We’ve met the new year forced to remain on our toes: Three new attack vectors have been documented by security researchers and while all three are to be discussed, the most important attack vector to focus on has been aptly named Meltdown. There are a plethora of news channels covering the particulars about the threats, but what do we really know about them, beyond speculation? Here are some of the more important questions with solid answers you can get a grip on (instead of having a Meltdown…sorry, couldn’t help it)
- What are these Meltdown and Spectre vulnerabilities I have heard about?
Meltdown and Spectre are security vulnerabilities which enable malicious software to access data in memory that should be protected by the intrinsic hardware security measures built into the CPU chip. Meltdown is the vulnerability to be concerned about. Spectre is a much less important threat and you should focus your attention on Meltdown. You will find a lot of noise on the internet relating to Spectre because the Meltdown vulnerability affects only one CPU vendor, Intel.
Spectre, on the other hand, is a theoretical attack on almost any modern CPU (ARM, Intel, AMD, PowerPC etc). Understandably, Intel would like to deflect attention away from Meltdown. However, you should focus on this vulnerability as it is far more important.
- So what’s the Meltdown threat?
The CPU hardware is supposed to prevent an unprivileged task (such as the browser, or word processor etc) from reading highly privileged memory which belongs to the operating system kernel. The Meltdown exploit circumvents this hardware-level security to read the privileged kernel memory. The attack can be conducted from a web browser, making it extremely hard to detect. On a single-user PC this is mainly a threat because sensitive credential information may reside in kernel memory and an attacker could obtain this and then use it to launch further attacks.
On a PC shared by many users this is an even greater threat because the ‘walls’ between users that the CPU hardware is supposed to enforce are compromised. As a result, particularly in a multi-tenanted cloud environment, a rival company could acquire sensitive information on a competitor, or steal credentials or other valuable intellectual property. In addition, of course, an attacker could, without leaving any trace in the victim’s environment, steal information.
- How do I protect myself against meltdown?
There is a patch for Windows 10 build 1709 rolling out now. You would have to be at this level (i.e, the so-called ‘creator’s update’) to receive the patch currently. Patches for other versions of Windows are also being rolled out and should be available shortly. There are also patches for various Linux kernels, including Ubuntu
- Is there a risk in applying the patch?
Unfortunately, yes. Apart from incompatibilities with some anti-virus software, there are reports that some software products fail after the patch is applied. In particular, we have been notified that there may be problems with SCCM and/or SQL Server. The risks for client PCs may be somewhat less. However, this is definitely a patch to be applied cautiously and in conjunction with careful testing.
Additionally, the patch may impose performance overhead on disk I/O and possibly networking. At this stage, preliminary testing by 1E appears to indicate that random 4K disk I/O reads may degrade by between 10-15%. However, this testing is preliminary and we cannot be certain that in certain environments there may be more significant degradation.
- What is the situation regarding virtualized environments?
At this stage, the situation is somewhat unclear. To be entirely safe you should probably plan on patching both the host and each guest OS.
- Does this vulnerability only affect Windows?
Unfortunately not. It is intrinsic to the design of the Intel CPU and affects all operating systems running on the platform, including Linux, Solaris and other operating systems.
- Is there a mitigation other than applying a patch?
Yes. AMD devices are not believed to be vulnerable to the meltdown threat. Therefore, migrating to an AMD server should mitigate the issue, without the need to apply the patch.
- If the patch is applied, does it affect both AMD and Intel processors?
Yes. This also means that the same performance overhead will occur on a patched AMD server. However, it is apparently possible to disable the patch via some registry keys. Note that we have not tested this at this stage. Linux installations also support a configuration setting which will disable the patch for AMD devices.
- How can I confirm the patch has applied?
There is a PowerShell cmdlet you can install and run to verify the protection status of a device. Check here for more information.
- Can I download the patch and install it manually?
Yes. The patch is available here for Windows 10. Note that you will need to already be running build 1709 (the so-called ‘Creator’s update’) prior to applying this patch. Patches for other versions of Windows are expected to be available from Microsoft shortly.
- Which Intel chips are vulnerable?
With the exception of a few Atom models, almost every Intel chip manufactured in the last decade or so will be vulnerable to this issue.
- How on earth could this happen?
It appears that Intel made a design decision many years ago, that means that privileges are checked in some circumstances only after data has been read into the processor’s cache memory. As a consequence, although privileges are checked before the data is then made available to the caller (i.e in main memory), the transient existence of data in the cache can be inferred using so-called ‘side-channel’ attacks, which measure the time it takes to retrieve data. As a consequence, an attacker can deduce the contents of memory that the attacker has no right to access.
AMD apparently make the check prior to caching the data and hence are not vulnerable to the attack. We will keep you updated as the rest of the mysteries of Meltdown and Spectre unfold.