January 5, 2018

Independent computer security researchers from Google’s Project Zero, Cyberus Technology, and Graz University have discovered two major security flaws in the microprocessors (CPUs) inside nearly all of the world’s computers. The two CPU design flaws, called Meltdown and Spectre, could allow hackers to steal the entire memory contents of mobile devices, personal computers, servers, and cloud networks.

Meltdown is a vulnerability that allows hackers to bypass the hardware barrier between user applications and the computer’s core memory. Core memory is normally isolated and highly protected. On vulnerable systems, Meltdown allows user programs to read from private and sensitive kernel address spaces, including kernel-sharing sandboxes like Docker. This vulnerability cannot be completely fixed by software; however, Google, Apple, Red Hat, Microsoft, and other operating system vendors are working towards a fix and providing patches. Intel CPUs are affected by this vulnerability, although AMD and ARM appear to be immune to Meltdown (with the exception of ARM’s upcoming Cortex-A75, which is impacted). Any fixes to this vulnerability can reduce CPU performance.

Spectre is a vulnerability that may allow malicious processes to access the contents of other programs’ mapped memory. It could potentially allow hackers to trick programs into exposing confidential information via a side channel during speculative execution (see below).

What is the issue?

The chip’s kernel is leaking memory because of how it handles a core capability known as speculative execution. Speculative execution is an optimization technique where a computer system performs a selected task that may not actually be required. All modern CPUs adopt this technique (to one degree or another) to increase CPU performance by allowing the core to perform calculations it may need in the future. An attacker can exploit the CPU’s vulnerabilities to expose extremely sensitive data in your protected kernel memory, such as cryptographic keys, passwords, personally identifiable information, and emails, among other data.

How serious?

Meltdown is probably one of the worst CPU bugs ever found, according to Daniel Gruss, who discovered the flaw. This problem needs immediate attention. Anything that runs as an application could, in theory, steal your data, including something as simple as JavaScript from a web page viewed in a browser. Spectre is more of a hardware vulnerability: a favorable situation during execution that hackers can take advantage of. It is harder for hackers to exploit, but it is also more difficult to fix, a chronic condition without a cure at this time. A point to note here is that the nature of the fixes needed to protect against Meltdown could have a significant performance impact. Some experts speculate the fixes would slow performance of certain tasks by 30%. The good news is that general browsing and computing activities are unlikely to be affected, though there could be a performance impact in areas where there is intense file I/O activity. For example, virtualized environments can become slower.

How do I know if my system is at risk?

The short answer is:  It is.

Google says “effectively every” Intel processor released since 1995 is vulnerable to Meltdown, regardless of the operating system you’re running. Chips from Intel, AMD, and ARM are susceptible to Spectre attacks, though AMD says its hardware has “zero” and “near zero” risk to the two known Spectre variants because of the way its chip architecture is designed.

What can I do to mitigate the issue?

The best thing to do right now is update your system with operating system and other patches related to this vulnerability issued by the operating system vendors.

Many vendors have issued patches/updates to mitigate the vulnerabilities:

  1. Mozilla released an advisory stating that older versions of Firefox are susceptible to these attacks. All Firefox users should upgrade to Firefox 57 for the extra protection.
  2. Red Hat has released an advisory.
  3. Google has posted a list of affected products and will be providing updates.
  4. Chrome is expected to be patched on January 23, 2018.
  5. Apple quietly protected against Meltdown in macOS High Sierra 10.13.2, which was released on December 6, according to developer Alex Ionescu. Additional safeguards will be found in macOS 10.13.3, he says. Apple will be providing its patches shortly for other macOS versions. Apple has not made clear whether iPhones and iPads are at risk.
  6. Major cloud services providers including Amazon Web Services, Google Cloud Platform, and Microsoft Azure have already patched the majority of their services and will be releasing fixes for the rest in the near future.
  7. Reports say Google has updated the majority of its systems; however, some additional customer action might be needed.
  8. Microsoft provided a list of products that are affected.
  9. Microsoft Azure released an advisory.
  10. Nvidia has released an advisory stating that they believe their GPUs are not affected by this but will continue investigating.

You can also check US-CERT (United States Computer Emergency Readiness Team) for a comprehensive vendor list in their latest alert.

This is a changing situation, so please keep checking the websites of your device makers, operating system vendors, and service providers for further updates. Install the available patches/updates as soon as possible. As always, before deploying any patches/updates on a critical server, make sure to deploy the patches in your test environments and ensure that your organizational backup policies are fully implemented.
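
After patching a Linux system, the kernel's own status report can confirm whether the Meltdown and Spectre mitigations are active. The script below is an added example, not part of the original post; it assumes a Linux kernel recent enough to expose /sys/devices/system/cpu/vulnerabilities, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarize what the Linux
# kernel reports for Meltdown and the two Spectre variants.
# Assumption: the kernel exposes the sysfs directory below; kernels without
# the January 2018 updates do not have it and are reported as "unknown".
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS -> prints ok | mitigated | vulnerable | unknown
# The kernel writes "Not affected", "Vulnerable[: detail]" or
# "Mitigation: <name>" as the first line of each file.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_cpu_vulns [DIR]
# Prints "<issue> <class> <raw kernel status>" for each issue.
# Returns 0 only when every issue is "ok" or "mitigated".
report_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ -r "$file" ]; then
            status=$(head -n 1 "$file")
            class=$(classify_status "$status")
        else
            status="no kernel report (unpatched kernel or not Linux)"
            class=unknown
        fi
        [ "$class" = ok ] || [ "$class" = mitigated ] || rc=1
        printf '%s %s %s\n' "$name" "$class" "$status"
    done
    return $rc
}

# Check the live system; a non-zero result means follow-up is needed.
report_cpu_vulns || echo "At least one issue is not confirmed mitigated."
```

A non-zero return is suitable for a fleet-wide compliance check: run it after the vendor updates listed above are installed and flag any host that still reports "vulnerable" or "unknown".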

Blog by REI Systems’ Srikanth Devarajan (Enterprise Architect) and Narpender Bawa (Director, Information Security)