Meltdown and Spectre Vulnerability

Published On: Feb 22, 2018 07:03

Advisory No:

Source:  Google, National Cybersecurity and Communications Integration Center (NCCIC).

Software Affected:

Overview

Description

Date of First Release: 2018-01-03. Source: Google, National Cybersecurity and Communications Integration Center (NCCIC). Product affected:  Modern microprocessors (CPUs) which use speculative execution techniques to optimize performance including AMD, Apple, Arm, Google, Intel, Linux Kernel, Microsoft, Mozilla and other more. Overview: CPU hardware implementations are vulnerable to side-channel attacks. These vulnerabilities are also referred as Meltdown and Spectre; they do affect most modern processors (CPUs) which use speculative execution technique to optimize performance. Description: The vulnerability is due to improper implementation of the speculative execution of instructions by the affected software. This vulnerability can be triggered by utilizing branch target injection. An attacker could exploit this vulnerability by executing arbitrary code and performing a side-channel attack on a targeted system. A successful exploit could allow the attacker to read sensitive memory information, including accessing memory from the CPU cache. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, exploitation has been carried out against real software. Impact: A successful exploit could allow attacker to execute arbitrary code with user privileges to achieve various impacts on targeted systems including; gaining access to sensitive information, accessing CPU cache memory and weaken kernel-level protections. Moreover, further findings have revealed gradual systems performance degradation up to 30 percent as well as availability issues in some cloud services. Solution: Users and administrators are encouraged to refer to their OS vendors to avail the most recent information and apply patches. However, it has been established that, in some cases, patching may not fully address these vulnerabilities since they exist in CPU architecture rather than in software. In this regard, replacement of the affected processor with the new one may be deemed necessary in the worst case scenario. Additionally, users and administrators who rely on cloud infrastructure should work with their service providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting. References:

  1. https://www.us-cert.gov/ncas/alerts/TA18-004A
  2. https://www.kb.cert.org/vuls/id/584653
  3. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel
  4. https://www.jamf.com/jamf-nation/discussions/26646/cpu-hardware-vulnerable-to-side-channel-attacks-meltdown-and-spectre
  5. https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
  6. https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Impact

A successful exploit could allow attacker to execute arbitrary code with user privileges to achieve various impacts on targeted systems including; gaining access to sensitive information, accessing CPU cache memory and weaken kernel-level protections. Moreover, further findings have revealed gradual systems performance degradation up to 30 percent as well as availability issues in some cloud services.

Solution

Users and administrators are encouraged to refer to their OS vendors to avail the most recent information and apply patches. However, it has been established that, in some cases, patching may not fully address these vulnerabilities since they exist in CPU architecture rather than in software. In this regard, replacement of the affected processor with the new one may be deemed necessary in the worst case scenario. Additionally, users and administrators who rely on cloud infrastructure should work with their service providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting.

References

Subscribe To TZ - CERT Newsletter

A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.

Subscribe
Report Incident