from Qubes, and here it is. Basically, it states (depending on some hardware requirements as well as OS version) that Qubes does protect fully against Meltdown and that it will be significantly harder to exploit Spectre. Read more here.
Endgame has written an article that explains how to detect Spectre and Meltdown using hardware performance counters.
ENTERPRISE ACTION PLAN:
This action plan is provided by RenditionSec:
“six step action plan for dealing with Meltdown and Spectre.”
- Step up your monitoring plan
- Reconsider cohabitation of data with different protection requirements
- Review your change management procedures
- Examine procurement and refresh intervals
- Evaluate the security of your hosted applications
- Have an executive communications plan
A SANS webcast explains the two vulnerabilities in an easily digestible way and can be found here: Understanding and Mitigating the Threats – Jake Williams
An updated version of the SANS webcast can be found here as well as a link to the slides:
The best site that collects details and mitigations for Meltdown and Spectre can be found here: https://meltdownattack.com/ I will be updating this post as new information arrives, but reach out to me @BLTSEC with suggestions or mistakes you may have found. Thanks!