Cloud

1/8/2018
07:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Meltdown, Spectre Likely Just Scratch the Surface of Microprocessor Vulnerabilities

There's a lot at stake when it comes to patching the hardware flaws.

The dust has yet to settle on the recent revelation of critical vulnerabilities in microprocessors in most modern computers worldwide, but it's already troublingly clear that fixing the problem isn't simply a matter of applying the latest vendor security updates.

Last week's disclosure by researchers from Google's Project Zero team and research teams from academia of the vulnerabilities in most Intel processors and in some AMD and ARM processors have left organizations scrambling to gather and track security updates available for their firmware, operating systems, and browsers. Given that operating system patches can incur significant performance hits – some experts are estimating up to 30% degradation for Linux and Windows platforms – there's a lot at stake in fixing the flaws.

The so-called Meltdown and Spectre hardware vulnerabilities allow for so-called side-channel attacks: in the case of Meltdown, that means sensitive information in the kernel memory is at risk of being accessed nefariously, and for Spectre, a user application could read the kernel memory as well as that of another application. So an attacker could read sensitive system memory, which could contain passwords, encryption keys, and emails – and use that information to help craft a local attack.

Meltdown and Spectre are especially vexing because the attacks take advantage of the design of the hardware itself, the so-called "out-of-order execution" performance feature in most modern processors that runs operations out of order to streamline and speed up processing. The timing differences of the operations, for example, can leak sensitive information from the kernel, and an attacker could use that information to then attack the system via another exploit.

The irony is that a feature meant to boost processor performance for now can only be fixed with software updates that can in some cases deplete performance. And experts say this pervasive security weakness not only has a long tail but is likely just the beginning of hardware vulnerabilities yet to be unearthed.

"I would be surprised if these particular issues were the only ones of this class of problems. Just digging a little bit, there appears to be a lot of space for" other microprocessor issues like this, says Dino Dai Zovi, a veteran security researcher and co-founder and CTO at Capsule8.

Patching is the only option to mitigate risk of a Meltdown or Spectre attack, but it's still not a perfect solution. Given that the basic design flaw lies in the microprocessor hardware, the software updates merely provide software mitigations for the attack. So there's still the chance the updates ultimately can be bypassed by an attacker, for example.

The US-CERT reiterated those concerns late last week in its Vulnerability Guidance alert: "Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases," the US Department of Homeland Security post said of the flaws, CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

The security updates and patches are mainly workarounds and mitigations: a real fix would require a hardware do-over in the microprocessors, experts say. "In general, we think you have to wait until the new generation of processors will be introduced," says Max Goryachy, security researcher at Positive Technologies, which late last year discovered a buffer overflow in Intel's chip firmware that can be abused to take control of a machine even when it's powered down.

While future-generation chips may address the flaws, for existing systems it's all about patching. Yet, not all systems will get patched.

"What worries me," says Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, is that "the wholesale underlying infrastructure vulnerabilities are so deep-seeded that they will remain with us for years to come."

Patching some systems may come with a price. Large organizations are now weighing their patching decisions based on risk and performance impact. Take the FS-ISAC, the financial services industry organization that shares threat intelligence among banks and other financial institutions, which said it's well aware of the possible performance and productivity hits and costs, as well as testing, for the processor patches.

"There will need to be consideration and balance between fixing the potential security threat versus the performance and other possible impact to systems," the FS-ISAC said in a statement last week. Cloud-based and shared, virtualized platforms, are likely to be more at risk than dedicated servers and endpoints.

William Nelson, president and CEO of FS-ISAC, says while Meltdown and Spectre "are a big deal," the good news is that it's a vulnerability discovery and has no known exploits in the wild as yet, which gives financial institutions some breathing room to assess and analyze their risk and any performance tradeoffs with patching.

"We are continuing to monitor" and share information about the vulns with our members, he says.

