Meltdown and Spectre a big deal for enterprises
Although consumers are relatively unaffected by the recently disclosed security vulnerabilities in most modern processors, enterprises need to take the threat seriously. Computer Weekly looks at how enterprise IT and security professionals should be approaching these threats
Now the microprocessor exploits dubbed Meltdown and Spectre have been made public, security experts believe malicious actors will be quick to incorporate them into their cyber attack arsenals, and are advising there is no time for enterprises to delay taking action.
According to researchers at security firm McAfee, these exploits are uniquely attractive to malicious groups or persons because the attack surface is nearly unprecedented, the attack vector is relatively new, and the impacts – privilege escalation and leaks of highly sensitive memory – are detrimental.
The most likely way enterprises could be affected is in the exploits making it easier than ever for attackers to acquire domain administrator or other high-value credentials. The exploits may also allow an attacker to build a map of kernel memory layout, which could then be used in another attack.
Meltdown is an Intel processor-specific vulnerability that allows user processes to infer the contents of kernel memory by creating cache loads in locations based on the illegally referenced contents of the kernel memory, thereby leaking the contents.
Spectre, however, is not manufacturer-specific, and nearly all modern processors have the flaw. It uses conditional logic to train the system to incorrectly anticipate application behaviour. This tricks the system into breaking process isolation, temporarily executing instructions that create observable effects, constituting a covert channel.
According to Jeff Pollard, principal analyst at Forrester, the chip vulnerabilities highlight the complexity of the attack surface that enterprise security and risk professionals are charged with defending.
“Enterprise security teams will need to prioritise the testing and deployment of the patch, or risk leaving an opening for attackers to exploit. This is why we stress zero trust as a fundamental concept in cyber security. Your hardware is not secure, your software is not secure, and your security products are not secure,” he says.
What enterprises need to know about Meltdown
The good news is Meltdown is fixable with software updates. The Information Commissioner’s Office is among the leading voices advising enterprises in all sectors to apply as soon as possible the security updates for operating system software to mitigate against the Meltdown exploit.
Intel received assistance from operating system contributors to Linux, along with Microsoft and Apple developing operating system-level fixes for Meltdown for Linux, Windows and Mac OS.
Due to the nature of any patch or update, the McAfee Advanced Threat Research (ATR) team suggests that enterprises first apply manual updates on non-critical systems, to ensure compatibility with software that involves the potential use of low-level operating system features.
The most immediate threat to enterprises, according to Jarno Niemelä, principal researcher at F-Secure Labs, is the memory access provided by Meltdown, which affects every Intel processor made since 1995 that implements out-of-order execution, with the exception of Itanium and Atom.
Circumventing privilege escalation
Before Meltdown, Niemelä said an attacker needed to get system-level access to use credential-stealing tools such as Mimikatz. “But now, with Meltdown, such operations can be done without privilege escalation, which helps attackers significantly. Previously, an attacker was dependent on there being a local vulnerability that allowed privilege escalation,” he told Computer Weekly.
Meltdown also makes some other attacks more dangerous, such as Rowhammer, which is based on flipping bits in memory by carrying out a specific sequence of memory operations and has typically been used in privilege escalation exploits.
Before Meltdown, said Niemelä, the effectiveness of Rowhammer was limited by the attacker being unable to see where the critical bits were in kernel memory, but now, as long as systems are not patched, an attacker can see what needs to be manipulated.
Another concern relating to enterprise security is that Meltdown potentially makes it possible for attackers to exploit vulnerabilities that were previously mitigated by kernel address space layout randomisation (ASLR).
Forrester Research recommends enterprises also:
- Patch hypervisors such as VMware ESXi.
- Expect firmware to be released by manufacturers to address underlying CPU microcode.
- Patch cloud workloads if they are running infrastructure as a service (IaaS).
- Discover the patch-level status of technology partners.
- Ensure bare metal servers cannot execute arbitrary code.
- Take advantage of monitoring tools.
- Scan the environment on a weekly basis to ensure the right level of situational awareness.
While cloud suppliers have already taken steps to patch underlying infrastructure, Forrester said enterprises must patch all virtual machines (VMs) and containers, too. But platform-as-a-service (PaaS) and software-as-a-service (SaaS) systems should not require any customer intervention.
PaaS and SaaS providers should install the patches for customers, but the UK’s National Cyber Security Centre (NCSC) advised that if in any doubt, enterprises should check their service providers are aware of the issue and installing fixes.
