
SANS ISC: Spectre and Meltdown: What You Need to Know Right Now - SANS Internet Storm Center


Spectre and Meltdown: What You Need to Know Right Now

By now, you've heard about the processor vulnerabilities affecting almost every processor in common use today; those vulnerabilities are called Meltdown and Spectre. The only common platform that seems unaffected as of the current moment is iPhone/iPad (removed per recent advisory). This bug is probably worth its name and logo, considering the pervasive nature of the vulnerability. At its core, both involve kernel issues that can leak running memory outside the current process, which can compromise system confidentiality (think encryption keys, passwords, PII/NPI in memory, etc.). Contrary to some initial reporting, this is NOT just an Intel bug; it affects AMD and ARM processors as well. These could even be used in cloud / virtualized environments to leak memory outside the running virtual machine. It involves a flaw in "speculative execution", common in these processors, where, under the right conditions, code can trick the processor into leaking data belonging to other applications.

Below are advisories from most of the relevant companies. The patches should be considered preliminary: they protect against the most obvious paths to this vulnerability, but further patches are likely planned both to deal with the potentially significant performance hits of these patches and to provide better mitigation coverage. Spectre, in particular, will require follow-on patching. Due to the nature of these patches, reboots will be required. So in the short term, patch and reboot everything.

Vendor: Link
Intel: Security Advisory / Newsroom
Microsoft: Security Guidance
Amazon: Security Bulletin
ARM: Security Update
Google: Project Zero Blog
MITRE: CVE-2017-5715 / CVE-2017-5753 / CVE-2017-5754
Red Hat: Vulnerability Response
SUSE: Vulnerability Response
CERT: Vulnerability Note
VMware: Vulnerability Advisory
Apple: Security Advisory

The good news is that patches are out for almost everything (Microsoft has moved its monthly patching up a week, to today; more on that in a different post). The bad news is that Spectre, in particular, can't be completely mitigated by patching, as it appears to require a hardware fix. The good news is that Spectre is harder to exploit.

Firefox's initial testing has shown it is possible to trigger these flaws remotely via web content, so devices that browse the web or execute external content are particularly vulnerable (malware sandboxes, which by design run unpatched operating systems, are of particular concern to me here). Otherwise, an attacker has to find some way to execute code on the victim machine. The bad news is that the fixes can slow down your devices, with some initial (disputed) reporting of up to a 30% performance hit to the CPU.

IoT devices are, again, a particular weakness. They run these same processors, but as we know, most consumers never use whatever limited interface exists to update the devices even when it is necessary, and in this case more than one update cycle may be required. The best mitigation may be to put these devices in the snow in the street in front of your house and let the plows take care of them. For most IoT devices, getting code that exploits these flaws running on the device will be non-intuitive, but that will vary by device. My biggest concern is that someone uses this vulnerability in a controlled environment to find flaws in specific IoT devices (or even default passwords) to create the next Mirai.

So while the advice is "patch now", the problem we will be grappling with is the performance hits (this will be brutal for cloud vendors, especially if it's on the scale of 30%) and the follow-on disruptive patching this will require in the coming months.

No known exploitation of this is occurring in the wild, but that will change in the next few days. This diary will be updated as the situation warrants.

UPDATE 1536 UTC (Bambenek) - Microsoft is actually filtering out systems that have not certified compatibility with the updates: if you are running an anti-virus / endpoint product that Microsoft has not listed as "safe", you will not get the update. This is designed to prevent BSOD issues. Working on trying to find a good listing of which products are "safe" or not.

UPDATE 1625 UTC (Bambenek) - Microsoft is only releasing the update for these vulnerabilities early, and then only for a subset of Windows operating systems.

UPDATE 2017-01-05 1700 UTC (Bambenek) - Added Apple advisory, iPhone/iPad devices are affected via Safari/web-browsers.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Fidelis Cybersecurity

John (248 Posts, ISC Handler)
IoT devices go on a dedicated VLAN in my home network, and don't get permission to talk to strangers.

The IP cameras I use can't even talk to the Internet, they can only respond to RSTP requests to my NVR.

None of them are permitted on my internal network, even if I allow them full access out.
JasonTracy (4 Posts)
Let the plows take care of them LOL. Best line of the day.
Alan (57 Posts)
Can you update this to include VMware?

https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html
0x2A (2 Posts)
[removed - no longer relevant]
Anonymous
Microsoft is apparently only releasing this update early (not everything for the January window), and only for Windows 10/Windows Server 2016.
Anonymous
I thought that "Meltdown" only affected Intel and some ARM processors, and AMD was not affected by it? Only "Spectre" was completely cross-platform? Or has that changed?
Darron Wyke (20 Posts)
See this for information on "safe" AV engines

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

The link was found in this article

https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw
rstrom (4 Posts)
The filtering that Microsoft is doing is for AV products.
@gossithedog has started compiling a list of AV status here > https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0

Also, I read this article to say that just patching servers won't be enough. You'll also need to enable the protection.
https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s
Anonymous
A great source of AV product statuses can be found here, thanks to Kevin Beaumont (@GossiTheDog):

https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?usp=sharing&sle=true
Jeremiah (1 Post)
Any word on when Microsoft will be releasing new chips with hardware fixes?
Anonymous
At least for Symantec AV, they recommend updating to ERASER Engine 117.3.0.358 (or greater); after that, the KB patch applies without problem.
If you don't, you will see "Product Error requires attention" and the SEP system tray icon will report "There are multiple problems (2)".
https://www.symantec.com/connect/forums/latest-win10-update-corrupts-sep14
Anonymous
..and just to add that this affects all Windows OS servers and SQL Servers; some patches are still not released...

Read more here:
https://answers.microsoft.com/en-us/windows/forum/windows_10-security/meltdown-and-spectre-vulnerabilities-intel-chip/ead3f25e-6c55-4359-9cd9-5be87cbe7b4f
Anonymous
Even after updating the ERASER engine, the tray icon problem still exists...

"After updating the ERASER engine to 117.3.0 and applying Microsoft Update KB4056892, the Symantec Endpoint Protection (SEP) system tray icon reports there are multiple problems. No errors are reported if the SEP client UI is opened."

https://support.symantec.com/en_US/article.TECH248552.html
K-Dee (65 Posts)
Just great.

"The best mitigation may be to put these devices in the snow in the street in front of your house and let the plows take care of them" is starting to look possible.

Anyway, at least the "Meltdown and Spectre" Vulnerability names are soooooo cool.
Anonymous
.. if you still haven't got enough, more vendors are addressing this issue:

Amazon
AMD
Android
ARM
CentOS
Chromium
Citrix
F5
Google
Huawei
IBM
Intel
Lenovo
Linux
Microsoft Azure
Microsoft Windows
NVIDIA
OpenSuSE
Red Hat
SuSE
Trend Micro
VMware
Xen

Link to Vendor Patch Information from the National Cyber Awareness System:
https://www.us-cert.gov/ncas/alerts/TA18-004A
Anonymous
McAfee released the following list of products being confirmed as compatible.
Data Loss Prevention 9.4 and later
Endpoint Security 10.2 and later
Drive Encryption 7.0 and later
Host IPS 8.0 Patch 9 and later
McAfee Agent 4.8.3 and later
McAfee Application Control 8.0 and later
McAfee Active Response 1.1 and later
McAfee Client Proxy 1.2 and later
System Information Reporter (SIR) 1.0.1
VirusScan Enterprise 8.8 Patch 9 and later
Anonymous
I found this spreadsheet that's being updated with supported anti-virus applications. Thought of sharing since this will be helpful.
https://docs.google.com/spreadsheets/d/184wcDt9I9TUNFFbsAVLpzAtckQxYiuirADzf3cL42FQ/htmlview?sle=true#gid=0
IsuruSam (1 Post)
All Mac systems and iOS devices are affected.
https://support.apple.com/en-us/HT208394
Anonymous
Am I reading the MS guidance on servers correctly? Doesn't it say that even after applying patches the server is not protected unless you also "switch it on" by setting registry keys?

in the "Recommended actions" section of article:

https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution

it says:

1. Apply the Windows operating system update

2. Make necessary configuration changes to enable protection.

3. Apply an applicable firmware update from the OEM device manufacturer.


This is very confusing. Do I need to set the keys in the registry or not??
Paul (12 Posts)
That KB confuses me as well. I think I understand that you need both the patch and the registry keys, but the "FeatureSettingsOverrideMask" is listed with a value of "3" for both enabled & disabled in the examples.. I wonder if that is a typo or factual?

-Joel
Joel B (8 Posts)
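The two comments above about KB4072698 (the note that patching a server is not enough and the protection must also be enabled, and the question about FeatureSettingsOverrideMask being 3 in both the enable and disable examples) come down to one administrative check. The script below is an added example, not code from the diary, the commenters, or Microsoft: it reads the two registry values the KB describes, reports per mitigation whether the current configuration turns it on, and writes the KB's enable values only when run with -Apply. The bit meanings, the Windows Server default of "off after the update" versus client Windows "on", and the reading that the mask only selects which bits the override governs (which is why it is 3 in both examples) are my interpretation of the KB and are marked as assumptions in the comments.

```powershell
# Added example, not from the ISC diary, its commenters, or Microsoft. Audits the registry values
# KB4072698 uses to switch the speculative-execution mitigations on, and optionally sets them.
# Run in an elevated PowerShell session; a change only takes effect after a reboot.
#
# Assumed semantics (my reading of the KB's enable/disable examples):
#   FeatureSettingsOverrideMask selects which mitigation bits the override governs:
#     bit 0 (1) -> branch target injection mitigation (Spectre variant 2, CVE-2017-5715)
#     bit 1 (2) -> kernel VA shadow / rogue data cache load mitigation (Meltdown, CVE-2017-5754)
#   A set bit in FeatureSettingsOverride DISABLES that mitigation, so Override=0/Mask=3 enables
#   both and Override=3/Mask=3 disables both. The mask is 3 in both cases because it only says
#   "these two bits are being overridden"; the override value is the actual switch.
param([switch]$Apply)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$BtiBit  = 1
$KvasBit = 2

function Get-RegistryDword([string]$Name) {
    # Returns the DWORD value, or $null when the value has never been created.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-MitigationEnabled([int]$Override, [int]$Mask, [int]$Bit, [bool]$DefaultDisabled) {
    # If the bit is masked in, the override decides; otherwise the OS default applies
    # (assumption from the KB: Windows Server ships with the mitigations off after the
    # update, client Windows with them on).
    if ($Mask -band $Bit) { return -not [bool]($Override -band $Bit) }
    return -not $DefaultDisabled
}

function Get-SpeculationMitigationState {
    $override = Get-RegistryDword 'FeatureSettingsOverride'
    $mask     = Get-RegistryDword 'FeatureSettingsOverrideMask'
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
    $o = if ($null -eq $override) { 0 } else { $override }
    $m = if ($null -eq $mask)     { 0 } else { $mask }

    [pscustomobject]@{
        ValuesPresent                   = ($null -ne $override -and $null -ne $mask)
        FeatureSettingsOverride         = $override
        FeatureSettingsOverrideMask     = $mask
        IsServerSku                     = $isServer
        BranchTargetInjectionMitigation = Test-MitigationEnabled $o $m $BtiBit $isServer
        KernelVaShadowMitigation        = Test-MitigationEnabled $o $m $KvasBit $isServer
    }
}

function Set-SpeculationMitigations {
    # Writes the KB's documented enable values (or, with -Disable, its disable values).
    param([switch]$Disable)
    $overrideValue = if ($Disable) { $BtiBit -bor $KvasBit } else { 0 }
    New-ItemProperty -Path $KeyPath -Name 'FeatureSettingsOverride' -PropertyType DWord `
        -Value $overrideValue -Force | Out-Null
    New-ItemProperty -Path $KeyPath -Name 'FeatureSettingsOverrideMask' -PropertyType DWord `
        -Value ($BtiBit -bor $KvasBit) -Force | Out-Null
    Write-Host "Registry updated (Override=$overrideValue, Mask=3). Reboot for the change to take effect."
}

# Audit first; write only when asked to and when something is still off.
$state = Get-SpeculationMitigationState
$state | Format-List

if ($Apply -and -not ($state.BranchTargetInjectionMitigation -and $state.KernelVaShadowMitigation)) {
    Set-SpeculationMitigations
}

# Microsoft's SpeculationControl module (Install-Module SpeculationControl), if installed,
# reports what the kernel actually activated, including whether the CPU microcode that the
# KB's step 3 (OEM firmware update) delivers is present for the branch target injection part.
if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    Get-SpeculationControlSettings
}
```

Two points worth keeping in mind when using it: the registry values only tell the kernel to enable the mitigations, and the branch target injection half still depends on the OEM firmware/microcode update the KB lists as step 3, so a registry audit that says "Enabled" is not the same as the mitigation being active, which is what Get-SpeculationControlSettings checks. And on client Windows the values are normally absent and the mitigations are on by default, so the script reports them enabled there without writing anything.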
