legal contact
 

Meltown - Spectre

Most of the information here has been taken from the great page at: https://meltdownattack.com/
Read the technical Spectre Paper or the Meltdown Paper.

Abstract

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre

Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.

Sopce

THe scope is the workaround of the kernel memory randomisation that is available in allmost all modern operating systems running on the major processors. From the time of this writing (3rd Jan 2018) Intel processors are in the main scope of this vulnerability, but even AMD and ARM's are affected. - So, almost any computer system must be seen as vulnerable.

A deeper look can be taken into each vendor information from the below list:

Vendor Status Date Notified Date Updated
AMD Affected - 03 Jan 2018
Apple Affected - 03 Jan 2018
Arm Affected - 03 Jan 2018
Google Affected - 03 Jan 2018
Intel Affected - 03 Jan 2018
Linux Kernel Affected - 03 Jan 2018
Microsoft Affected - 03 Jan 2018
Mozilla Affected - 03 Jan 2018

Risk

In general an attacker being able to execute code with user privileges can achieve various impacts, Such as reading otherwise protected kernel memory and bypassing KASLR. This might as well be done through a java programm sitting on a web page. Although this is not seen up to now.

Test

You can use the PoC-files provided in the lower chapter to test if your system is vulnerable.

Microsoft has recently provided a PS to test the vulnerability of your Windows machine, thanks to Andy-Bentley that made it easier to use.

Get the file here and execute:

 
powershell.exe -noprofile -executionpolicy bypass -file .\SpeculationControl.ps1
After deploying the MS patches:

Other Tools:

There have been Rapid7/Nexpose and Tennable/Nessus plugins been released to check the vulnerability of a system.

 

Mitigation

For the time until everything is patched, one could use NoScript for Firefox or ScriptSave for Chrome to control the script that are running in your browser.

Fix

Install the appropriate patches provided by the diferent vendors. (from below list)

Vendor

Link

Intel  Security Advisory    /     Newsroom    /     Whitepaper
ARM  Security Update
AMD  Security Information
RISC-V  Blog
NVIDIA  Security Bulletin   /    Product Security
Microsoft  Security Guidance    /     Information regarding anti-virus software    /     Azure Blog    /     Windows (Client)    /     Windows (Server)
Amazon  Security Bulletin
Google  Project Zero Blog    /     Need to know
Android  Security Bulletin
Apple  Apple Support
Lenovo  Security Advisory
IBM  Blog
Dell  Knowledge Base   /    Knowledge Base (Server)
HP  Vulnerability Alert
Huawei  Security Notice
Synology  Security Advisory
Cisco  Security Advisory
F5  Security Advisory
Mozilla  Security Blog
Red Hat  Vulnerability Response   /    Performance Impacts
Debian  Security Tracker
Ubuntu  Knowledge Base
SUSE  Vulnerability Response
Fedora  Kernel update
Qubes  Announcement
Fortinet  Advisory
NetApp  Advisory
LLVM  Spectre (Variant #2) Patch   /    Review __builtin_load_no_speculate   /    Review llvm.nospeculateload
CERT  Vulnerability Note
MITRE  CVE-2017-5715   /    CVE-2017-5753    /     CVE-2017-5754
VMWare  Security Advisory   /    Blog
Citrix  Security Bulletin   /    Security Bulletin (XenServer)
Xen  Security Advisory (XSA-254)   /    FAQ

Questions & Answers

Am I affected by the bug?

Most certainly, yes.

Can I detect if someone has exploited Meltdown or Spectre against me?

Probably not. The exploitation does not leave any traces in traditional log files.

Can my antivirus detect or block this attack?

While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

What can be leaked?

If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.

Has Meltdown or Spectre been abused in the wild?

We don't know.

Is there a workaround/fix?

There are patches against Meltdown for Linux ( KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre .

Which systems are affected by Meltdown?

Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether ARM and AMD processors are also affected by Meltdown.

Which systems are affected by Spectre?

Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.

Which cloud providers are affected by Meltdown?

Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.

What is the difference between Meltdown and Spectre?

Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers ( Meltdown and  Spectre)

Why is it called Meltdown?

The bug basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

Is there more technical information about Meltdown and Spectre?

Yes, there is an  academic paper and  a blog post about Meltdown, and an  academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.

What are CVE-2017-5753 and CVE-2017-5715?

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

What is the CVE-2017-5754?

CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

PoC (prove of concept)

From https://github.com/turbo/KPTI-PoC-Collection get win.asm and win.cpp.

From ErikAugust the spectre.c

To the honor of:

Who reported Spectre?

Spectre was independently discovered and reported by two people:

Who reported Meltdown?

Meltdown was independently discovered and reported by three teams: