On Wednesday, December 3, reports surfaced about a vulnerability in Intel CPU’s, allowing attackers, through manipulating someone to run code on a machine, to read system memory. This mechanism could be used, for example, to harvest secrets directly from memory. If you are a security aware person using a password manager, this could grab those passwords, hypothetically. And emails. And everything else. In the context of paravirtualized environments (cloud), where hardware is shared over thousands of customers, the implications cause light headedness amongst the most battle hardened security pro’s.
The vulnerability is dubbed “meltdown” after an initial, frustration inspired handle of “f*ckwit”. It breaks the isolation between the protected OS and the application layers. Its companion vulnerability “spectre” breaks isolation between applications. There’s one “meltdown” and two “spectre” vulnerabilities. It’s not only Intel, it’s pretty much all other architectures too. ARM and AMD are just vulnerable to one of the “spectre” ones. “Cumulative speculation” is mentioned. What does this mean?
DNS guru Bert Hubert described the issue as follows in a Dutch blog post later expanded on in a popular English post. “You’re cooking a meal and the recipe contains a condition: if there’s candy in the secret cupboard, then put butter in the pan. Because you read the recipe, you can check the secret cupboard, locate the candy. You now know the existence of a stick of butter and you can grab it.”
So, what’s the implication? And what’s relevant?
- Yes, pretty much every device it vulnerable, PC, Apple, Android. The one you’re reading this on, too.
- An attacker still needs to execute their attack payload on your device. Either through social engineering, exploiting other vulnerabilities, or using other tricks perfected by criminals over the last decade.
- No, you can’t do anything about it. It’s a hardware flaw, even if you could replace your CPU, CPU’s without the flaw don’t exist.
- Nice people at Microsoft, the Linux community, Android and Apple are coming to the rescue. They are as we speak testing OS workarounds. They will circumvent this issue at the cost of a performance degradation. These workarounds will release as an OS update as soon as today.
- So, update. In the coming weeks, tap the “search for update” button a bit more often than you usually did. In all fairness that’s all you can do. There seems to be some issues with some anti-virus apps and some updates, and we’re monitoring that space.
- The Catch 22 is you should be aware that pressing update might impact your performance. 5 to 30 percent is reported. If you’re running databases, cloud environments, real-time solutions, you might be between a rock and a hard place, and be forced to choose between performance & security. That said, many think the performance impact might not be too bad.
- And finally, just a few weeks ago we’ve had KRACK, an other big vulnerability in WIFI security, which was left mostly unpatched, and hardware flaw ROCA. You might have noticed the world hasn’t stopped turning and your mobile phone is still working. There’s 100s of thousands of unknown vulnerabilities, because they sit in stuff that works and no one has ever discovered them. As researchers are working around the clock, they’re bound to discover more of them. As OS developers are frustrated to be forced to work around hardware flaws we feel for them, but the important thing is they are discovered, an mitigated.
Yes, it’s worrying, arguably big and risky, it’s messy, but unless you’re a kernel security architect, you can’t do anything except worry for what the future holds. And our advice on this is: don’t. It’s a bumpy road we’re on, but the journey is rewarding.
SecureLink’s Matthew Carr spent some time trying to actually steal secrets using the proofs of concept available, kindly documenting his efforts, and creating a new PoC in the process. Turns out, at this time, there’s dozens of easier ways for criminals to get your stuff.