Ideal advisory re Meltdown and Spectre vulnerabilities

5 January 2018

Many of our contacts have asked for our take on the recent announcements relating to the Meltdown and Spectre vulnerabilities. In response, we have been working with our industry partners and have developed the summary briefing below. Hopefully this is useful beyond our immediate network.

Background

  • Both of these vulnerabilities exist due to processor hardware bugs and if exploited, allow programs to steal data which is currently being processed on the relevant computer.
  • Any computing device with a modern processor is vulnerable, which ultimately means all  Desktops, Laptops, Cloud Servers, Smartphones, and IoT devices are at risk.
  • Specific attacks to exploit these vulnerabilities to try and leverage confidential information stored in the memory of running programs are extremely difficult to detect as traces are not left in traditional log files.
  • The greatest area of risk is in shared-hosting scenarios. Fortunately, most cloud providers have already deployed security updates and those that haven’t are expected to do so shortly.
  • For end-users and those managing networks, the greatest risk these vulnerabilities pose is exploitation by malware seeking to gather information like usernames and passwords from systems.
  • As Meltdown and Spectre are locally exploitable conditions, they are not detectable over the network.
  • Antivirus programs can theoretically detect or block this attack by comparing binaries after they become known, but both Meltdown and Spectre are hard to distinguish from regular benign applications
  • Endpoint Protection technologies:  anti-exploitation mechanisms may not protect against exploiting of these vulnerabilities, as the disclosed vulnerabilities are memory read vulnerabilities. However they may be able to detect and prevent initial attack phases (e.g. a malicious EXE attempts to exploit the vulnerabilities)

Advisory

  • Users of shared-hosting (i.e. cloud) services should check with their service provider to confirm they’ve applied security updates to address these vulnerabilities.
  • Ensure that controls to restrict and control access to your hardware infrastructure are current.
  • Ensure you regularly update the passwords of root and any privileged user accounts that have local access to hardware on a periodic basis
  • Because these vulnerabilities affect the processors at the physical layer, the only way for the vulnerabilities to be fully addressed is for the processors to be replaced or to have a firmware update. Customers are encouraged to consult with their equipment manufacturers to patch or mitigate exposure.
  • Until then, the makers of operating systems can (and have) released patches that make the physical-layer vulnerabilities inaccessible. For all intents and purposes, it “patches” the vulnerabilities

 


Image ©David McHugh/Brighton Pictures