Greg Temm, chief information risk officer at FS-ISAC, says risk is always part of the equation when considering a new patch, as well as operational issues for production systems or applications. "You're looking at capacity as well," he says, and how a patched system will affect that.

"Most organizations are not operating their servers at 100% capacity every day, every minute. There's already built-in capacity to take in extra requests coming into the server, so there's already some buffer there," he notes. Segmented networks can help lower risk, he says.

"A lot of financial institutions employ multi-tier architectures so their most sensitive systems are protected with multiple layers of security so the outside world can't access those systems," Temm says.

Renowned security expert Dan Kaminsky expects any performance tradeoffs with security patches to be a temporary problem, however. "You're not going to see computers slow down to a crawl … You might see some temporary slowdowns as we figure things out," he says.

Kaminsky says Meltdown and Spectre ultimately will force a sea change in security. "What makes this bug really interesting is that it's really going to require rethinking how we implement security," he says. "The fundamental flaw is the leaky state" of security domains, he says.

Capsule8 late last week released a free tool to detect Meltdown exploits. "It's significantly easier to deploy, with less peformance impact" than remediation via a patch, Capsule8's Dai Zovi says. "We wanted to give people some way to measure protection while they rolled out patches, and while they made risk decisions."

The company this week released a more extensive detection tool for Meltdown and Spectre.

Meantime, in a bizarre twist last week, the Computer Emergency Response Team (CERT) at Carnegie Mellon University, which is sponsored by the US Department of Homeland Security, at first recommended removing the vulnerable hardware as the solution to the vulnerabilities. The CERT later deleted that guidance posted in its alert, replacing it with "Apply updates," and noting that operating system and "some application updates mitigate these attacks." 

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/10/2018 | 6:03:57 PM
Still just vulnerabilities
As bad as these out-of-sequence execution vulnerabilities are (and might prove to be), we saw more than enough monsterously bad cybersecurity breaches in 2017 - without the help of Meltdown, Spectre or any follow-on scenarios. 

We need something better than just chasing down vulnerabilities and patching, to approach any acceptable level of cybersecurity.  
PatrickH94102
50%
50%
PatrickH94102,
User Rank: Apprentice
1/9/2018 | 8:09:34 PM
Re: Another thing to consider
Yup BIOS updates have been a mostly ignored / de-prioritized security risk.  Some new security companies such as Eclypsium are working on BIOS integrity and version reporting & updating for enterprises.
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
1/9/2018 | 1:09:33 PM
Re: Another thing to consider
Fortunately most BIOS updates are now operating system - installable items.  I remember the dead, long dead days of Compaq Deskpro with 3.5" floppy disk updates and heaven forbid you interrupt the BIOS load --- dead machine if you do that.  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/9/2018 | 10:49:36 AM
Re: Another thing to consider
Firmware updates are going to become a much bigger issue for IT and security folks now for more than just IoT devices. And servers obviously are a priority, so it's going to be interesting.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
1/9/2018 | 10:45:24 AM
Another thing to consider
BIOS - How many IT professionals regularly update the BIOS of their office systems?  My estimate is easy: never and knowing the threat landscape, there HAS to be vulnerabilities there as well. 
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
Why Enterprises Can't Ignore Third-Party IoT-Related Risks
Charlie Miller, Senior Vice President, The Santa Fe Group,  5/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11232
PUBLISHED: 2018-05-18
The etm_setup_aux function in drivers/hwtracing/coresight/coresight-etm-perf.c in the Linux kernel before 4.10.2 allows attackers to cause a denial of service (panic) because a parameter is incorrectly used as a local variable.
CVE-2017-15855
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, the camera application triggers "user-memory-access" issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in u...
CVE-2018-3567
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing the HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP messages.
CVE-2018-3568
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, in __wlan_hdd_cfg80211_vendor_scan(), a buffer overwrite can potentially occur.
CVE-2018-5827
PUBLISHED: 2018-05-17
In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in WLAN while processing an extscan hotlist event.