The new year started off on a big bang with the revelation of two related, critical flaws – Meltdown and Spectre - affecting the underlying integrity of CPU processing of instructions on Intel, AMD, and ARM-based CPU systems running Linux and Windows. This includes most modern containers running SaaS applications in public and private Cloud instances, and the application, network infrastructure servers, PCs, laptops, tablets and mobile phones used around the world today.
Some claims indicate all Intel processors made since at least 2011 are affected, while others say the flaws stretch back to all such processors from 1995 onwards are susceptible to the exploits. Both of the flaws are documented in the common Vulnerability and Exploit databases in CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.
As the detailed description of each flaw, documented by the original security researchers, makes clear, the two classes of exploits – Meltdown and Spectre – share common methods, but their uniqueness means that each is amenable to very different fixes or workarounds, with very different implications.
Meltdown is a covert channel involving access to kernel memory page tables and the fix for this involves patches to what is known as the Kaiser algorithm for randomizing access to kernel page tables. This workaround is what is being tested for delivery by providers today and the fix will likely slow down some of the processing on patched systems.
Spectre on the other hand is a fundamental design flaw in the processing of look-ahead prediction for out-of-order instruction sequence execution that occurs in almost all modern CPU architectures. The workarounds for this flaw will involve two very different approaches, as follows: 1) a potential nearer-term fix that is a year or more away that delivers new microcode delivered to market via patches and 2) and longer-term fix that is five years or more away delivering newly fabricated CPU silicon wafers encapsulating logic not susceptible to Spectre’s side channel attacks.
What to expect and what to do? Microsoft announced an out-of-band security patch for the Meltdown exploit on Windows just yesterday - January 3, 2018. Google delivered similar workarounds for Meltdown on some of its flagship phones, and plans to deliver similar workarounds for its Chromebooks shortly. Expect Microsoft and Google to both announce fixes for Google Cloud and Microsoft Azure shortly. Although Amazon has not yet announced its plans, enterprise IT leaders relying on AWS for some workloads should contact Amazon for guidance regarding fixes to AWS containers if it is not forthcoming in the coming week. IT leaders should look to its other master brands – Cognizant, Dell EMC, HCL, IBM, Oracle, SAP, TCS, Unisys, Wipro, etc. – for guidance about when Meltdown will be patched.
Because the covert channel flaws of Meltdown affect nearly all digital processing, it will also be imperative for IT operations leaders to take the following actions:
- Accelerate the deployment of patches for the Meltdown exploit for critical digital business processes
- Accelerate and track third-party IT service processors – Cloud, IT outsourcing, managed services – fixes for Meltdown
- Be aware that some processing slowdowns may occur due to Meltdown fixes and adjust SLA schedules if and as appropriate
The covert channel flaws of Spectre are not amenable to a fix in the near term, whether via new microcode or new chips; such fixes are a year or more away. During this time, the digital business of the enterprise is at a heightened risk, especially to well-funded and well-armed criminal and State actors. Unfortunately, proof-of-concept exploits for Spectre and Meltdown are easily accomplished in a day or less. And so far, published proof-of-concept attacks have been conducted by “white hats.” Black hats with evil intentions can – and probably already have – replicated the same exploits and presumably have or will shortly unleash new attacks from command and control servers.
Actions that should be taken today to guard against Spectre by enterprise IT leaders include the following:
- Reduce attack surface with phishing detectors and sandbox email services, ad-blockers, site isolation, Java-script disabling and Web-browser isolation on web browsers
- Ramp-up the detection of lateral movement using analytics on SIEM-flows and automated network isolation techniques
- Ramp-up the deployment of the detection of lateral movement by digital deception with its built-in traps and isolation methods