Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. Malicious programs can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs obtaining passwords, logon details and what was once thought to be secured information.
Meltdown and Spectre work on personal computers, mobile devices, and in the Cloud – AWS, Azure, and other 3rd party Cloud / IaaS Providers.
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an un-patched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Information on the vulnerabilities:
Current known list of affected vendors and their respective advisories and/or patch announcements below
||AWS-2018-013: Processor Speculative Execution Research Disclosure
||An Update on AMD Processor Security
||Android Security Bulletin—January 2018
||HT208331: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
HT208394: About speculative execution vulnerabilities in ARM-based and Intel CPUs
||Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
||Securing Azure customers from CPU vulnerability
Microsoft Cloud Protections Against Speculative Execution Side-Channel Vulnerabilities
||Actions Required to Mitigate Speculative Side-Channel Attack Techniques
||cisco-sa-20180104-cpusidechannel – CPU Side-Channel Information Disclosure Vulnerabilities
||CTX231399: Citrix Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
||Debian Security Advisory DSA-4078-1 linux — security update
||SLN308587 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products
SLN308588 – Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)
||K91229003: Side-channel processor vulnerabilities CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754
|Google’s Project Zero
||Reading Privileged Memory with a Side-Channel
||Security Notice – Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design
||Potential CPU Security Issue
||INTEL-SA-00088 Speculative Execution and Indirect Branch Prediction Side Channel Analysis Method
||Lenovo Security Advisory LEN-18282: Reading Privileged Memory with a Side Channel
||Security Advisory 180002: Guidance to mitigate speculative execution side-channel vulnerabilities
Windows Client guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
Windows Server guidance to protect against speculative execution side-channel vulnerabilities
SQL Server Guidance to protect against speculative execution side-channel vulnerabilities
Important information regarding the Windows security updates released on January 3, 2018 and anti-virus software
||Mozilla Foundation Security Advisory 2018-01: Speculative execution side-channel attack (“Spectre”)
||NTAP-20180104-0001: Processor Speculated Execution Vulnerabilities in NetApp Products
||Security Notice ID 4609: Speculative Side Channels
Security Bulletin 4611: NVIDIA GPU Display Driver Security Updates for Speculative Side Channels
Security Bulletin 4613: NVIDIA Shield TV Security Updates for Speculative Side Channels
|Raspberry Pi Foundation
||Why Raspberry Pi isn’t vulnerable to Spectre or Meltdown
||Kernel Side-Channel Attacks – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
||SUSE Linux security updates CVE-2017-5715
SUSE Linux security updates CVE-2017-5753
SUSE Linux security updates CVE-2017-5754
||Synology-SA-18:01 Meltdown and Spectre Attacks
||Ubuntu Updates for the Meltdown / Spectre Vulnerabilities
||NEW VMSA VMSA-2018-0002 VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution
||Advisory XSA-254: Information leak via side effects of speculative execution
3 replies on “Meltdown & Spectre Vulnerabilities”
The US CHIPoCALYPSE!
Spectre and Meltdown have a huge impact on whole security stucture of enterprises, governments, internet infrastructure security. The problem is much worse than you might think!!!
Since everything is built-up upon a “cryptographic key hierarchy”, beginning with internet routers, switches, firewalls, to AD/LDAP servers, … these keys now are all probably lost and must be revoked.
To illustrate that, let’s have a short look e.g. at UEFI, secure boot process and “chain of trust”, introduced by “WINTEL alliance”:
The ‘security key chain’ goes: Endorsement key (generated by onboard TPM chip) – Attestation Identity Key (AIK) – Microsoft UEFI key – MS signing Attestation Identity Key – Enterprise key – (MS again signing) Enterprise key – Storage Root Key – (MS again signing) Bitlocker Key – …
Multiple boot processes are required in Windows 10 (e.g. after updates) to ensure, that Microsoft UEFI certificates “signed” (are enclosed in) all your own certificates to create the U.S. government backdoor, deeply hidden in your hardware and across all hierarchies. Now you know, why you have to reboot so often during install and Windows 10 updates!!
Finally, these ‘certificate chains’ (X.509v3) are written back into UEFI tables and into a special internal Intel XEON CPU buffer to be used by new AES-NI hardware encryption for all kinds of encryption: Storage, Routers, VPN, SSL, HTTPS …
Note: Since these MS / U.S. government keys are deeply sticking in Intel XEON processor hardware, it doesn’t play a role, what other OS you install or boot afterwards: Debian/UBUNTU Linux, OpenBSD, … If your software uses Intel AES-NI hardware encryption, all encrypted packets ingoing, outgoing – then automatically contain that U.S. government backdoor!
All these keys now are lost and must be revoked, as happened e.g. with JMicron and Realtek network drivers in Iran Stuxnet affair. All keys in your UEFI machines, in all your switches, routers, that are using X.509v3 “certificates”, will have to be revoked, renewed as well, as defined in https://www.ietf.org/rfc/rfc3280.txt
It’s important to know, that not only the US NSA backdoor keys have gone lost. So, if you use UEFI “secure boot”, you are not only completely under U.S. control, but also unter control by all kinds of hackers, who now have installed their own backdoor certificates everywhere in your enterprise network, after the first US (NSA) government master keys were revealed by reading from privileged memory with spectre, meltdown.
But RSA, X.509v3, even has more weaknesses: E.g. when you enclose some other person’s public key in your key and that person then signs back your key. In that case, you can reconstruct the other person’s private key and read all his/her encrypted messages. That attack is called ‘blind signing’: https://en.wikipedia.org/wiki/Blind_signature#Dangers_of_blind_signing
That happened a few days ago, where somebody from the german lawyer association mixed up public and private key. https://www.feistyduck.com/bulletproof-tls-newsletter/issue_36_private_keys_in_software
More about RSA security weaknesses: http://eprint.iacr.org/2001/002.pdf
In fact, a PKI infrastructure only is safe, when you can ensure, that this ‘blind signing attack’ can’t happen. You need sources. In Windows and Red Hat Linux sources aren’t included. You can’t build Red Hat binaries from .src.rpm. https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System_Common_Criteria_Certification/8.1/html-single/Deploy_and_Install_Guide/index.html
Red Hat Linux is expensive; you pay for the US government spying on you!
Interesting: That is dating back to a CIA policy paper from 1996, long before 9/11: https://web.archive.org/web/20121015182952/http://www.foia.cia.gov/docs/DOC_0000239468/DOC_0000239468.pdf
P.S.: Raspberry Pi is not affected, neither by meltdown nor spectre. Perhaps you put very important data on that machine. 😉
More interesting: New, upcoming RISC V processors (free of license fees) are built upon Harvard Architecture. Data and programs reside in different RAM chips, that even makes buffer/heap overflows impossible. Much safer, compared to von Neuman architecture. And cheaper! ;-)
That’s one heck of a reply … thanks
Do you mind if I re-hash this a post?