On January 3rd, 2018, news was publicly disclosed about a pair of security vulnerabilities named “Meltdown” and “Spectre”. They are both related to hardware vulnerabilities in modern processors.

The vulnerability allows a malicious program to access data in memory used by another program via a side-channel attack. It can potentially allow attackers to gain admin access and retrieve data from affected systems. The expected design of processors is to isolate applications and the operating system so side-channel attacks would be impossible.

What is my risk?

An attacker can exploit these CPU vulnerabilities to expose sensitive data in the protected kernel memory, including passwords, cryptographic keys, emails, confidential documents or any other data on your PC. Meltdown and Spectre affect personal computers, mobile devices, and in the cloud. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information.

The vulnerabilities are not remotely exploitable, but they can be exploited from an unprivileged local user. This could potentially leave an untraceable backdoor in the processor itself. Consider that 90% of breaches start with a successful phishing attack. These phishing attacks can lead to exploiting a vulnerable workstation.

Organizations that do not have patch management and vulnerability management in place are at high risk of security incidents, breaches and other expensive headaches. The cost to remediate and recover from a security incident or breach often far outweighs the cost of setting up and maintaining mature patch and vulnerability management programs.

Make a Plan

Due to the widespread nature of the vulnerability, some planning and communication is in order to reduce your organization’s risk as soon as possible.

1. Understand the scope of affected systems within your organization (operating systems, hypervisors, network devices, mobile devices, etc.).
2. Use tools like a vulnerability scanner and PowerShell to create an exact list of affected systems.
3. Develop a remediation plan, including prioritizing the most critical assets.
4. Identifying IT resources that will need to be allocated to assist in the remediation activities.
5. Develop a communications plan for your organization, employees, and customers.

Take Action

1. Update AV software first. The Microsoft patches are offered to devices running compatible antivirus software. See Antivirus Vendor Status. Some anti-virus vendors will need to update their software to work correctly with the new patches, as the changes are related to Kernel-level access. Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities unless their antivirus software vendor sets a registry key. This key can be checked for compatibility before patching.
2. Apply operating system patches for each related vendor in your environment. Microsoft OS patches are included in the January 2018 Windows security updates (released on January 3, 2018). See Microsoft Security Advisory ADV180002.
3. Apply the applicable firmware or BIOS update that is provided by device manufacturers, if available.

There is no patch available for Windows Server 2008 and Windows Server 2012 (non R2) as of 1/17/18. In Microsoft’s FAQ, the state these OSes require extensive architectural changes and are working with chip manufacturers.

What about my cloud servers?

Microsoft took action on January 3rd to patch its infrastructure which required a reboot of all of its customers’ virtual machines. This Azure infrastructure update addresses the disclosed vulnerability at the hypervisor level and does not require an update to customer’s Windows or Linux VM images (other than the reboot).

Look out for possible slowdown

Beware that Intel processors that are based on Skylake (launched in August 2015) or newer architecture won’t see a significant performance degradation. However, older processors could slow down more significantly due to the firmware and software updates. In the worst case, the software fix causes slowdowns in typical workloads of about 20%. Intel says any slow-downs will be “workload-dependent,” but the company has not expanded on how this will affect older machines. Beware of this for any CPU-intense workloads or processes that are critical and time-sensitive to your organization.

Resources

• Speculation Control Validation PowerShell Script – Use this PowerShell module locally to confirm whether a system has enabled the protections needed to protect against the speculation control vulnerability.
• Verifying Spectre / Meltdown protections remotely – Using the above PS module as a base, gather a list of machines and run this code. This requires the new SpeculationControl PowerShell module be installed only on the system from which the code is executed.

CVEs – MITRE (working with the U.S. Dept. of Homeland Security) assigned the following CVE IDs (unique vulnerability IDs) to this issue. They are each ranked with a CVSS Severity of “Medium” due to requiring local access and high attack complexity.

• CVE-2017-5753 - Bounds check bypass
• CVE-2017-5715 - Branch target injection
• CVE-2017-5754 - Rogue data cache load

Next Steps

BDO Digital's customers rely on our security practice and managed services to help protect their organizations from Meltdown, Spectre and the thousands of known vulnerabilities publicly disclosed each year. BDO Digital has developed a streamlined vulnerability management approach which maximizes value for our customers. We are focused on maximizing our customer’s risk reduction per dollar spent.