SPECTRE and Meltdown To patch or not to patch?..and HOW (Guest Diary)
Last Updated: 2018-03-15 03:58:05 UTC
by Johannes Ullrich (Version: 1)
This is a guest diary by Joshua Barton
A New Old Threat
The revelation in January 2018 of a vulnerability affecting modern processors was seen as a catastrophe. In some regards, perhaps it was. Aspects of SPECTRE and Meltdown touched processors from Intel, AMD, and ARM going back for two decades. Intel, however, was affected by all aspects of the issue and seemingly touches a proportionally larger group of Enterprise computers and servers. Given that the flaw has existed for over 20 years, it can be assumed that it has been used by sophisticated threat actors for quite some time.
A more thorough description of the issue with white papers and video of the exploit in action can be found at this site: https://meltdownattack.com/.
The CVSS scoring for the SPECTRE/Meltdown vulnerabilities is 5.6 on the CVSS v3.0 scoring methodology.(1) A 5.6 is considered a medium level issue. While it warrants attention, it’s not a time to drop everything and run for the hills. At the time of release, there were multiple other vulnerabilities with higher CVSS scores. Despite the score of 5.6, US-CERT issued a formal alert on 1/4/18 and strongly recommends deploying updated microcode as soon it’s available and tested. (2)
This is not the first processor flaw discovered. Intel released advisories and firmware updates twice in just 2017 for vulnerabilities in the embedded Management Engine technology. Roughly 30 years ago, Intel had to recall a number of x86 processors due to a multiplication error. Companies such as HP, Dell, Lenovo, Acer, and Toshiba take the firmware and place it into a BIOS update, management engine update, or another chipset update that is specific to their hardware. Typically several such updates are released per year. More later on what is in all these updates.
Sometimes things are just HARD!
Despite having six months to work the problem, Intel was forced to release their firmware updates a week ahead of a planned coordinated global announcement.(3) The vulnerability had been discovered by a second group and released publically to the media, forcing the hand of the chip giant. The first set of firmware updates that were released were seriously flawed. Many were caught off-guard. Several OEM’s were not looped into the embargo, governments were not made aware (including the US Government, where Intel resides.) Microsoft incorporated a partial firmware update into the Windows operating system and Linux incorporated it into a Kernel update. Microsoft placed a complex test in place due to incompatibilities with nearly every antivirus package on the market.
Numerous warnings of performance issues were being given by the various manufacturers. Depending on the workload, a slowdown of 1-30% was possible.(4) Such a slowdown could be very expensive for businesses and cloud providers that run large virtualization farms. A few days after the massive rollout began, serious problems were being encountered. Computer system crashes were becoming quite common. A week later Intel started broadcasting to not install its update…resulting in OEMs reversing the update and issuing new BIOS updates that used the previous microcode. Microsoft pushed an out-of-cycle update to disable the new microcode in Windows and Linux removed the microcode completely.
Intel released a statement that they had determined the source of the crashing and began work on a new set of microcode updates for its chips. Starting with the more modern chips and working backward, new updates began appearing in February. OEM’s incorporated the changes and began releasing updates roughly a week after Intel. As of this writing, roughly 30% of the Intel-based platforms have an update available for them with more streaming out daily. There have been no reports of crashing this go around; however, adoption is likely slower than previously as the crashing issue will have a delirious effect on the speed at which large corporations roll these updates out.
What’s in a BIOS or Firmware Update?
BIOS and firmware updates more than half of the time contain a fix for a security relevant issue. Other fixes range from blank screens, performance, power consumption, fan speeds, etc. A common model for both HP and Dell were reviewed. This focuses strictly on Firmware/BIOS and ignores the hundreds of driver updates that likely also have security implications.
Taking a look at the updates released for the HP ProBook 650 G1 for the last 2 years(5):
There have been 15 BIOS updates released for this model.
