Last week we covered the Spectre and Meltdown revelations: announcements from academics and industry experts about a couple of ways to manipulate the functionality of CPUs to harvest data from memory which should be hidden.
Since we released our advisory (not to mention the blog) we have had feedback from customers and colleagues which has led to some lively discussion. Why so lively, you might ask? Well, we rated these announcements as critical and recommended that you all get patching when you can. We would like to use this week’s blog to clarify what we mean and why.
Taking it from the top and to make sure we are all on the same page, let’s review the facts, hopefully in an unambiguous way (shots fired, hands over ears, incoming).
The Spectre and Meltdown vulnerabilities exploit processor functions which are intended to increase performance. However, this comes at the expense of security, because the optimisation techniques run outside of program security controls. Unfortunately, once they have worked their optimisation magic, the data fetched is exposed to the naughty exploiting code.
- Spectre affects pretty much every CPU ever; Meltdown affects all Intel chips.
- These features of chips have been exploitable for years (1995 onwards).
- Because of where and how the instructions are executed, there will be no logs generated. Equally, the code to exploit these features is not detectable by traditional antivirus, intrusion prevention or other security controls. Have these been used against you in the past? Who knows.
- Proof of concept code for both is in the wild currently and we believe it is only a matter of time before they become part of criminal malware attacks.
- Azure and AWS patched their environments post haste following the announcements. What do they know?
If you have any issues with the above, please fill in the comments form below and we can arrange a debate. We will win.
So what should you patch and why, and what are the issues around patching?
The primary issue is that these are exploits against hardware – operating system patches will therefore have a few (in fact a truckload of) limitations:
- They may not solve the problem entirely.
- They will have to radically change the way that applications and memory interact.
- This will have performance issues: workload dependent, but people who are clocking high CPU or memory I/O on production applications will suffer from reduced performance.
- They may not play nicely with other applications (AntiVirus for instance).
- They may break stuff (in fact they do break stuff).
- You may have to actually patch your firmware, which is a total nightmare in an enterprise environment.
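Because an operating system patch may only partly solve the problem, it is worth checking what a patched machine actually reports. The following is an added example, not part of the original advisory: it reads the status files that patched Linux kernels publish under `/sys/devices/system/cpu/vulnerabilities`. The function names and the OK / ACTION / UNKNOWN verdicts are our own labels, and the sample host is constructed.

```python
"""Report Spectre/Meltdown mitigation status as the Linux kernel sees it."""
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Status files the kernel publishes for the issues discussed here.
CHECKS = {"meltdown": "Meltdown", "spectre_v1": "Spectre v1", "spectre_v2": "Spectre v2"}

def classify(status):
    """Map one kernel status line to OK / ACTION / UNKNOWN (our own labels)."""
    if status is None:
        # No file at all: this kernel does not expose the reporting interface.
        return "UNKNOWN"
    s = status.strip()
    if s == "Not affected" or s.startswith("Mitigation:"):
        return "OK"
    if s.startswith("Vulnerable"):
        return "ACTION"
    return "UNKNOWN"

def audit(sysfs_dir=SYSFS_DIR):
    """Return {issue: (verdict, raw status)} for every issue in CHECKS."""
    report = {}
    for fname, label in CHECKS.items():
        try:
            with open(os.path.join(sysfs_dir, fname)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = None
        report[label] = (classify(raw), raw)
    return report

def needs_attention(report):
    """Issues not confirmed as mitigated, sorted for stable output."""
    return sorted(k for k, (verdict, _) in report.items() if verdict != "OK")

def constructed_host():
    """Constructed sample: OS patch applied, Spectre v2 mitigation incomplete."""
    d = tempfile.mkdtemp()
    samples = {"meltdown": "Mitigation: PTI\n",
               "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n"}
    for name, text in samples.items():  # spectre_v1 deliberately left out
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    return d

if __name__ == "__main__":
    for issue, (verdict, raw) in audit().items():
        print(f"{issue:11} {verdict:8} {raw or 'not reported by this kernel'}")
```

A `Mitigation:` line is the kernel's own view of the machine; firmware updates still have to be confirmed with the hardware vendor.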
So what is the risk?
Amazon and Azure patched their stuff promptly because they have no control over the behaviour of the environments they host. If Customer X’s virtual environment is infected then world+dog’s data is at risk.
In the corporate world, having considered the issue, this is what we think:
User computing – Advice: Update but make sure to test first, check AntiVirus interoperability and all chipsets, be cautious with AMD devices.
There is a high risk that these issues will be exploited by organised crime, just like ETERNALBLUE (used in WannaCry etc.). The timeframes for this are not clear but PoC code is manifest on GitHub currently. Because of this, machines which access the Internet and receive inbound mail may fall victim to infection through phishing or via infected websites. Regular detection mechanisms which identify unusual activity to external hosts, or anomalous behaviour generally, may help identify this, but machine logs will not. Patches of user machines should be tested and implemented as soon as possible.
In targeted attacks, these techniques will augment well-established privilege escalation methods such as pass-the-hash and GoldenTicket because they can be used to read cached credentials, cryptographic keys and the like. We think that some nefarious outfits may have been doing this for some time, just saying.
Cloud computing – Advice: make sure that your cloud provider has patched.
Watch out for your CPU utilisation, especially in database-intensive applications.
Internal Server infrastructure – Advice: Your call
As professional security types, there is no way that we would advise against patching. However, if you have internal servers which have no access to the Internet, do not access Web Servers and do not receive content, you probably do not need to panic.
Infrastructure equipment (routers, firewalls and the like) – Advice: Vendor’s call
In order to exploit this shizzle an attacker needs to run fairly low-level code to trick the CPU into running instructions out of order (Meltdown) or speculatively executing code (Spectre, mwahaha). This is really hard on a closed device unless you already have shell access. Infrastructure devices with web interfaces that support JavaScript would be the exception to this rule. Cisco are becoming increasingly concerned about this vector.
Remote access equipment (virtual desktop, remote support, Citrix, RDP) – Advice: PATCH PATCH PATCH
In summary (in our opinion), these are very significant issues and they will haunt us for some time, like an, ermm, Spectre. Funny that. Time will tell.
If you would like us to discuss the risk of Meltdown and Spectre in your environment, please contact us at: [email protected] or call 0207 517 3900 and we will do our best to help. Please understand that we really do believe that this is coming down the road. Go over it, go under it but please don’t go through it.
At our annual security event on January 31st, held at the Banking Hall, we will be discussing this; we may even have two breakout rooms, one for the full argument and the other for those wishing to sign up to a course. If you haven’t registered you are missing a trick, as we have two of the world’s leading security experts as guest speakers:
- Ron Moultrie – Former Operations Director US National Security Agency
- Lt General Sir Graeme Lamb – Former Director of UK Special Forces and Commander of the British Field Army
It is going to be informative and entertaining, includes breakfast and lunch and gets you out of the office. There will be prizes. Subscribe here.