Meltdown, Spectre patches: where to start and what to expect
Now that we have all exhausted ourselves running around screaming that the sky is falling over the Meltdown and Spectre vulnerabilities, we have still got jobs to do: enterprises to secure, management to placate, shareholders to handhold, and corporate security governance to, er, govern.
The sky is falling, to be fair, but only a little bit. The Meltdown and Spectre speculative execution security vulnerabilities affect pretty much every piece of silicon in your enterprise, with the possible exception of very old or low-end devices that offer only in-order execution on chip. (Raspberry Pi, anyone?)
You cannot patch the silicon, either. Even the KAISER/KPTI kernel patches (for Meltdown) and Google’s proposed retpoline mitigation (for Spectre) don’t alter the underlying silicon. US CERT’s humourless, now-deleted advice to replace all affected chips indicates the severity of the problem.
Dealing with these extraordinary low-level vulnerabilities may seem overwhelming, but it’s important to keep things in perspective. Enterprise users are still at risk of the same old malware, ransomware and phishing attacks as before. If you’ve exercised the meticulous due diligence a sound security posture demands, then you need only tweak a few sliders to accommodate this new threat. If you haven’t staked out a sound security posture—hello, Equifaxes of the world—then now might be a really good time to start.
Because there is more to dealing with these hardware bugs than just patching.
Patch ’em if you got ’em
Workstations, laptops, in-house servers, smart phones, tablets—they are all affected. The good news is, if these devices are running a supported operating system, patches to mitigate these issues have already been deployed with further tweaks to come in the future. Devices running iOS, MacOS, recent versions of Windows, and Google Pixel/Nexus Android devices can be secured with little fuss. That is the good news.
The bad news is twofold. Older, unsupported operating systems (looking at you, XP) will not be getting patches, nor will most mobile devices more than a few years old. Android users not on a Google-manufactured device are basically hosed.
Worse, Spectre can be exploited remotely via web browser. Something as trivial as malvertising can attack an employee’s browser to steal session cookies or other credentials, and lead to greater network exploitation.
Browser vendors have already shipped, or soon will ship, security patches to mitigate the Spectre vulnerabilities. Install them. In addition, Chrome has also published a novel mitigation called Site Isolation, which further sandboxes individual sites within the browser.
Network monitoring helps
Few enterprises are agile enough to test and deploy out-of-cycle security patches from one day to the next, and many companies continue to rely on legacy devices that may no longer be supported, or for whatever reason are simply unpatchable.
That is where network monitoring comes into play. “Outside of having a strong vulnerability and patch management program, you can mitigate the risk through stringent monitoring and detective controls,” James Carder, CISO of LogRhythm, says.
The sky is falling, but only a little bit, and a good umbrella will help.
Hypervisor escape considered harmful
Some more good news, of a sort. The Meltdown vulnerability poses the greatest threat to cloud infrastructure, because it makes possible hypervisor escape. An attacker with a trial AWS account could, in theory, escape the guest virtual machine (VM) and harvest credentials, among other sensitive data, across the cloud instance.
That is as bad as you think it is. However, all the major cloud vendors have patched, which means while you may experience a small performance slowdown (more on that later), your outsourced cloud infrastructure is secure from this bug—at least for now.
What about your private and hybrid clouds? Prioritise patching your hypervisors, especially in shared tenant situations where the other guests might be untrustworthy.
What about that performance hit?
Early media reports speculated at a performance hit as high as 30%, and while some edge cases may experience a slowdown that extreme, according to benchmarks by Phoronix, most users will see a performance hit that’s much lower, in the 5 to 10% range.
If you are doing a cost/benefit analysis on whether to patch or not based on the performance hit, you should probably just patch. Our sources suggested the edge cases where it might make sense not to patch are few and far between.
“Consider what data would be potentially exposed by not patching,” Kenna Security CTO Ed Bellis says. “If you have, for example, a workload with a lot of context switching that may heavily impact performance, consider whether or not the data is completely public or not. If there’s any reason to believe making this data public would have adverse affects on these machines,” he says, “then ultimately you’ll need to patch.”
You will also need to be prepared to defend against new ways to exploit the speculative execution vulnerabilities—perhaps even new classes of hardware bugs in the future.
More hardware security flaws
Side channel attacks on hardware are not new. Hardware security researchers, in academia, industry and, presumably, at secret three-letter agencies, have known about such attacks for a decade and more. The widespread public attention the Meltdown and Spectre vulnerabilities are getting will only push more researchers to look for ways to exploit logic flaws in silicon. So why now? What is different?
“Software is actually improving,” former Intel engineer and hardware security trainer Joe Fitz says. “It is a lot harder to spot a software vulnerability today than it was ten years ago, and even harder to exploit those software vulnerabilities.”
As a result, he explains, this drives security researchers down the stack. “Interest is moving down to the hardware, which is, in some regards, an easier target.”
The difference in malleability between hardware and software, however, means that we are going to be living with fundamentally broken silicon for a long time to come. Software can be patched and deployed comparatively easily, but no matter how trivial enterprise patching might be, the impossibility of following US CERT’s advice means our world, our lives, and our businesses are going to have to rely on broken silicon for many years to come.
Designing, manufacturing and shipping a fix to existing chipsets will take years, Fitz says. Experts have publicly suggested 2020 as the earliest ship date for silicon free of these particular vulnerabilities to hit the market. To design a new CPU?
“You’re talking a decade,” Fitz says.
Hardware attacks float like a butterfly and sting like a bee, while the chipmakers are still sluggishly pulling on their gloves. That is not likely to change anytime soon. “We have not seen the end of this type of bug,” Fitz says.
IDG News Service