BIOS 1.43A – Intel SPECTRE Microcode fix version 2
BIOS 1.42A – Restored previous Microcode from 1.40A
BIOS 1.41A – REMOVED Included the Microcode for SPECTRE
BIOS 1.40A – UEFI Security Update (UEFI is used to ensure a secure boot process and prevent rootkits)
Intel Management Engine Firmware Component 22.214.171.12402A – Unauthenticated system takeover over WIFI
BIOS 1.39A -- UEFI Security Update (UEFI is used to ensure a secure boot process and prevent rootkits)
Intel Management Engine Firmware Component 126.96.36.19924A – Unauthenticated system takeover
BIOS 1.36A -- UEFI Security Update (UEFI is used to ensure a secure boot process and prevent rootkits)
Taking a look at the updates released for the Dell Precision 7510 (a common business laptop) (6)
There have been 18 BIOS updates released for this model.
BIOS 1.15.4 – Intel Management Engine Firmware, unauthenticated system takeover, SPECTRE, UEFI
BIOS 1.14.4 – Trusted Platform module fix(encryption keys), Intel ACM update (unauthenticated system takeover), Various bugs
BIOS 1.13.5 – Bootguard bypass issue, System hangs, crashing
BIOS 1.12.4 – Intel Management Engine Firmware – unauthenticated system takeover, TPM flaw preventing bitlocker
TPM 1.2 188.8.131.52 – Encryption Key compromise
BIOS 1.10.7 – No security content
BIOS 1.9.5 – Windows 10 security causes reboot issues, Intel Management Engine
BIOS 1.8.3 – No security content
BIOS 1.7.3 – No security content
BIOS 1.6.6 – No security Content
BIOS 1.5.4 -- No security Content
BIOS 1.4.14 – Intel CPU Microcode update
BIOS 1.3.12 -- No security Content
BIOS 1.3.10 – Intel CPU Microcode update, Intel Management Engine Firmware
How to update
For an individual consumer, updating is obviously done on a one-at-a-time basis. Most OEMs bundle an updating program that compares the device’s model or serial number to an online database that directs it as to what updates are valid. It then assists with the download and installation of the updates, including the firmware. No need to call the computer guy.
For businesses, it’s a little trickier. Business models frequently come with enterprise features such as AMT or VPRO turned on. Generally, you would never want to automatically update a server as you want complete control over what installs and when. Some updates are not as critical as others and the risk of downtime outweighs a risk of compromise. As we have seen with the recent SPECTRE and Meltdown flaws blindly installing updates can result in significant performance and stability issues.(7) Business may also have many thousands of endpoints which also need updating. Allowing each device to phone home and self-update is generally not practical for three reasons: the bandwidth consumption of that many devices phoning-home at the same time would be catastrophic, any sort of phone home is considered a risk for many businesses, and business, in general, have not divested control of what update gets installed vs skipped to the OEMs. The trend has started to pull control away from businesses with Microsoft’s Windows 10 support model only offering cumulative updates (negating the ability to skip an update)
The automatic updating utilities for computers are targeted towards personal use, not shipping with business models, and in most cases not supported on those models. Of course, there is the tried and true direct installation, one at a time, in person, on the machine. However, Firmware and BIOS updates from the OEMs accept command-line based arguments to do everything from making them silent, delay the reboot, force an install, run an inventory, or log the activity so that updates can be pushed via various methods such as login scripts or your favorite software deployment tool. Additionally the major vendors have released administration toolkits specifically for businesses to update and manage firmware and BIOS in their environments.
HP, for example, has released two centralized management methods.(8)(9)
The HP BIOS configuration utility has been around for a number of years and allowed you to create a “golden” BIOS configuration include the BIOS password and system ownership along with deploying of the BIOS update. (10)
Since 2013, HP has also published a utility called the Client Integration kit. The client integration kit integrates with an SMS/SCCM server to deploy BIOS “golden” config files, firmware, and driver updates. It can be configured to operate automatically or with manual intervention.