Because Meltdown violates the boundaries developers and security professionals relied on for years to keep data secure, Forrester warned that without patching systems, all the data an organisation views, processes or transfers is at risk.
Third parties that take too long to update systems will put enterprise and customer information at risk, warned Forrester, urging enterprises to cooperate and collaborate to make sure partners take this threat seriously.
Enterprises that do not exercise basic hygiene by limiting access to administrators are already exposing themselves to unnecessary risk, said Forrester, warning that the likely vector for attack against a bare metal server was through exploitation of a vulnerability in an external service. “Now is the time to be extra diligent in remediating other software vulnerabilities,” said Forrester.
Microsoft has released PowerShell scripts, and Linux includes commands to determine whether a processor is vulnerable to Meltdown. Until these techniques are incorporated into vulnerability management and infrastructure-monitoring tools, Forrester said using the available scripts and commands might be the only way to determine initial exposures and remaining exposures after patching.
What enterprises need to know about Spectre
Spectre cannot be fixed with software updates, which means it is a far bigger problem for the enterprise, according to Forrester.
Spectre can be mitigated only with microcode updates, but fixing Spectre permanently requires replacing the affected processors. However, the bad news is there is currently no hardware available without the flaw to replace affected processors with.
Given that new processors and architectures can take five to 10 years to hit the market, Forrester said sacrificing performance for the microcode fixes was the best option.
However, given the complexity of distributing those fixes by device manufacturers, the analyst said enterprises should plan to use other techniques to protect data from users and companies that have not applied the fixes.
In addition to applying fixes to microcode, enterprises should:
- Recompile applications built in-house using Retpoline instructions introduced by Google to isolate indirect branches from speculative execution.
- Plan to staff additional support resources during releases because there may be a spike in demand due to application performance issues or other problems related to the microcode patches.
- Prioritise application software updates related to Spectre as they are released.
Prioritise cloud security
The steps that cloud providers are taking to counter Meltdown and Spectre largely involve updating the underlying technology stacks their services run on. However, Forrester noted that infrastructure and operations teams would need to update all virtual machines and containers that run on top of them.
When it comes to on-premise workloads, Forrester warned that enterprises would be responsible for their entire stack, including operating systems, underlying hypervisors and firmware. Enterprises may also need to update management interfaces that have their own CPUs, resulting in higher-than-normal workloads for sysadmins, reliability managers and cloud engineers.
In mitigating against potential Meltdown and Spectre attacks, enterprises are advised to prioritise securing their cloud deployments.
Forrester recommends CIOs should:
- Draw up a plan for communicating information about the chip vulnerabilities and the enterprise’s strategy for remediating them.
- Work with the chief risk officer (CRO) to express impact in business terms for execs and the board.
- Celebrate the infrastructure and operations (I&O) team, which has a busy time ahead.
Both exploits lower the requirements for unauthorised parties to access and exfiltrate data from machines. For example, attackers no longer need code execution on a specific device or operating system instance because side channels for data leakage exist if an attacker is present on a system with an unpatched processor.
Enterprises must, therefore, expect that any information on their systems is being read by someone else as long as they remain unpatched.
To target a firm specifically, attackers must find a way to force the cloud infrastructure provider to place them on the same bare metal server where your systems reside. According to Forrester, this is difficult to achieve, and the most likely scenario is criminals will begin mining the systems of their cloud “neighbours” for monetisable information.
Apart from cloud environments, systems likely to be at highest risk are:
- Endpoints that cannot be guaranteed not to run untrusted code.
- Old systems running OS versions that cannot or will not be patched.
- Any system outside the firewall.
Prepare to take a hit on performance
The nature of the software updates to fix Meltdown and mitigate Spectre means the performance of enterprise computer systems will suffer.
Multi-tenant systems and applications that rely heavily on kernel-level system calls, such as databases, will be most affected, but according to Forrester, enterprises are less likely to see an impact on desktops, laptops, tablets and mobile phones running user-focused applications such as web browsers, messaging apps and word processing software.
Initial projections were that enterprises could see performance losses of up to 30%, but so far that does not seem to be the case. Chip makers and software suppliers have indicated that while the patches will add some degree of overhead to operating systems and virtualisation software, depending on the type of workload, they will not cause widespread performance problems.
These claims appear to be true in most cases, according to GeekWire, which cited John Graham-Cumming, who oversees a huge network of servers as chief technology officer at Cloudflare, as saying the various patches for Meltdown and Spectre appeared to have had a “negligible” impact on the Cloudflare infrastructure.
