The Meltdown and Spectre hardware bugs impact almost every CPU built in the past 10 years (and possibly longer) and allow a low-permission application, potentially even JavaScript code, to read kernel memory. Exploitation is carried out by abusing hardware level optimization in modern CPUs. At the time of publication, this technique has been demonstrated mostly on Intel processors, but there are also abuses against AMD and ARM processors. An important item to note is that these bugs do not use any OS services, making it particularly hard to detect and mitigate at the software level. Currently, these bugs cannot be detected by any modern security solution (it’s also unlikely that many security solutions protect against this attack).
In modern computers, code is separated into two areas: user code, which runs the programs you use every day, and kernel code, which is used to run the operating system. The kernel is a highly privileged area of the computer that controls it’s execution and stores critical data.
How meltdown and spectre could lead to attacks
By allowing regular and even browser-based programs to read kernel memory, the secrecy of kernel data is violated. This could allow two types of attacks:
- Information leak - A low-privilege application may read secret memory and leak it out. This might include keys.
- Stepping stone for further attacks - Modern defense mechanisms (such as KASLR) leverage the fact that the kernel memory addresses are secret and harder to exploit than other kernel components to take over a computer. This bug makes kernel-based attacks easier by enabling attackers to read kernel memory.
How to mitigate this threat
The major OS vendors and cloud providers are issuing patches for their operating systems. These patches (known as KAISER in Linux) introduce an additional separation of kernel and application memory. This new separation ensures that most known mechanism to exploit these bugs are blocked at the core: not only is the application unable to read the memory, from the specific application’s point of view, the memory simply isn’t there.
The main drawback of these changes is that they impact performance whenever a user-application interacts with the kernel (known as syscall). These interactions happen whenever an application attempts to read files, communicate with the network or even draw something on screen. These changes may reduce the performance of chips from 5 percent to as much as 30 percent of the total compute power, depending on the load. In any case, applying critical security patches as soon as possible is always recommended.
Cloud vendors are likely to bring their infrastructure down for a maintenance reboot and everyone should patch their systems. This is especially critical for endpoint machines since they are most vulnerable to browser-based attacks.
In the coming days, computer hardware vendors will start publishing firmware update code. This firmware includes patches from Intel and changes to microcode to make exploiting this code harder. Microcode is code from the CPU vendor that manages the CPU. Applying those patches is also recommended.
endpoint mitigation measures
A JavaScript implementation of this exploit may exist, making browser protection very important. Chrome users should enable “strict site isolation”, a new beta feature from Google, by following the instructions in this link.
Firefox users should pay close attention to updates. Mozilla is pushing a version update that will add mitigations for JavaScript-based attacks using the Spectre and Meltdown bugs. And apply critical bug fixes from OS vendors, especially on endpoints, as soon as possible.
If you are a Windows user, read this page with instructions and additional information from Microsoft. Microsoft’s patch is incompatible with many antivirus products so users need to verify that their antivirus program works with the patch. See this page for more details.
If you are a macOS user, Apple pushed out patches that contain a mitigation. Make sure that all of your endpoints running macOS are updated with the latest patches.
For Linux users, install the latest security patches. This apples to “Linux for Windows” users as well.
How Cybereason Handles the fallout from meltdown, spectre
These bugs are nearly impossible to detect or block by any antivirus, next-generation antivirus or EDR product, and could be used by attackers to enter an environment. The best approach for protecting against an attack exploiting these vulnerabilities is to have a hunting engine constantly looking at everything that happens in your environment and then correlate those events in real time to detect malicious behavior.
Cybereason’s unique architecture ensures our customers are protected against attacks that use these bugs by offering post-execution detection. The platform detects and protects against steps attackers take once they’re in an environment, including lateral movement and command-and-control communication.
Want to learn more about Meltdown and Spectre? Then listen to a webinar Striem-Amit hosted on mitigation measures that companies can take.