In the first days of 2018, a number of vulnerabilities were disclosed that are present in many modern day CPUs. In this blogpost we address the most frequently asked questions about Spectre and Meltdown with a focus on providing you with actionable guidance on what to do. This blogpost is additional to our webinar. Should you wonder what Spectre and Meltdown are, a great non-technical description was written by Bert Hubert .
What is the real-world impact of these vulnerabilities?
Spectre is more difficult to exploit in general in the context of a real attack, but keep in mind that browser exploits target the variant 1 of Spectre. Although more difficult to mitigate, as it requires CPU changes and changes to software, we don’t expect pure Spectre type of attacks to be commoditized and used. In short, in our view Meltdown is more worrisome than Spectre but can be easily mitigated.
Will attackers abuse these vulnerabilities?
These are the types of information an attacker might try to leak:
- Sensitive information. This could be anything, from passwords to credit card numbers to snippets of text.
- Secrets within memory. These could be used in follow on attacks or for privilege escalation. The most useful here could be passwords or private keys stored in memory, which could be used for privilege escalation.
- Information about memory structures themselves. This could be used in follow-on exploits. An example being, could be the ability to read memory for the purpose of overcoming defenses such as address randomization, increasing the chances of follow-on exploits on the same system.
We foresee that attackers can use these vulnerabilities in combination with already known attack techniques.. For most criminal purposes, other easier executed attack vectors are probably more effective. In the longer term, attacks using these vulnerabilities will certainly remain in use, but in isolated and more targeted cases.
What should my patch strategy be?
In general, we would advise on a three-step strategy:
- Take stock of systems with vulnerable CPUs
- Understand the impact of performance degradation
- Plan and apply patches, with a priority for Meltdown, as they become available
Take stock of systems with vulnerable CPUs
You only need to worry about systems that are based on CPUs that are vulnerable as a result of implementing speculative executionAccodingly, you should base your update strategy on an inventory of your systems. Now is a good time to add and verify CPU information to your Configuration Management Database checked against the following overview of vulnerable CPUs:
Other processors have not shown to be vulnerable, and in general more simple devices are not vulnerable because they simply don’t incorporate speculative execution in their CPUs. Don’t forget systems such as firewalls, malware analysis systems, virtual systems etc.
Understand the impact of performance degradation
Currently multiple patches have been or are being rolled out to address these vulnerabilities. These patches are applied at chip-level, the Operating System (OS) level and the application level. This results in a complex set of patches that need to be tested with your specific setup to determine if there will be a significant impact.
For some of the available patches it is already known that they have a performance impact, but the exact impact depends on the functionality of the application and the setup as deployed within your organization.
While the impact on individual end users’ systems can be managed as indicated above, server-side application of patches and application in virtualized environments deserve special scrutiny. Microsoft has released additional information on understanding the potential performance impact.
Plan and apply patches, with a priority for Meltdown
Meltdown is the variant of the new announced bugs, that is fixable by patches. Be sure to patch your system as soon as a patch is announced for your system. To prevent errors while patching, look for the right patch for your system. It is a good idea to back-up your system, so the system can be reverted to the earlier state in case of decreased capability or functionality of the system.
Be aware with Windows that – when you are using anti-virus software – there may be a chance that the patch will not install immediately when it’s available. This is because changes to the kernel that the patch makes may influence anti-virus software and cause issues right now, the patch will only install when a certain registry key is present on the system, created by anti-virus software. Alternatively, you could create this key manually if you are certain no problems will arise, or would want to test this.
For Linux and Apple, the standard update process will apply the correct patches.
Next to the officially announced Windows, Apple and Linux updates, microcode updates – also known as firmware updates – need to be performed. Microcode updates will modify the software that is programmed into the hardware of the system; the CPUs in this case, so first make sure to perform, or plan the microcode updates for your vulnerable systems before applying OS and application patches. In many cases it is not an update directly from the microprocessor vendor that you can update, but an update by a device manufacturer that includes a microcode update. The Intel microcode update, for example, does not fix the Meltdown or Spectre vulnerabilities by itself, they only offer new methods to help with a kernel-based mitigation. Thus, these updates are not very useful by themselves, but only in combination with a kernel update that knows what to do with the extra functionality. For a list of affected vendors, please check the following URLs, but in most cases the microcode updates are packed with the OS update.
In general, it will be the case that for both Spectre and Meltdown, both a microcode update AND a software update will be necessary to achieve the best possible protection. This is because the microcode updates, in general, do not completely prevent all exploits of speculative execution. In some cases, new interfaces will be available and it will be up to the operating system to make use of those new interfaces to achieve better protection. In other words: best mitigation is achieved with a combination of microcode and OS/application updates.
Finally, keep in mind that there are recent reports that the microcode updates can cause issues with other drivers or low level software. With that in mind, it remains important to test any update related to these issues, prior to roll-out.
Is there an overview available of the CPUs and devices impacted by Spectre or Meltdown?
Unfortunately, due to the wide variety of hardware that is impacted by these vulnerabilities there is no single overview of all the impacted CPUs or devices. The recommended course as action is to query your asset management inventory to obtain a list of all your devices and CPUs in use. Using this information, you can the check with the corresponding vendor to determine if your device or CPU is vulnerable to these vulnerabilities. The following vendors have already pro-actively published a list of impacted devices or products (this is not an exhaustive overview):
Additionally the US CERT has published a good reference of multiple vendors with their corresponding overviews:
Microsoft has released a PowerShell script to verify that the correct protections are enabled. Additionally an independent researcher has also released a tool to check the state of the software mitigations.
Can I prevent these attacks?
First, make sure that you have an update strategy to apply the patches that mitigate these vulnerabilities. Due to the nature of the vulnerabilities it is not possible to fully prevent the attacks. This means that mitigating the impact is an important factor to consider; for example by not co-hosting data of different classification levels on the same environment.
What is the impact of these vulnerabilities on my virtual environments?
You need to apply the corresponding patches at every layer of your virtual environment. Please also take into account that this also applies to containerized environments such as Docker and nested virtualization setups.
Do I need to take actions if cloud providers already deployed patches?
Yes, you need to take action to be sure the patches are also applied to your systems. At the very minimum, you need to verify that the patches applied by your provider also cover the services and machines you are using. In some cases, you need to apply patches yourself for your own infrastructure within their cloud solution. Other, more technical descriptions can be found on: