Author: ShadowSherlock
Editor: Devon Ackerman
UPDATE: March 2018
It seems we are nearing the end of the Spectre/Meltdown issues from a patch availability stand point.
INTEL
Patches for older versions of Intel Chipsets has been released – Haswell (4th-generation) and Broadwell (5th-generation). The performance hit will be about 10% to 20% for real world applications. Intel has also promised updates for the last generation of Core2 Duo chipsets.
All microcode updates are now being deployed by Windows updates, so as long as they are performing Windows patching this should not be too big of an issue.
https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates
Hardware changes to “fix” the vulnerability will first appear in the Cascade Lake processors which will start shipping in Q3 ’18.
https://newsroom.intel.com/editorials/advancing-security-silicon-level/
AMD
Specifically to address Spectre/Meltdown, Microsoft will also be issuing them through their Windows patching cycle.
https://support.microsoft.com/en-us/help/4073707/windows-operating-system-security-update-for-amd-based-devices
New AMD Chipset Exploits
BUT the drama continues with AMD… and things are getting decidedly worse. These are only being called “AMD Flaws”. Multiple NEW vulnerabilities were announced and the released within 24 hours.
Announcement: https://amdflaws.com/
Whitepaper: https://safefirmware.com/amdflaws_whitepaper.pdf
AMD Response: https://community.amd.com/community/amd-corporate/blog/2018/03/21/initial-amd-technical-assessment-of-cts-labs-research and https://www.amd.com/en/corporate/security-updates
3rd party Technical Review: https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/
UPDATE: February 2018
Intel has finally released patches for the Spectre 2 exploit these are for the Skylake, Kaby Lake, and Coffee Lake (6th, 7th, and 8th gen); as well as the X series and Xeon D processors. This does not address the earlier generations of the processors. Roughly these will be found in 2015 and older computers or computers that are in the mid to low market consumer computers. The older processor patch is still in development and will be released within the next month. It was prioritized that way due to industry refresh schedules and business impact.
RESOURCES
Update Announcement: https://newsroom.intel.com/news/latest-intel-security-news-updated-firmware-available/
Retpoline Whitepaper (PDF) – Intel: https://software.intel.com/sites/default/files/managed/1d/46/Retpoline-A-Branch-Target-Injection-Mitigation.pdf
Retpoline Whitepaper (blog) – Google: https://support.google.com/faqs/answer/7625886
UPDATE: January 2018 – #3
General Update
The following website is keeping track of most of the fixes (with a specific focus on their environment, but still a good resource and well laid out).
https://docs.ovh.com/fr/dedicated/information-about-meltdown-spectre-vulnerability-fixes/
This one is nice too, but clearly they are trying to sell other services (recommend that you turn on your ad and javascript blockers)
https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help
Even some patches that previously were released have been taken down for better solutions. Google apparently has a PoC fix for one vuln that has very little impact on performance.
Apple update
https://support.apple.com/en-us/HT208394
UPDATE: January 2018 – #2
MESSAGE
Reminder there are 3 exploits as part of the last announcement (Meltdown and Spectre – the latter are two bugs).
CVE-2017-5753: Known as Variant 1, a bounds check bypass
CVE-2017-5715: Known as Variant 2, branch target injection
CVE-2017-5754: Known as Variant 3, rogue data cache load
KEY ISSUES
This effects virtual environments and they need to be patched ASAP. AWS and Azure have already updated all of their cloud infrastructure. Clients will now have to patch their virtual machines. At this point (other than the tool Google has released) the fix that is expected from Intel should result in up to a 30% reduction in processor performance. Intel says it plans to have software and firmware updates available by January 12 to address the Spectre and Meltdown vulnerabilities in 90 percent of the affected processors sold since 2013. The flaws affect all processors sold for the past 20 years; Intel says that fixes for older processors will be available in the future. Many companies have issued advisories about the flaws.
MITIGATIONS
https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
All computers should have their BIOS upgraded as well as the OS and applications – this includes virtual machines. Recommend general security BP — patch systems quickly, network segmentation, etc. Constant monitoring of network activity and analysis of any irregular or unexpected traffic.
Microsoft Patch details
https://technet.microsoft.com/en-us/security/advisories
Jan 2018 Security Update
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/858123b8-25ca-e711-a957-000d3a33cf99
Intel Patch details:
https://newsroom.intel.com/news-releases/intel-issues-updates-protect-systems-security-exploits/
Macbooks
Apple has acknowledged that all Macbooks, iPads, iPhones are effected. Patches for iPads and iPhones were already released in late Nov /early Dec. They said a patch for the computers will be coming soon (few days): https://support.apple.com/en-us/HT208394
Other Similar Recent Exploits
Intel has had several big security bugs discovered this year. This article has a good overview of the issues and context.
http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-cve-2017-5689-intel-management-engine-vulnerability/
In late Nov there was a major Intel exploit was publicly announced: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086
And another one from the summer: https://security-center.intel.com/advisory.aspx?intelid=intel-sa-00075 and https://embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
UPDATE: January 2018
Official website (for all three bugs): www.meltdownattack.com
Original article: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
Google Security’s take: https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
PoC exploit code: https://twitter.com/pwnallthethings/status/948693961358667777
Vulnerabilities
CVE-2017-5753: Known as Variant 1, a bounds check bypass
CVE-2017-5715: Known as Variant 2, branch target injection
CVE-2017-5754: Known as Variant 3, rogue data cache load
Mitigations
All chip manufacturers will be releasing a patches soon (no idea what they have been waiting for since June!) or Intel products they expect a 5% to 30% reduction in performance!