In Mid 2017, HP renamed the utility to the Management Integration Kit and continued to add features, and in early 2018 released version 2.0 of the SCCM add-on. In the later version, you can not only push updates but also adjust individual settings in BIOS and update the TPM chips.
For its part, Dell released the Client configuration Toolkit from 2003 through 2013.(11) Starting in 2014, the toolkit was renamed to the Dell Command and Configure (DCC). While updates can be delivered using SCCM, Dell has opted to maintain its own management console for DCC. (12)
Both HP and Dell have published a catalog for WSUS/SCCM of all drivers and firmware based on the model. After implementing the System Center Updates Publisher (SCUP), catalogs for these vendors will appear alongside any Microsoft updates. It’s just a matter of selecting them for detection and deployment; packaging is not required.(13)
Is it safe to update BIOS and firmware “over the wire”?
Generally speaking, it is safe to remotely deploy BIOS and firmware updates. The OEMs have gone through the efforts to streamline the process and make tools available to do just that. It’s actually in the OEM’s best interest to make this as safe as possible. Botched BIOS or firmware updates could render a machine dead and subject to a warranty claim. In most cases, modern computers contain two copied of the BIOS. This is in place in case one copy gets corrupted (such as a power failure during updating). The computer can still boot off the untouched version and you can restart the update process. Most failures that occur these days is from forcing an incorrect firmware or an actual hardware fault.
Asking the question a different way, is it SAFE to ignore a security update such as the Firmware for SPECTRE and Meltdown? The adage, “If it ain’t broke, don’t fix it” does not really apply to a security vulnerability means it actually IS broken…just not from the end user standpoint.
Processor flaws are not unique. Intel has had a long history of flaws and subsequent updates required to mitigate. Over the past year, Intel has had to come to terms with three separate disclosures about security flaws in its processors that could lead to a remote system takeover or the divulging of sensitive information. While Intel has had the worst of the press on the issue, all processors are subject to these kinds of flaws.
SPECTRE/Meltdown are fairly serious vulnerabilities that when exploited can’t be detected and do not leave a trace. It is speculated that they have been utilized by advanced hacking groups such as nation/state for years without detection. Now that fixes are out along with detailed whitepapers it is a foregone conclusion that this attack vector is being leveraged. OEMs, Microsoft, Intel, and the US Government are all strongly encouraging installation of the firmware fixes and settings required to close the vulnerability.
Tools exist from the major vendors to aid in the deployment of BIOS and firmware updates along with regular driver updates, the majority of which are released due to a security or performance flaw.
Given the overwhelming coverage of these vulnerabilities, urging from multiple credible sources, and the total lack of ability to determine if an attack against SPECTRE/Meltdown is underway or has occurred it is the position of the author that deployment of BIOS, Firmware, Operating System, and Driver updates that address these specific security flaws should be deployed in a fairly urgent manner. Other updates beyond SPECTRE/Meltdown should be reviewed and a determination based on risk made. Tools that facilitate deployment to large numbers of devices are freely available from the OEMs and should be made available to support the cybersecurity mission.
- NIST National Vulnerability Database; https://nvd.nist.gov/vuln/detail/CVE-2017-5754
- United States Computer Emergency Response Readiness Team https://www.us-cert.gov/ncas/alerts/TA18-004A
- The Verge; Keeping SPECTRE Secret, Jan 11, 2018; https://www.theverge.com/2018/1/11/16878670/meltdown-spectre-disclosure-embargo-google-microsoft-linux
- Tech Crunch; Kernel panic! What are Meltdown and Spectre, the bugs affecting nearly every computer and device? Jan 3, 2018; https://techcrunch.com/2018/01/03/kernel-panic-what-are-meltdown-and-spectre-the-bugs-affecting-nearly-every-computer-and-device/
- HP Probook 650-G1 Support Page; https://support.hp.com/us-en/drivers/selfservice/hp-probook-650-g1-notebook-pc/5405400
- Dell Precision 7510 Support Page; http://www.dell.com/support/home/us/en/19/drivers/driversdetails?driverId=P5JC8