Meltdown and Spectre

vPierre | Cloud Computing, Cloud Computing Provider, DevOps, DevSecOps, Infrastructure, Linux, Scripts, Security, Windows

Meltdown and Spectre are hardware design vulnerabilities in all modern CPUs based on speculative execution. Background information:

The bug is in the hardware, but mitigations in operating systems are possible and are getting shipped now. I’m collecting notes on the patch status in various software products. This will change rapidly and may contain errors. If you have better info please send pull requests.

PoCs

  • In a recent tweet, Moritz Lipp (Graz University of Technology) has announced the release of their PoC implementations for Meltdown.

Linux upstream kernel

Kernel Page Table Isolation is a mitigation in the Linux Kernel, originally named KAISER.

minipli patches

minipli is an unofficial fork of the former grsecurity patches (original grsecurity is no longer publicly available). minipli is based on the longterm kernel 4.9, which supports KPTI since 4.9.75, but the patchset has not been ported to it yet.

Android

Windows

Update – Tue 9 Jan 09:00 UTC

Microsoft has reports of some customers with AMD devices getting into an unbootable state after installing this KB. To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors (older CPUs, e.g. Athlon and Sempron) at this time. Microsoft is working with AMD to resolve this issue and resume Windows OS security updates to the affected AMD devices via Windows Update and WSUS as soon as possible. If you have experienced an unbootable state, or for more information, see KB4073707. For AMD-specific information please contact AMD.

Apple

Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown.

Update Mon 8 Jan 18:00 UTC

Apple has released security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

Update – Sun 7 Jan 2018, 9:00 UTC

Based on Apple's response posted here, Meltdown (CVE-2017-5754) is currently only addressed in iOS 11.2, macOS 10.13.2, and tvOS 11.2. Apple cannot say at this time whether there will be updates for OS versions prior to the ones listed in their article. The same applies to Spectre (CVE-2017-5753 and CVE-2017-5715) and any updates for Safari. This means that, at this time, there are NO patches for 10.11.x (El Capitan) or 10.12.x (Sierra).

Linux distributions

FreeBSD

Virtualization

Browsers

Update Mon 8 Jan 2018, 13:00 UTC

Tencent's Xuanwu Lab has released a web-based tool that can detect whether your browser is vulnerable to the Spectre attack and can be easily exploited. Official tweet: https://twitter.com/XuanwuLab/status/950345917013504001

Cloud Providers

Chip Manufacturers / HW Vendors

CERTs

CPU microcode

Latest Intel microcode update is 20171117. It is unclear whether microcode updates are needed and which version contains them. The microcode update does not contain any changelog.
If it will become necessary to update Intel (or AMD) microcode under Windows, before the release of official OS-level patches, this VMware Labs fling – though formally experimental – can serve the purpose, at least temporarily.

Update – Thu 4 Jan 2018, 15:30 UTC

It seems that Intel's new microcode archive (2017-12-15), provided with Red Hat's latest microcode_ctl update, includes three new files: 06-3f-02, 06-4f-01, 06-55-04.

Based on what we know:

  1. it adds one new CPUID bit and two MSRs for the variant of Spectre that uses indirect branches
  2. it forces LFENCE to wait for the completion of all previous instructions, which has the desired effect for the variant of Spectre that uses conditional branches (out-of-bounds bypass)

Those IDs belong to the following processor microarchitectures: Haswell, Broadwell, Skylake (official reference)
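As an added example (not code from the original post or from any project it cites), the following Python script maps a CPU's family/model/stepping from /proc/cpuinfo to the file name format used above, checks it against the three updated files, and reports which mitigation flags the kernel exposes. The flag names pti, spec_ctrl and ibpb are an assumption about the kernel version in use, and the sample /proc/cpuinfo text is constructed.

```python
# Microcode files the 4 Jan 2018 note found in Red Hat's microcode_ctl update,
# named family-model-stepping in two-digit hex (Haswell, Broadwell, Skylake).
UPDATED_MICROCODE_FILES = {"06-3f-02", "06-4f-01", "06-55-04"}

# /proc/cpuinfo flags a mitigated kernel exposes (assumption: 4.14.11/4.15-era
# kernels; older patched kernels may print none of these).
MITIGATION_FLAGS = {
    "pti": "KPTI (Meltdown)",
    "spec_ctrl": "IA32_SPEC_CTRL MSR (Spectre v2)",
    "ibpb": "IA32_PRED_CMD MSR (Spectre v2)",
}

def microcode_file_name(family: int, model: int, stepping: int) -> str:
    """Render family/model/stepping the way Intel names microcode files, e.g. 06-3f-02."""
    return f"{family:02x}-{model:02x}-{stepping:02x}"

def parse_cpuinfo(text: str) -> dict:
    """Key/value pairs of the first 'processor' block in /proc/cpuinfo text."""
    info = {}
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the first processor's block
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info

def assess(text: str) -> dict:
    """Microcode identity plus which kernel-visible mitigations are present."""
    info = parse_cpuinfo(text)
    flags = set(info.get("flags", "").split())
    name = microcode_file_name(int(info["cpu family"]), int(info["model"]), int(info["stepping"]))
    return {
        "microcode_file": name,
        "in_updated_set": name in UPDATED_MICROCODE_FILES,
        "microcode_revision": info.get("microcode", "unknown"),
        "mitigations": {desc: flag in flags for flag, desc in MITIGATION_FLAGS.items()},
    }

# Constructed sample: Haswell-EP (family 6, model 63, stepping 2) on a KPTI kernel
# whose microcode has not been updated, so no spec_ctrl/ibpb flag shows up.
SAMPLE_CPUINFO = """\
cpu family\t: 6
model\t\t: 63
stepping\t: 2
microcode\t: 0x3b
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pti
"""

if __name__ == "__main__":  # run against the live system
    with open("/proc/cpuinfo") as f:
        print(assess(f.read()))
```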

Update – Thu 4 Jan 2018, 16:30 UTC

Regarding AMD's microcode update: it seems to be only for EPYC (maybe Ryzen, not sure!) and it only adds one of the two MSRs (IA32_PRED_CMD). It uses a different CPUID bit than Intel's. It is also for Spectre with indirect branches. Previous microprocessors resolved it with a chicken bit. Note that the same solution implemented at kernel level works for both Intel and AMD.

Update – Fri 5 Jan 2018, 03:35 UTC

Debian Project package maintainers released an updated version of the "intel-microcode" package (version 2017-12-15) for the Sid (unstable) branch only. Upon inspection, it seems to contain the same microcode additions observed in the Red Hat microcode_ctl update of Thu 4 Jan 2018, 15:30 UTC. The package is compatible with all Debian-based distributions that support post-boot microcode updates.

Antiviruses

Some antivirus products do things that break when the Windows patches are installed, so Microsoft does not automatically install the patches on those systems.

Antivirus Vendor overview

RDBMS

NOSQL

Embedded Devices

Compilers

Measuring the performance impact of Meltdown/Spectre

Measuring the performance impact of Meltdown/Spectre with Prometheus

https://www.epicgames.com/fortnite/forums/news/announcements/132642-epic-services-stability-update

https://www.theverge.com/2018/1/9/16868290/microsoft-meltdown-spectre-firmware-updates-pc-slowdown

Windows Vulnerability CPU Meltdown Patch Benchmarked – Introduction

Red Hat Speculative Execution Exploit Performance Impacts – Describing the performance impacts to security patches for CVE-2017-5754 CVE-2017-5753 and CVE-2017-5715

Questions & Answers

Am I affected by the vulnerability?

Most certainly, yes.

Can I detect if someone has exploited Meltdown or Spectre against me?

Probably not. The exploitation does not leave any traces in traditional log files.

Can my antivirus detect or block this attack?

While possible in theory, this is unlikely in practice. Unlike usual malware, Meltdown and Spectre are hard to distinguish from regular benign applications. However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known.

What can be leaked?

If your system is affected, our proof-of-concept exploit can read the memory content of your computer. This may include passwords and sensitive data stored on the system.

Has Meltdown or Spectre been abused in the wild?

We don’t know.

Is there a workaround/fix?

There are patches against Meltdown for Linux (KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre (LLVM patch, ARM speculation barrier header).

Which systems are affected by Meltdown?

Desktop, Laptop, and Cloud computers may be affected by Meltdown. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). We successfully tested Meltdown on Intel processor generations released as early as 2011. Currently, we have only verified Meltdown on Intel processors. At the moment, it is unclear whether AMD processors are also affected by Meltdown. According to ARM, some of their processors are also affected.

Which systems are affected by Spectre?

Almost every system is affected by Spectre: Desktops, Laptops, Cloud Servers, as well as Smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable. In particular, we have verified Spectre on Intel, AMD, and ARM processors.

Which cloud providers are affected by Meltdown?

Cloud providers which use Intel CPUs and Xen PV as virtualization without having patches applied. Furthermore, cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.

What is the difference between Meltdown and Spectre?

Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location. For a more technical discussion we refer to the papers (Meltdown and Spectre).

Why is it called Meltdown?

The vulnerability basically melts security boundaries which are normally enforced by the hardware.

Why is it called Spectre?

The name is based on the root cause, speculative execution. As it is not easy to fix, it will haunt us for quite some time.

Is there more technical information about Meltdown and Spectre?

Yes, there is an academic paper and a blog post about Meltdown, and an academic paper about Spectre. Furthermore, there is a Google Project Zero blog entry about both attacks.

What are CVE-2017-5753 and CVE-2017-5715?

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

What is the CVE-2017-5754?

CVE-2017-5754 is the official reference to Meltdown. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

Can I see Meltdown in action?

Both the Meltdown and Spectre logo are free to use, rights waived via CC0. Logos are designed by Natascha Eibl.

Is there a proof-of-concept code?

Yes, there is a GitHub repository containing test code for Meltdown.

Source: spectreattack.com

Links in the press

This post does a great job of explaining the details about what is needed.

Analysis of the processor flaw: Meltdown and Spectre are a security worst case

Detecting Spectre And Meltdown Using Hardware Performance Counters

https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)

https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)

Meltdown & Spectre: details and benchmarks on the security flaws in CPUs
