CVE-2017-5753 — CVE-2017-5715
What are Meltdown and Spectre?
Meltdown and Spectre are a set of critical vulnerabilities found in the design of processors dating back to 1995. Both vulnerabilities were discovered independently and announced together to allow vendors to develop and distribute patches.
Meltdown, the more serious of the two, allows an attacker to break the isolation between applications and the operating system. A successful exploit can therefore read memory belonging to other programs, exposing sensitive personal data such as passwords. The flaw stems from the way these processors optimize performance through a technique known as “speculative execution”.
Spectre, the more complicated of the two, is both harder to exploit and harder to fix. It breaks the isolation between different applications, tricking otherwise secure, error-free programs into leaking sensitive data.
What are the differences?
Exploiting Meltdown lets an application access memory that was previously isolated from it, which leaks information; exploiting Spectre tricks an application into accessing sensitive areas of its own memory, or potentially that of other applications.
Who is affected?
Because the flaw lies in the design of the processor itself, nearly all devices dating back to 1995 are affected by the bugs. Intel and ARM processors are affected by both Meltdown and Spectre, while AMD processors are only affected by Spectre. Meltdown can be patched at the operating system level by adding checks against the bug, at the cost of some performance. Spectre is more difficult to patch because it affects applications: operating system vendors have introduced patches to mitigate it, but applications will also need to be patched to avoid exploitation.
Recommendations for Meltdown and Spectre
Many operating system and application vendors are releasing updates to address these two vulnerabilities. It is critical that all affected systems are discovered and patched. Due to the complexity of Spectre, longer-term fixes and direct firmware patches may be required. It is important to ensure that your organization has a vulnerability management program and continues to keep all operating systems, applications and browsers updated. To help reduce the potential attack surface and exposure to exploitation, we also recommend the use of browser plugins such as AdBlocker and NoScript.
Major cloud providers (Azure and AWS) have patched almost all virtual instances with Kernel Page Table Isolation (KPTI), and Google (GCP) has taken a different patching approach (Retpoline) that protects against these vulnerabilities with negligible performance impact.
Windows (Microsoft Security Advisory)
Windows updates are available through an out-of-band security update issued on January 3rd 2018.
Please note that some major anti-virus programs may prevent the Windows update from being downloaded. It is also important to verify that it was installed correctly: Microsoft has provided PowerShell scripts to validate your systems after patching.
Linux
A kernel patch has been developed to mitigate the vulnerabilities, and it has been implemented by the major Linux kernel vendors. Due to the substantial number of Linux distributions, it's important to verify with your vendor whether the patch has been applied.
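Verifying a Linux host after patching does not have to rely on the vendor's word alone: kernels carrying the Meltdown/Spectre mitigations (mainline 4.15 and vendor backports) report their status in /sys/devices/system/cpu/vulnerabilities/, one file per issue, with contents such as "Mitigation: PTI" (the KPTI fix mentioned above) or "Mitigation: Full generic retpoline". The script below is an added example written for this advisory; it is not from the advisory's author, the kernel project, or any distribution. It classifies each report, exits non-zero if anything is still vulnerable, and treats a missing directory as "unknown, check with the vendor", since an unpatched older kernel has no such files at all. The --demo mode runs against a constructed sample tree (not real system data) so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original advisory): summarise the Linux
# kernel's speculation-vulnerability reports after patching.
# Assumption: a kernel new enough to expose
# /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15+ or a vendor backport).

SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status "<file contents>" -> vulnerable | mitigated | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)    echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# report_vulnerabilities DIR
#   prints "name<TAB>class<TAB>raw text" for every report file in DIR
#   returns 0 if nothing is vulnerable, 1 if any report is vulnerable,
#   2 if DIR does not exist (kernel too old or unpatched: ask the vendor)
report_vulnerabilities() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no sysfs report at $dir: verify patch status with your vendor" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        class=$(classify_status "$raw")
        printf '%s\t%s\t%s\n' "$name" "$class" "$raw"
        [ "$class" = vulnerable ] && rc=1
    done
    return $rc
}

# make_sample_dir -> path to a CONSTRUCTED sample tree for offline demonstration.
# The strings mirror the kernel's report format but describe no real machine.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_dir)
    status=0
    report_vulnerabilities "$demo" || status=$?
    echo "overall status: $status"
    rm -rf "$demo"
elif [ "$#" -eq 0 ]; then
    status=0
    report_vulnerabilities "$SYSFS_VULN_DIR" || status=$?
    echo "overall status: $status"
fi
```

Run it with no arguments on the host being verified (status 0 means every report is mitigated or not affected; 1 means at least one is still vulnerable; 2 means the kernel offers no report), or with --demo to see the classification on the constructed sample, where spectre_v2 is deliberately left in the vulnerable state.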
Android
The Android team has added mitigations to the January 2018 security patches.
Apple
Apple has released mitigations in the following software versions:
iOS 11.2, macOS 10.13.2, and tvOS 11.2
References and Links:
https://spectreattack.com
https://www.trustedsec.com/2018/01/meltdown-spectre-welcome-2018-walkthrough/
https://www.bleepingcomputer.com/news/microsoft/how-to-check-and-update-windows-systems-for-the-meltdown-and-spectre-cpu-flaws/
Ensuring your security is our priority at ElevatedPrompt. If you have any questions or concerns regarding these vulnerabilities, or any other cybersecurity questions, please reach out to your ElevatedPrompt account representative or email us at [email protected]