However, GeekWire said patches for Meltdown and Spectre were affecting applications that need to request data from the operating system kernel on a regular basis, while some mitigations for Spectre appear to be hitting performance for applications that tap into hardware virtual machines.
Most of the performance impacts come from transitions between user and kernel memory space, which means enterprises could batch operations that require such transitions and minimise their number, said F-Secure’s Jarno Niemelä.
“So once developers are familiar with the new normal, they will be able to optimise their code to minimise the impact. Also, next versions of compilers will most likely contain optimisations to help in avoiding the impacts,” he added.
Gartner’s Nik Simpson says the potential performance impact is most likely to affect:
- Applications that are input/output or network intensive, as this sort of workload will involve constant interaction with the kernel of the operating system.
- Hosts that are running unsupported operating systems that the supplier does not plan to patch.
- Systems that run close to maximum capacity.
“Both of these options will increase overall costs. However, it’s important to stress that the performance impact will be negligible for most applications, so there’s no need to panic at this point, but it is something that will need watching,” he said.
If software suppliers do not patch older versions of operating systems that are still in use, Nik Simpson, managing vice-president, architecture, at Gartner, warned this could cause problems for enterprises. “Because of this issue, organisations may be forced to update to phones and PCs running a supported version of the OS, and that may introduce application compatibility problems,” he said.
Close web browsers
In addition to operating system patches, Niemelä recommended that enterprises harden the external attack surface, which is rather problematic, as especially Spectre attacks can also be run from Javascript executed by web browser.
How to mitigate performance problems
- Increase the CPU resources assigned to virtual machines.
- Buy hardware that is more powerful.
Because attackers could potentially steal passwords from user process memory when running as Javascript from a web page, Niemelä said it might be a good idea to train users to always close web browsers when not in use. “I have to admit that even a security-conscious person like me is very often at fault on leaving 20 or so pages in the background for later reading,” he said.
However, Apple has released updates for Mac OS and iOS to block Spectre exploits via the Safari browser, and Google has provided an experimental patch for Chrome. Enterprises should apply browser updates and patches as soon as they are available, said Niemelä.
“For high-value targets it might be worth considering using JavaScript blocking and limiting what scripts are allowed to run in a browser, but this tends to break the usability of modern websites,” he said.
Niemelä also recommended implementing multifactor authentication (MFA), so that even if an attacker was able to steal passwords, they would be useless without MFA access.
“We have to assume that even with OS patches, there may be residual risk of Meltdown and Spectre working on some conditions, but that can be mitigated by using high-quality endpoint protection solutions because, with the exception of JavaScript, both exploits need code running in a target system,” he said.
As a bare minimum, Simpson said enterprise IT teams should make plans to patch hypervisors and operating systems, and potentially update browsers.
“This may require internal testing before deployment to ensure there are no application compatibility problems and determine the extent of any performance impact. Also set aside maintenance time for affected systems, as patching the OS and hypervisor may require downtime,” he advised.
Read more about Spectre and Meltdown
- Intel to set up new group to focus on hardware security.
- Apple has confirmed that all iPhones, iPads and Mac computers are affected by the Meltdown and Spectre microprocessor exploits.
- Meltdown and Spectre need to be addressed by applying updates and replacing the affected CPU hardware.
- AMD shares rise on news that the performance of millions of Windows PCs, Linux servers and Apple Macs is to be affected by critical updates for security flaw in Intel chips.
High profile, low risk
In summary, Meltdown and Spectre are significant vulnerabilities with a widespread impact, but the overall risk is low because exploitation of the vulnerabilities requires local admin access to the system, said Javvad Malik, security advocate at AlienVault.
“If someone has already compromised your system to that level, there are probably bigger problems to worry about. Google, AWS [Amazon Web Services] and Azure are already fully patched, so users should be protected. For on-premise computers and servers, the advice is to keep all systems fully patched and up to date.
“It’s a major finding, but there have been no known instances seen in the wild, and there is little users can do beyond updating and patching all their systems,” he told Computer Weekly.
Despite concerns about the potential impact of Meltdown and Spectre, McAfee has put a positive spin on the discovery of the exploits. “This was another major security flaw discovered and communicated by the information security community, as opposed to the discovery or leak of ‘in the wild’ attacks.
“Will this disclosure have negative aspects? Most likely, yes, but the overall effect is more global attention to software and hardware security – and a head start for the good guys on developing more robust systems and architectures for secure computing,” the company’s threat research team said in a blog post.