Serious Meltdown and Spectre Flaws Make CPUs ExploitableModern Processors From Intel, AMD and ARM Vulnerable to Kernel Data Theft
"Replace CPU hardware."
That's the only full solution listed by Carnegie Mellon University's CERT Coordination Center for serious flaws in microprocessors that run millions of PCs, cloud services, servers, smartphones and other devices.
Thankfully, many security experts believe that full-blown hardware replacement is an option that few individuals or organizations will have to seriously consider when mitigating the flaws.
But they do recommend patching without delay (see Meltdown and Spectre: Patches and Workarounds Appear).
The CPU flaws, known as Spectre and Meltdown, exist in millions of modern processors built by Intel, AMD and ARM, leaving them and the operating systems that run their hardware vulnerable to remote attacks that could steal data directly from the systems. In particular, information leaks could be triggered via side effects of speculative execution, a CPU optimization technique, to steal data from the kernel, which is the code that runs CPUs. Such attacks could leave encryption keys, passwords and sensitive data in open and running applications exposed to remote attackers.
"Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, [potentially malicious] applications can access system memory," according to a group of researchers who independently discovered the flaws. "Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location."
The researchers say exploitations of Meltdown or Spectre would likely leave no trace.
The attacks could also be used to gain access to all instances on a virtual machine or cloud server. "Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host," Google's Matt Linton and Pat Parseghian say in a blog post.
The only full fix comes by replacing flawed processors, which in practice would mean acquiring new systems. "The underlying vulnerability is primarily caused by CPU architecture design choices," CERT/CC's vulnerability alert reads. "Fully removing the vulnerability requires replacing vulnerable CPU hardware."
Thankfully, patches and workarounds for the flaw are starting to appear. Some reports have suggested that the workarounds may result in decreased processor speed because the fixes require disabling "speculative execution," which is a time-saving feature.
Intel, however, has tried to downplay such assertions. "Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time," Intel says in a security alert.
Three Attacks Identified
Researchers have identified three attacks that could be used to exploit vulnerable processors:
- Variant 1: Bounds check bypass (CVE-2017-5753);
- Variant 2: Branch target injection (CVE-2017-5715);
- Variant 3: Rogue data cache load (CVE-2017-5754).
The Spectre attack refers to attack variant one and two; Meltdown refers to variant three.
"For a few Intel and AMD CPU models, we have exploits that work against real software," Google's researchers report.
"All three attack variants can allow a process with normal user privileges to perform unauthorized reads of memory data, which may contain sensitive information such as passwords, cryptographic key material, etc.," they say. "There is no single fix for all three attack variants; each requires protection independently. Many vendors have patches available for one or more of these attacks."
Real-World Threat: Mostly Low
Patch but don't panic, security experts advise. "This is the sort of problem that affects vast swathes of machines, is serious enough that it needs to be fixed but the likelihood of it being used - if you practice good security hygiene - is relatively low," says Alan Woodward, a computer science professor at the University of Surrey.
In part, that's because it's not clear that Spectre or Meltdown attacks are practical for anyone except well-resourced nation-states' intelligence apparatuses.
"It's remarkably hard to make use of snippets of memory you can retrieve anyway. Think about Heartbleed," Woodward says, referring to a vulnerability in OpenSSL, an open-source implementation of the SSL and TLS protocols that's used to secure data sent between clients and servers, that was discovered and publicly detailed in 2014, when patches and fixes were released (see Heartbleed Lingers: Nearly 180,000 Servers Still Vulnerable).
"Was it ever actually used in the wild by criminals?" he says. "This is the [same] sort of complex side-channel attack that you use against high-value targets - it takes a lot of effort, assuming it hasn't been closed off altogether already by patching, and the return is not that great. It may be used by nation-states, but criminals like easier meat. I'd worry about ransomware more."
Coordination Comes Apart
Google's Project Zero says it developed proof-of-concept exploits for Meltdown and Spectre and reported the flaws to Intel, AMD and ARM on June 1, 2017. As part of a coordinated vulnerability program, all involved researchers and notified organizations agreed to not publicly announce the flaw until Jan. 9. But efforts by other researchers led to increased attention on the flaw, leading Google and others to publish full details of the vulnerability on Wednesday.
"I must confess a few of us thought there was something bubbling under when we saw the research papers earlier last year," Woodward says, referring to the Meltdown and Spectre research. "That obviously spurred others" - notably Google - "to look more closely."
Bug bounty expert Katie Moussouris, CEO of consultancy Luta Security, says the premature disclosure demonstrates the difficulty of attempting to coordinate so many organizations and such big fixes.
Today, infosec Twitter (re)learned the following are hard:— Katie Moussouris (@k8em0) January 3, 2018
1. Fixing design bugs in chips
2. Multiparty Coordinated Vuln Disclosure
3. Differentiating authoritative fact vs speculative hype
4. Holding embargoes
5. Naming things so they don't sound goofy #Meltdown #Spectre pic.twitter.com/K6lSqfwmQu
Intel CEO's Stock Trades Raise Questions
One senior executive whose company's wares are vulnerable to Meltdown and Sceptre is facing questions about whether he inappropriately used knowledge of the vulnerability information in advance of it being made public, for personal gain.
A Securities and Exchange Commission filing in late November by Intel reported that CEO Brian Krzanich sold a large chunk of his Intel stock for about $39 million, apparently netting about $25 million. According to a Motley Fool report, that move left Krzanich with the bare minimum of stock that an Intel CEO would be required to own.
In the wake of last year's Equifax breach, the SEC has signaled that it plans to tighten requirements for when senior executives are allowed to sell stock, including during the period after which a security problem has been discovered, but before it has been made public (see SEC Plans Cybersecurity Guidance Refresh: What to Expect).
But an Intel spokeswoman tells Information Security Media Group that "Brian Krzanich's sale is unrelated" to the timing of the CPU flaws being discovered or remedied. "It was made pursuant to a pre-arranged stock sale plan (10b5-1) with an automated sale schedule," she says. "Brian continues to hold shares in-line with corporate guidelines."
Patching: The Long Tail
Rather than replacing devices that have vulnerable processors, many information security experts expect that patches and workarounds now being rushed out will be good enough for many, and that only critical environments might need to look at ripping and replacing systems that use the flawed CPUs.
But as previous flaws of this nature have shown, many devices never get patched and continue to be used. And that leaves those organizations and individuals at increased risk from malware-wielding attackers.
"The patches will be available within days, but as with Heartbleed there will be a long tail of those who don't patch," Woodward says. "Obviously, it'll need to be designed out in the microarchitecture of future chips, but the interesting technical question is how can they maintain performance without the sort of mechanism that this is exploiting."
Cybersecurity expert Chris Pierson, CEO of risk advisory firm Binary Sun Cyber, says the CPU flaws are a reminder that engineers need to be taught not just how to build great technology but also more secure technology. "We need to focus on how we are training our engineers to imagine differently and attack what they create to ensure more secure systems from the ground up," he says.
Lessons to Learn
As with Heartbleed and other flaws discovered before and since, the future will inevitably see more major flaws get discovered that put a large swath of a business's systems at risk, says David Stubley, head of Edinburgh, Scotland-based incident response and penetration testing firm 7 Elements.
So plan for these types of scenarios in advance in part by putting in layers of information security defenses designed to block undiscovered attacks from succeeding. "Obviously, prevention is better than cure, and putting in place defenses against attacks should always be a priority," he says. But ideally, organizations will also be practicing a risk-based approach that prioritizes "detecting problems, reacting to them and recovering as quickly as possible," no matter what they are, he says (see Ransomware School: Learn Lessons From How Others Fail).