5 January 2018 | 0
Well, what an absolute mess with which to start the year.
The industry started back to work after the festive season only to find that the largest processor maker has a serious flaw in its chips that affects most of what it has made for the last decade.
If you have been under a rock for the last few days, here is a quick recap.
An unexpected flaw has appeared in Intel’s microprocessor architecture that can allow speculative execution of commands to be exploited to allow what was thought to be secure memory, to be accessed and read.
The flaws, now being dubbed Meltdown and Spectre come in three variants that can be exploited to extract, although at very low volumes, data from what was thought to have been secluded memory spaces, meaning that kernel memory might be readable by user applications.
The extent of the hardware affected has led to one extreme, though logically sound, piece of advice from the US-CERT: “replace the CPU”. This of course begs a refrain from that old song: “With what, dear Liza, with what?”
And that is an interesting point.
While the Google Project Zero team that discovered this flaw initially stated that AMD chips were susceptible, it has now emerged that this may not be the full story.
Project Zero said:
“So far, there are three known variants of the issue:
- Variant 1: bounds check bypass (CVE-2017-5753)
- Variant 2: branch target injection (CVE-2017-5715)
- Variant 3: rogue data cache load (CVE-2017-5754)”
Breaking down as:
- Spectre (variants 1 and 2)
- Meltdown (variant 3)
In story from IDG, Andy Patrizio of Network World, writes:
“AMD has minimal if any exposure and said so, despite Intel saying it is at risk. Even though AMD came up with 64-bit extensions, which Intel licenses, the two firms implemented their 64-bit architectures in completely different ways.
The difference is AMD’s chips do not do speculative loads if there is the potential for memory access violations. They do not load data beyond the branch point, so no predicting is done. Intel does the exact opposite. It is more aggressive in its use of branch prediction and it bit them.”
Indeed, AMD’s own official statement says:
- Variant One: Bounds Check Bypass
Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.
- Variant Two: Branch Target Injection
Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
- Variant Three: Rogue Data Cache Load
Zero AMD vulnerability due to AMD architecture differences.
Now ARM is not so lucky, it would appear, but still, the above is not good news for Intel.
However, most operating system and application vendors concerned have already issued patches, many of which are being applied automatically.
But a major implication seems to be for highly virtualised and multi-tenant environments. That is most enterprises.
IBM’s Security X-Force blog on the subject says:
“This vulnerability is considered an important flaw for complex infrastructures and cloud deployments and must be addressed to prevent potential future impact.
“Since this flaw impacts all modern microprocessors, it can affect any device that uses them, including multiple operating systems running on mobile devices, laptops, workstations and servers.
“It is important to note that to exploit this vulnerability, a malicious actor would need to execute untrusted code on the physical system or on a virtual machine linked to that system. This may include running content from webpages loaded in web browsers or accessed through mobile apps.”
Paul Ducklin, senior technologist at Sophos, to whom TechPro has spoken in recent times, said via the Naked Security blog:
“Patches are coming soon, at least for Linux and Windows, to deliver KAISER: Kernel Address Isolation to have Side-channels Efficiently Removed, or KPTI, to give its politically correct name.
“Now you have an idea where the name KAISER came from: the patch keeps kernel and userland memory more carefully apart so that side-effects from speculative execution tricks can no longer be measured.
“This security fix is especially relevant for multi-user computers, such as servers running several virtual machines, where individual users or guest operating systems could use this trick to “reach out” to other parts of the system, such as the host operating system, or other guests on the same physical server.
“However, because CPU caching is there to boost performance, anything that reduces the effectiveness of caching is likely to reduce performance, and that is the way of the world.
“Sometimes, the price of security progress is a modicum of inconvenience, in much the same the way that 2FA is more hassle than a plain login, and HTTPS is computationally more expensive than vanilla HTTP.”
In Ducklin’s opinion, organisations will have to “take one for the team” in terms of performance hit in these kinds of enterprise environments.
Ducklin goes a little further though, particularly on the subject of appliances:
“So far as we know at the moment, the risk of this flaw seems comparatively modest on dedicated servers such as appliances, and on personal devices such as laptops: to exploit it would require an attacker to run code on your computer in the first place, so you’d already be compromised.
“On shared computers such as multiuser build servers or hosting services that run several different customers’ virtual machines on the same physical hardware, the risks are much greater: the host kernel is there to keep different users apart, not merely to keep different programs run by one user apart.
“So, a flaw such as this might help an untrustworthy user to snoop on other who are logged in at the same time, or to influence other virtual machines hosted on the same server.”
Again, this all sounds appalling for anyone in a public cloud environment.
Nicole Perlroth who covers cybersecurity for the New York Times, via Twitter, said:
“The most visceral attack scenario is an attacker who rents 5 minutes of time from an Amazon/Google/Microsoft cloud server and steals data from other customers renting space on that same Amazon/Google/Microsoft cloud server, then marches onto another cloud server to repeat the attack, stealing untold volumes of data (SSL keys, passwords, logins, files etc) in the process.
“Basically, the motherlode. Meltdown can be exploited by any script kiddie with attack code. Spectre is harder to exploit, but nearly impossible to fix, short of shipping out new processors/hardware. The economic implications are not clear, but these are serious threats and Chipmakers like Intel will have to do a full recall— unclear if there’s even manufacturing capacity for this— OR customers will have to wait for secure processors to reach the market, and do their own risk analysis as to whether they need to swap out all affected hardware.”
Now all of this is utterly panic inducing, but the combination of the fact that the extraction rates appear to be very low, with one infosec pro estimating it to be in the region of about 100MB per day, that it would be difficult to get the crown jewels out in such an exploit. However, someone could get lucky and find critical credentials that allowed access to further resources within such a haul.
Another consideration, though, is that to get as far as implementing one of these exploits requires running malicious code directly on a server, even if that is after breaking through various layers of security and segmentation. As one sardonic commentator said, if you are impacted by one of these exploits then you’ve a lot more to worry about than a flaw in a processor.
What to do
In terms of what to do, the advice is disappointingly familiar — take the usual precautions and patch as advised by your vendors. Few will be in a position to take the US-CERT advice and simply replace, but cooler heads are now prevailing as more is known and understood.
Firstly, our own Brian Honan offers some very good advice and a round-up here, but this is just any number of recourse, with others referenced above, that all follow the same rough outline.
Read the material, understand the issue. Then examine your own estate and know your exposure. Patch what you can immediately, make a plan of action for how tackle the rest and proceed on a risk-based priority.
And don’t feel bad if the top of your head gets hot reading all of this.
A chap called Joe Fitz on the Twitter machine said he worked for Intel, and …
I have 2 degrees in computer HW. I worked @ Intel on the product security team. I was already familiar w/ #spectre & #meltdown background research. But I still had to re-read the new disclosures multiple times to fully understand it. Don't feel bad if it doesn't make sense yet.
— Joe Fitz (@securelyfitz) January 4, 2018
So there we go. Don’t beat yourself up too much.