As many of you have probably heard, 2018 is off to a tumultuous start for cybersecurity with the vulnerabilities codenamed Spectre and Meltdown. These vulnerabilities exploit a fundamental design feature of modern CPU architecture which allows any process to access memory it isn’t supposed to have access to, including the memory of other processes and of the kernel. This affects almost all CPU chipsets on the market today (at the very least, every Intel CPU released since 1995).
What is vulnerable: It is important to realize that this is a hardware architecture vulnerability, and it affects most if not all of our systems, including workstations, servers, IoT devices, ARM devices, phones and tablets. Leveraging these vulnerabilities, attackers could gain access to anything stored in memory or even run executable code.
What hackers can gain: The highest risk appears to be attackers using these flaws to exfiltrate information from systems. The attacks could be used to grab passwords and account information that reside in memory. Anything in memory is a potential target, including cached passwords in the browser or in password management tools. (Note that this would be part of a multi-faceted attack involving brute-force offline attacks, but the point is that it is very feasible to do.)
Meltdown (Variant 3: rogue data cache load, CVE-2017-5754) is extremely easy to exploit, and the industry is scrambling to patch it. Apple has already patched the vulnerability in the December macOS update (10.13.2), ARM has submitted patches to protect its own designs, the Linux kernel has also been patched, and Microsoft has released an emergency Windows update. AMD claims that it is not vulnerable to Meltdown due to architectural differences.
Spectre (Variant 1: bounds check bypass, CVE-2017-5753; Variant 2: branch target injection, CVE-2017-5715) seems to be a much tougher issue to deal with, and we may not see a patch in the near future. Many security experts argue that for Intel, patching it will require an entire rework of the processor architecture. This means that if and when a fix comes, that fix will be ‘buy a new CPU that isn’t impacted by Spectre.’ That said, there will likely be workaround patches that try to make it harder to exploit. Fortunately, unlike Meltdown, Spectre is more difficult to exploit, as it requires a high degree of in-depth, processor-specific knowledge.
What can be done:
Because of the breadth of systems affected, we strongly urge you to contact your suppliers, make sure that they are aware of this situation, and ask them for their plans to address these two reported vulnerabilities. Awareness will be our greatest ally. Until patches and updated CPUs are released, the best way you can protect yourself is to follow some key best practices. Here’s what we recommend:
- Verify proper architectural cyber segmentation: separate the critical network from all other networks, lock down website access, and limit internet access to or from those trusted networks as much as possible. This is where good cyber security architecture protects us.
- Clear any stored passwords from browsers. If you allow your browser to keep passwords, it is a good idea to stop doing that for now.
- Make sure you don’t reuse passwords! Accounts that have privileged access to important equipment should never share passwords with anything else.
- Do not visit sites you do not already trust from workstations. Usually a good idea, but again, very important until patches are released.
- Limit JavaScript to trusted (operationally required!) sites only. If it is necessary to browse the web from workstations, install a plugin which blocks scripting from untrusted websites. Chrome and Firefox have plugins that let you do this:
  - Firefox: NoScript
  - Chrome: ScriptSafe
  - Other browsers: disabling JavaScript is more complex; consult the appropriate vendor documentation for locking these down.
- Apply patches as soon as they are released. This is not one to wait on.
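As an added example that is not part of SecuLore’s advisory, the POSIX shell script below checks whether a Linux host’s kernel reports mitigations for the three CVEs above, which is the quickest way to confirm that a released patch has actually taken effect. It assumes a kernel new enough to expose /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 and later); the script name spec_check.sh is an assumption used only to decide when to run the live check.

```shell
#!/bin/sh
# Added example (not SecuLore's code): report whether the running Linux kernel
# says it is mitigated against Meltdown (CVE-2017-5754), Spectre v1 (CVE-2017-5753)
# and Spectre v2 (CVE-2017-5715). Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ (added in Linux 4.15); older kernels
# have no such directory and their patch status must be confirmed with the vendor.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE: map one sysfs status line to ok | vulnerable | unknown.
# The kernel's wording is "Not affected", "Mitigation: <name>" or "Vulnerable[: detail]".
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) printf 'ok\n' ;;
        "Vulnerable"*)                  printf 'vulnerable\n' ;;
        *)                              printf 'unknown\n' ;;
    esac
}

# check_dir DIR: print one line per vulnerability file found under DIR.
# Exit status: 0 = all mitigated, 1 = at least one "Vulnerable", 2 = DIR missing.
check_dir() {
    dir=$1
    found_vuln=0
    if [ ! -d "$dir" ]; then
        echo "$dir not present: kernel predates mitigation reporting; status unknown" >&2
        return 2
    fi
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$v" ]; then
            status=$(cat "$dir/$v")
        else
            status="(file missing)"
        fi
        verdict=$(classify_status "$status")
        printf '%-10s %-10s %s\n' "$v" "$verdict" "$status"
        [ "$verdict" = vulnerable ] && found_vuln=1
    done
    return $found_vuln
}

# Run against the live system only when executed as spec_check.sh (an assumed
# name), so the functions can also be sourced from other tooling.
case "$0" in
    *spec_check.sh) check_dir "$VULN_DIR" ;;
esac
```

A non-zero exit status is the signal to act on: 1 means the kernel itself says a mitigation is missing, and 2 means the kernel is too old to report at all, which in practice means it predates the patches. Read the third column as well as the verdict, since the kernel distinguishes partial mitigations (for example a "Vulnerable: Minimal ..." line) from full ones.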
Be alert and stay safe!
The SecuLore Support Team
Cyber-Protecting Our Nation’s Critical Infrastructure
At SecuLore, our mission is to cyber-protect our nation’s critical infrastructure. Led by experts in 9-1-1 technology, cyberwarfare, and ethical hacking, our team provides the technology, expertise, and training needed to defend customers from increasingly sophisticated cyber threats.