Cybereason Blog | Cybersecurity News and Analysis

Meltdown and Spectre Questions Answered

Written by Fred O'Connor | Jan 8, 2018 9:04:12 PM

From how Spectre and Meltdown differ, to how patching will impact machine performance, to what's behind the news that applying patches will blue screen computers, Cybereason CTO Yonatan Striem-Amit received several questions from people who attended our webinar on what security professionals should know about these hardware flaws. In this blog, he answers many of those questions. If you want to learn more about these vulnerabilities, including what mitigation measures to implement, check out a blog Striem-Amit wrote.

Are Spectre and Meltdown separate flaws?

Spectre and Meltdown are very similar flaws, but they are actually three separate vulnerabilities. Meltdown is specific to Intel processors and is, by far, more easily exploitable. It is also more easily mitigated and is addressed by recent patches from Microsoft, Apple and Linux. Spectre is an attack against two classes of issues, affecting Intel, AMD and ARM CPUs. These attacks are harder to exploit, but also much harder to mitigate. OS and CPU vendors are still trying to figure out the best mitigations.

Would pcaps allow you to detect the IOCs for these attacks?

Generally, no. Some manifestations of these attacks will use plain-text JavaScript code that might be detectable by network traffic. But these will be the exception.

Are networking devices at risk?

Both classes of attacks require the adversary to run low-privilege code on the attacked machine, so the risk to networking devices is low. The exception is devices that allow customer-controlled code. We may see bizarre things like attacks against printers by abusing PostScript code, but, to the best of my knowledge, this hasn't happened.

Just for clarification, the new Windows patch will not patch the vulnerability unless a regkey is set?

Correct. The Microsoft patches are inactive unless explicitly activated by an antivirus solution running on the machine. They have a high risk of blue-screening the machine if activated with an unsupported antivirus.

From a monitoring perspective, are there not kernel-based codes that are sent to logs for detection purposes?

Generally there’s very little that is loggable. That’s the risk of this attack. It can be done with almost no interaction between the software running and the kernel. There are some minor side effects that can potentially be used for detection and we’re researching these options.

How would an exploit be delivered and is the risk rating critical?

The most likely scenario is using malicious JavaScript. For example, malvertising could be used. That's when malicious JavaScript code is used in an advertisement placed on a legitimate website. Other malware could use this technique as well, and it is likely to become a tool used by hackers to circumvent kernel protection. The risk when using JavaScript: critical. An example would be malicious JavaScript code that can read the contents of the kernel or of other tabs and steal user names and passwords.

Is a firmware update enough or does it have to be combined with OS patching to be effective?

This is unclear since the firmware patch isn't publicly available yet. Early signs indicate that a firmware update has to be combined with OS patching.

Is this a CPU bug? If so, is a firmware update sufficient?

These are CPU bugs that are inherent to the design of processors built over the past 20 years. See my answer to the previous question about only updating firmware.

You mentioned that AMD is also affected. However, some media reports say that AMD is not impacted. Do you think AMD may soon admit that it has an issue, or is there a reason for the vendor to deny any risk?

Meltdown only affects Intel CPUs, is easier to exploit and poses greater risk. It’s also easier to mitigate against it. Spectre affects Intel, AMD and ARM CPUs. AMD is technically correct in saying that it’s not affected by Meltdown, but their decision to downplay the Spectre vulnerability is a marketing trick to bash Intel.

Some network security firms have developed signatures for detecting JavaScript exploitation of these attacks. Do you think these would be effective?

I doubt it. Obfuscating JavaScript is very easy. Network security firms will create a signature for the non-obfuscated version that will be used to demonstrate these attacks, but attackers will have a very easy time evading these detections.

Our environment is 80 percent virtual. What impact would Meltdown and Spectre have on virtual machines?

Patching your host could lead to performance degradation ranging from 5 percent to 30 percent. But performance degradation is very workload specific and really depends on your environment. We've seen machines increase their load by 20 percent on virtual environments, while others have shown almost no impact. Initial indicators show that the more I/O intensive your workload is, the more impact patching will have.

You mentioned that newer CPUs should experience minimal performance impact. Where can I find out if the CPUs in my servers are among those that will be impacted?

Intel CPUs from Haswell onward (fourth-generation Core CPUs, v3-generation Xeon CPUs) support an extension called PCID (Process Context Identifier). This list from Intel shows which CPUs are Haswell. Any CPU with a newer number should have minimal impact.

If I patched the VMware hosts, do I also need to patch the guest Windows virtual machines?

Patching the host protects the host from malicious guests. Patching the guests protects the guest’s kernel from malicious low-privilege applications. The decision depends on your usage patterns. In general, patching is recommended.

Can you talk more about the news reports that Microsoft patches cause blue screens? Can we wait until Microsoft issues the next version of these patches?

The blue screens are mostly caused by third-party solutions, particularly antivirus software that isn't compatible with these changes, not by Microsoft code. Here's an analogy to better explain the situation: if the electric grid started transmitting power at 220 volts instead of 110 volts tomorrow, my TV would still fry even if the electric company handled the transition perfectly.

This is the case here. The Microsoft patch does what it needs to, but Microsoft said the patch is delivered as “Inactive” and will only be activated if either turned on manually or automatically by the antivirus vendors. You can apply the patches now because they will not be activated until your antivirus vendor patches their software.

One important note: while Microsoft may place the responsibility on antivirus vendors, their programs are not the only applications running on your machines. Other software, such as DLP or copy-protection programs, could also blue screen when enabling these patches. I strongly recommend that the activation of these patches be done in a cascade while ensuring compatibility with existing software.

If I understand correctly, the Windows patch will be available on Jan. 9 with the next patch release. However, the prevention mechanisms will be inactive and must be turned on once antivirus compatibility is confirmed?

The patch is available now, pushed as an out-of-band update. It will not be activated by Microsoft and requires explicit activation from antivirus vendors.
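A practical way to check the on/off state described in the two answers above (the patch being delivered inactive, and activation depending on the antivirus vendor), added here as an editor's example and not code from Cybereason or Microsoft: the script below reads the registry switches that Microsoft's published guidance for the January 2018 update (ADV180002 and the companion client and Windows Server articles) uses. Two distinct keys are involved. The QualityCompat value is the one antivirus vendors create to signal compatibility, and Windows Update withheld the patch until it was present; the FeatureSettingsOverride and FeatureSettingsOverrideMask values under Memory Management turn the mitigations on or off once the update is installed, with Microsoft's documented defaults being enabled on client editions and disabled on Windows Server. The registry paths, value names and the 0/3 encodings are Microsoft's; the helper names Get-RegDword and Set-SpeculationMitigation and the status messages are the editor's.

```powershell
# Added example (not Cybereason's or Microsoft's code): read the registry
# switches behind the "patch installed but inactive" state. Run elevated.
# Paths, value names and the 0/3 encodings are from Microsoft's guidance
# for the January 2018 update (ADV180002); the messages are the editor's.

$MemMgmt = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Compat  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$AvFlag  = 'cadca5fe-e7b2-4d9e-bdcd-5a0e7a0d2f1f'   # REG_DWORD, expected value 0

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Antivirus compatibility flag. Windows Update withheld the January 2018
#    update until an AV product (or an administrator) created this value.
$flag = Get-RegDword $Compat $AvFlag
if ($null -eq $flag) {
    Write-Output 'QualityCompat flag: absent (update not offered via Windows Update)'
} else {
    Write-Output ('QualityCompat flag: present, value {0}' -f $flag)
}

# 2. Mitigation override. Documented encodings:
#      Override=0, Mask=3  -> mitigations enabled
#      Override=3, Mask=3  -> mitigations disabled
#      both absent         -> OS default (enabled on client, disabled on Server)
$override = Get-RegDword $MemMgmt 'FeatureSettingsOverride'
$mask     = Get-RegDword $MemMgmt 'FeatureSettingsOverrideMask'
$state = switch ($true) {
    ($null -eq $override -and $null -eq $mask) { 'OS default' }
    ($override -eq 0 -and $mask -eq 3)         { 'explicitly ENABLED' }
    ($override -eq 3 -and $mask -eq 3)         { 'explicitly DISABLED' }
    default { 'non-standard (Override={0}, Mask={1})' -f $override, $mask }
}
Write-Output "Speculative-execution mitigations: $state"

# 3. Authoritative view, if Microsoft's SpeculationControl module is installed
#    (Install-Module SpeculationControl -Scope CurrentUser).
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
} else {
    Write-Output 'SpeculationControl module not installed; skipping hardware/OS support report.'
}

function Set-SpeculationMitigation {
    # Writes the documented override pair; a reboot is required for it to take effect.
    # Supports -WhatIf so the change can be previewed during a staged rollout.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][bool]$Enabled)
    $value = if ($Enabled) { 0 } else { 3 }
    if ($PSCmdlet.ShouldProcess($MemMgmt, "set FeatureSettingsOverride=$value, Mask=3")) {
        Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverride     -Value $value -Type DWord
        Set-ItemProperty -Path $MemMgmt -Name FeatureSettingsOverrideMask -Value 3      -Type DWord
    }
}
# Preview only, no change written: Set-SpeculationMitigation -Enabled $true -WhatIf
```

Running the read-only part on each host before and after an antivirus upgrade gives the per-machine evidence for the cascaded rollout recommended earlier: the QualityCompat flag tells you whether the update was even offered, the override pair tells you whether someone has forced the mitigations on or off, and Get-SpeculationControlSettings reports whether the CPU microcode and the OS both support them.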

Are there any problems with the Windows patch on/off state when migrating from one antivirus vendor to another? For example, uninstalling the default antispam software and using one that's approved by the company?

Assuming that both antivirus programs support the patch correctly, there shouldn't be a problem. If the removed antivirus software doesn't support the patch, you should be fine. But if the antivirus program being installed doesn't support it, you risk getting a blue screen.

What is the common vector for those attacks?

These attacks are vector independent. We’ll likely see a lot of use in JavaScript-based malware.

Are there any solutions for an older OS?

There is no solution for older OSs. Microsoft said it will not back-port the patches to unsupported systems.

What’s the risk level for medical machines that run proprietary software and never connect to the Internet?

This risk is relatively low. These exploits require the ability to run low-privilege code. Oftentimes it's difficult to know if a medical device is really at risk. With that said, I recommend talking to someone to make sure there's really no ability to run this code. In general, given the attacks we saw last year (such as WannaCry), I strongly recommend fully patching medical devices and any other industrial device.

Both chip manufacturers and software vendors are releasing patches for Meltdown. Are both needed for total remediation?

Intel and Microsoft patches are needed to protect machines from Meltdown while vendor patches are needed to ensure that these patches are active.

Are virtual machines running on affected hardware susceptible within the virtual machine itself?

Virtual machines running on susceptible hardware may attack the host and read its content and potentially read content from other hosts. Virtual machines running on susceptible hardware are vulnerable to being attacked from low-privilege code running within the virtual machine.

Learn how Cybereason can help companies handle the fallout from Meltdown and Spectre.