Summary
Meltdown
This is the big bug reported on Tuesday. It can be exploited by normal programs to read the contents of private kernel memory. It affects potentially all out-of-order execution Intel processors since 1995, except Itanium and pre-2013 Atoms. It definitely affects out-of-order x86-64 Intel CPUs since 2011. There are workaround patches to kill off this vulnerability available now for Windows, and for Linux. Apple’s macOS has been patched since version 10.13.2. Installing and enabling the latest updates for your OS should bring in the fixes. You should go for it. If you’re a Windows Insider user, you’re likely already patched. Windows Server admins must enable the kernel-user space splitting feature once it is installed; it’s not on by default. Amazon has updated its AWS Linux guest kernels to protect customers against Meltdown. Google recommends its cloud users apply necessary patches and reboot their virtual machines. Microsoft is deploying fixes to Azure. If you’re using a public cloud provider, check them out for security updates. The workarounds move the operating system kernel into a separate virtual memory space. On Linux, this is known as Kernel Page Table Isolation, or KPTI, and it can be enabled or disabled during boot up. You may experience a performance hit, depending on your processor model and the type of software you are running. If you are a casual desktop user or gamer, you shouldn’t notice. If you are hitting storage, slamming the network, or just making a lot of rapid-fire kernel system calls, you will notice a slowdown. Your mileage may vary. It also affects Arm Cortex-A75 cores, which aren’t available yet. Qualcomm’s upcoming Snapdragon 845 is an example part that uses the A75. There are Linux kernel KPTI patches available to mitigate this. The performance hit isn’t known, but expected to be minimal. Additionally, Cortex-A15, Cortex-A57 and Cortex-A72 cores suffer from a variant of Meltdown: protected system registers can be accessed, rather than kernel memory, by user processes. Arm has a detailed white paper and product table, here, describing all its vulnerable cores, the risks, and mitigations. Meltdown does not affect any AMD processors. Googlers confirmed an Intel Haswell Xeon CPU would allow a normal user program to read kernel memory. It was discovered and reported by three independent teams: Jann Horn (Google Project Zero); Werner Haas, Thomas Prescher (Cyberus Technology); and Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology).
Spectre (Actually two bugs)
Spectre allows, among other things, user-mode applications to extract information from other processes running on the same system. Alternatively, it can be used by code to extract information from its own process. Imagine malicious JavaScript in a webpage churning away using Spectre bugs to extract login cookies for other sites from the browser’s memory. It is a very messy vulnerability that is hard to patch, but is also tricky to exploit. It’s hard to patch because just installing the aforementioned KPTI features is pointless on most platforms – you must recompile your software with countermeasures to avoid it being attacked by other programs, or wait for a chipset microcode upgrade. There are no solid Spectre fixes available yet for Intel and AMD parts. In terms of Intel, Googlers have found that Haswell Xeon CPUs allow user processes to access arbitrary memory; the proof-of-concept worked just within one process, though. More importantly, the Haswell Xeon also allowed a user-mode program to read kernel memory within a 4GB range on a standard Linux install. This is where it gets really icky. It is possible for an administrative user within a guest virtual machine on KVM to read the host server’s kernel memory in certain conditions.
According to Google:
“When running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian’s distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second, with room for optimization. Before the attack can be performed, some initialization has to be performed that takes roughly between 10 and 30 minutes for a machine with 64GiB of RAM; the needed time should scale roughly linearly with the amount of host RAM.” AMD insists its processors are practically immune to Variant 2 Spectre attacks. As for Variant 1, you’ll have to wait for microcode updates or recompile your software with forthcoming countermeasures described in the technical paper on the Spectre website. The researchers say AMD’s Ryzen family is affected by Spectre. Googlers have confirmed AMD FX and AMD Pro cores can allow arbitrary data to be obtained by a user process; the proof-of-concept worked just within one process, though. An AMD Pro running Linux in a non-default configuration – the BPF JIT is enabled – also lets a normal user process read from 4GB of kernel virtual memory. For Arm, Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75 cores are affected by Spectre. Bear in mind Cortex-R series cores are for very specific and tightly controlled embedded environments, and are super unlikely to run untrusted code. To patch for Arm, apply the aforementioned KPTI fixes to your kernel, and/or recompile your code with new defenses described in the above-linked white paper. Googlers were able to test that an Arm Cortex-A57 was able to be exploited to read arbitrary data from memory via cache sniffing; the proof-of-concept worked just within one process, though. Google is confident ARM-powered Android devices running the latest security updates are protected due to measures to thwart exploitation attempts – specifically, access to high-precision timers needed in attacks is restricted. Further security patches, mitigations and updates for Google’s products– including Chrome and ChromeOS – are listed here. Discovered and reported by these separate teams: Jann Horn (Google Project Zero); and Paul Kocher in collaboration with, in alphabetical order, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61).
