1/05/2018 Update: Apple announced late in the day on 1/4 that its products are vulnerable. Its most recent versions of iOS 11.2.1 and macOS 11.12.3, released before this vulnerability went public, included some fixes. Apple is still working on further updates and will release them at an unspecified time in the future.
The dawn of the new year brings with it a pair of new designer vulnerabilities, Meltdown and Spectre, which affect virtually any CPU made after Intel’s original Pentium CPU, regardless of what operating system it runs.
What is Meltdown and Spectre?
Modern CPUs use a trick called speculative execution to speed up processing. When there is a branch in program code, the CPU runs both possibilities at once, then discards the one it didn’t need. Meltdown and Spectre use different tricks to find data from those discarded results and access memory that they normally wouldn’t be able to access.
An attacker could use this to steal passwords or credit card numbers, or in the case of cloud infrastructure, steal data from virtual machines belonging to other customers. In cloud environments, it is possible to read data belonging to the hypervisor or other virtual machines.
The biggest problems occur on Intel CPUs. CPUs from AMD and ARM are susceptible to a smaller number of more complex attacks, but still must be considered vulnerable. In enterprise environments, Intel CPUs are far more common than AMD or ARM.
Why should you care?
Almost any computer made in the last 22 years is vulnerable to one degree or another for this. These vulnerabilities have received a tremendous amount of coverage, even bleeding into the mainstream press, so everyone from customers to board members have likely heard about this and are concerned.
What can you do?
First, don’t panic. So far there are no reports of reliable exploits circulating in the wild. Operating system vendors are releasing patches as we speak. Spectre is difficult to mitigate at the CPU or operating system level, so browser makers are attempting to mitigate it at the browser level, since browsers are both an effective attack vector and an attractive target.
Scan your network with a proven vulnerability scanning solution. Check your results for CVEs CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, and check your web browser versions to build an inventory of patches that will need to be deployed and where. For best results, ensure you are scanning your entire network with authenticated scans. Vendors will be releasing updates through the end of January, so keep in mind, this is a moving target.
Chrome, Edge, Firefox, and Internet Explorer all received updates this week. Chrome will receive another update by January 23. Safari, Opera and Vivaldi will receive updates on or before January 31. Additionally, Google recommends enabling site isolation in Chrome. Opera and Vivaldi have the same feature. This setting is in chrome://flags/#enable-site-per-process.
If your vulnerability management platform is capable of scanning your mobile device management solution, scan your MDM solution as well to ensure your Android devices are running the January 2018 update from Google, and your iOS devices are running iOS 11.2.1 from Apple.
Microsoft released out-of-band updates for this, but its patch has issues with many third-party antivirus solutions. Unless you have other information direct from your antivirus vendor, GuidePoint Security recommends waiting until Monday for your antivirus vendor to catch up. On Monday, push the update to your antivirus client, then start pushing Microsoft’s update.
Patch in a controlled, prioritized fashion. Workstations and cloud infrastructure are the most critical, as they are most susceptible to attacks. Servers running on hardware you control are much more difficult to exploit, so they can be in your later round of patching. If possible, patch a test environment first so you can monitor for performance impact, as servers that do large amounts of I/O, such as database and web servers, can experience performance degradation of 20 or even 30 percent. Google and Intel have experimental mitigations to help with these degradations in the long term. However, these fixes will require recompiling code so these changes will take time to appear.
After patching, be sure to follow up with subsequent vulnerability scans. GuidePoint engineers have observed Microsoft’s patch giving false error messages that suggest the patch failed when, in fact, it had succeeded. Your vulnerability management solution has more thorough checks that can validate the patch actually succeeded. Microsoft is working on an update for this patch to fix the error messages.
If you cannot update all of your browsers, consider updating one browser and limiting general web access to one particular browser at your proxy server until you are able to update all of the browsers in your network. Please note that technologies like Microsoft EMET and Malwarebytes Anti Exploit, while very useful against certain types of exploits, are not able to protect your browser against Spectre and Meltdown.
GuidePoint Security is here to help
GuidePoint’s cybersecurity advisors have years of experience managing vulnerabilities in enterprise environments. We can help you ensure your vulnerability management solution is correctly sized for your environment, and our Virtual Security Operations Center (vSOC) Identify Team can even run your vulnerability management program for you. Learn more at www.guidepointsecurity.com.
Dave Farquhar, vSOC Analyst at GuidePoint Security, is a Cyber Security professional who has worked in the field for 8 years with Vulnerability Management, Policy Compliance, and Incident Handling as his main focuses. Dave most recently managed accounts for 30 large customers at a major vulnerability management vendor, where he helped his most successful clients reduce their vulnerability counts by 50 percent. Prior to moving to security, Dave specialized in remediation management on the infrastructure side of IT. Dave has a Bachelors degree in Journalism from the University of Missouri as well as holding CISSP and Security+ certifications.