Modern CPUs design flaw causes privileged memory leak

Modern CPUs design flaw causes privileged memory leak

DearBytesAlertsModern CPUs design flaw causes privileged memory leak

What is going on?

Security researchers have published a set of vulnerabilities that affects the majority of modern processors. These vulnerabilities reported as “Spectre” (CVE-2017-5753 and CVE-2017-5715)  and “Meltdown” (CVE-2017-5754 ) allow an attacker to access protected data. Mayor operating system such as Linux, Windows and macOS have been working on protections against these vulnerabilities. DearBytes advises customers to apply available patches however there are indications that the mitigations might have a significant impact on performance.

Why is this important?

Operating systems (OS) such as Windows, Linux and macOS implement security mechanism to isolate every program running in a system. The OS’s memory space is hidden from other programs because it may contain sensitive data, such as passwords and login credentials. These vulnerabilities endangers this isolation allowing an unprivileged program to access information protected by the operating system. Moreover, in a cloud environment this could lead to the violation of the Virtual Machines (VM) isolation, in other words it could be possible to access information of a VM from another one.

Who does this apply to?

This design flaw is assumed to be present in the majority of Intel, AMD, and ARM processors released in the last decade. Since the vulnerability is in the hardware level all mayor operating systems (Windows, Linux and macOS) are affected.  Including Laptops, Desktops, Servers, Appliances, Virtual Machines, and Virtual Machine Hosts.

The vulnerabilities require local code execution, this could allow an attacker to escalate privileges. While both Meltdown and Spectre can significantly increase the impact of an existing vulnerability, neither one is sufficient on its own to compromise a system. There currently no indication that attacker could leverage these vulnerabilities for remote code execution purposes. However, as confirmed by Mozilla, it is possible for an attacker to steal private information via an special crafted website.

For systems that are running on top of Vmware ESXi technology further patches are needed as specified in their security advisory.

For ARM devices, this article provides more information about the impact of the disclosed vulnerabilities as well as the possible mitigations.

What can you do?

System administrators are recommended to apply the latest security updates to all their systems. However it is important to mention that the performance impact of the new protection scheme has been estimated to be up to 30%. The impact hardly depends on the task being executed and the CPU model.

For Linux, Windows and macOS operating systems, security patches are already available. Moreover, Microsoft has provided in this security advisory  a powershell module to verify if the mitigations are enabled. However this mitigations may incur in compatibility issues with some anti-virus that issue unsupported calls to the operating system. More info about the issues can be found in this article.

For systems that are protected with McAfee security solutions, the software vendor has published a security article in which they provide a list of the software that has already been tested and “no compatibility issues with the Microsoft update have been found so far”. Moreover, they instruct how to enable windows updates by adding a registry key manually or via Active Directory.

Update: Automatic remediation for Meltdown and Spectre is available via a custom EEDK is availble via KB90180. Starting with the January 10th DAT (3221.0) updates for Endpoint Security (ENS) 10.0.2 and later, the registry key will be automatically updated for customers who receive their DAT updates through ePolicy Orchestrator (ePO).
Please note starting with the January 12th DAT (8772), customers who use VirusScan Enterprise (VSE) 8.8 and receive their DAT updates through ePolicy Orchestrator (ePO) will have the registry key automatically updated.

Since the Spectre vulnerability is a challenging issue to solve via software, more patches will be released in the future to cover more operating systems and to further improve the protection mechanisms.

Fortinet has released new client versions, that will set the registery setting on installation. Older versions might be supported, but will not update the registery key.

What has DearBytes done?

At DearBytes we are conducting and internal investigation to identify the vulnerable security appliances and systems that are managed by DearBytes.

For more information:

Update 4/1/18 , 14:30 :

Information about Meltdown and Specter was added as well as more detail information about the impact and mitigations.

Update 5/1/18, 10:00 :

Add information about McAfee anti-virus compatibility with Windows security patch.

Update 11/1/18, 16:00 :

Add information about McAfee anti-virus compatibility deployment via custom EEDK and regular update proces and Forticlient support information.

Update 12/1/18, 10:00 :

Added information about McAfee Virusscan Enterprise