As you may have heard in the news, computer researchers have recently discovered a design flaw that results in a security vulnerability in the CPU chip that powers nearly all the world’s computers, including PCs, smartphones, and data center computers. This hardware bug allows malicious programs to steal data that is being processed in the computer memory. The name given to these vulnerabilities is ‘Meltdown’ for Intel chips or ‘Spectre’ for AMD and ARM chips. The first reports were published on January 2, 2018, prior to a coordinated disclosure scheduled for the week of January 8. There is no evidence of exploitation at this time, but the publicly disclosed proof-of-concept (PoC) exploit code could result in the vulnerabilities being weaponized for malware delivery.
Spectre and Meltdown are in a vulnerability class referred to as `speculative execution side-channel attacks.’ These attacks exploit performance optimizations used by modern CPUs to access protected memory. Basically, the main chip in most modern computers—the CPU—has a hardware bug. This design flaw has been present since the 1990’s. Normally, applications and the operating system are isolated from each other, so data is not accessible. This hardware flaw breaks that isolation, creating a significant risk of malicious actors gaining access to the encryption keys or passwords stored in a password manager, browser, emails, instant messages, donor information, and the like.
Cloud servers could be significantly impacted if an attacker exploits these vulnerabilities to break out of a guest virtual host or container. It may also be possible to deliver exploit code via drive-by download to extract information from a victim’s web browser. At this time, limited practical demonstrations of these attack vectors actually exist.
These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVEs):
- CVE-2017-5753: Bounds check bypass (SPECTRE)
- CVE-2017-5715: Branch target injection (SPECTRE)
- CVE-2017-5754: Rogue data cache load (MELTDOWN)
Intel, AMD, ARM, Microsoft, Google, Apple, Amazon, and other technology vendors are releasing software updates to mitigate the risk stemming from these vulnerabilities, but long-term solutions will require re-engineering of the vulnerable processor architectures. Third-party analysis of vendor security updates notes potential performance impact under some circumstances and workloads, as well as conflicts between the OS patches and some software that has significant interactions with the kernel (e.g., antivirus and endpoint security solutions).
What should you do about this?
Updates and patches are needed for all computers, servers, and other equipment with a CPU. There will most likely be patches for your antivirus software, your operating system software, workstation software, and firmware patches to physical machines themselves. The full patch analysis and patch cycle may take some time because some of the vulnerable component patches are not yet available. Microsoft Azure and Amazon AWS are already in the process or have already patched customer systems hosted on those respective platforms.
CTU researchers strongly advise a phased approach to updating vulnerable systems. Once the patches are available, organizations should follow standard best practices for testing updates on systems that match the production environment and should test a subset of updated systems with a representative workload before widely deploying updates in production environments. Databases or systems with high levels of I/O activity may be most significantly impacted. Organizations should also contact cloud service providers to confirm that platforms that store or process corporate data are updated, especially for shared hosting or infrastructure-as-a-service providers”
In the meantime, we recommend that organizations be extra vigilant, and communicate awareness of these vulnerabilities across your organization so that security stays at the top of mind.
If you would like to learn more about these or any other potential threats to your organization's security, feel free to leave a comment below or send our security team an email!
Why Online Business Systems?
Online’s reputation is built around the collaborative approach we take when working with our clients. We work closely with you to gain a thorough understanding of your business model, critical data flows and repositories, network architecture, and systems/applications that support the business as well as any regulatory and compliance obligations you may have. This allows us to perform a thorough assessment of your security posture and more importantly, puts us in a position to make recommendations that align with your business, your culture, your people, and your technologies. The end goal of our Security Program Management offering is to make a security program that is sustainable for your business and right sized to your company.