Last updated at Mon, 05 Feb 2018 16:46:26 GMT

After waking up from a long winter’s nap, you may have heard the lamentations about the “Intel Kernel Leak” vulnerability, or the “Kernel Speculative Execution” vulnerability, or, now, the “Meltdown and Spectre” vulnerabilities. This is a quick post to let you know just how freaked out, or not, you should be.

What’s the problem?

On January 3rd, 2018, details started leaking about a vulnerability that affects pretty much all modern Intel processors (which turns out to be nearly all modern processors, not just Intel: Spectre hits Intel, AMD, and ARM designs, while Meltdown is mostly an Intel problem), having to do with how processors manage code execution internally. These days, CPUs don’t execute instructions strictly in the order the program presents them. Instead, the CPU makes an educated guess about what’s likely to happen next (for example, which way a branch will go) and starts executing down that path before it knows for sure. If the guess was right, the work is already done and the CPU keeps the results; if it was wrong, the results are thrown away and the CPU starts over on the correct path. It’s called “Speculative Execution,” and it’s a clever time saver that translates to faster, more efficient processing. The catch is that a discarded guess can still leave traces behind, most usefully in the CPU cache, and those traces can be measured from ordinary code.

Turns out, there are some security problems with this processing trick, and those problems are collectively known as the “Meltdown attack” and the “Spectre attack.” In the Meltdown scenario, an ordinary unprivileged program can read memory belonging to the operating system’s kernel (the core of the OS that manages memory, processes, and hardware on behalf of everything else), and since the kernel commonly keeps all of physical memory mapped, that means reading private data belonging to other programs as well. In the Spectre scenario, a victim program is tricked into speculatively executing code that leaks its own private data through a cache side channel, so an attacker can read secrets out of a process, a browser tab, or a hypervisor that it has no legitimate access to. What this boils down to is, if there are two programs running on the same physical computer, one can spy on the other’s memory regardless of the software security boundaries between them, and the victim’s code doesn’t need to be buggy in the traditional sense.

For a ton more detail on these issues, you should head on over to meltdownattack.com and follow the links there for the relevant published papers.

What’s affected?

The most obvious affected platform is any cloud-based or shared hosting provider. These are physical computers that many programs and operating systems share. Obviously, you don’t want to be leaking your secret, private keys to your hosted neighbor, so this is a Big Deal for them.

But, this affects pretty much every platform around—traditional servers, PCs, mobile devices, and IoT. So, if an attacker can get some malware running on the same computer as your passwords, keys, and tokens, they have the opportunity to read those secrets.

Now, that all said, these issues are not trivial to weaponize, and the requirement for local code execution limits their offensive use. “Local access” usually means the attacker already has an account and the ability to install and run code on the target computer, but it’s important to note that this condition can be met by, say, malicious JavaScript running in your browser, which is why browser vendors shipped their own mitigations (such as coarser timers) alongside the OS patches. And since this is purely a memory read, attackers don’t get a straight shot at privilege escalation or code execution; what they get is whatever happens to be in memory, and there’s some luck involved in that being useful. Keep in mind, though, that passwords, session tokens, and private keys do sit in memory, and leaked kernel addresses can defeat ASLR and make a second, conventional exploit easier, so “read only” is not the same as “harmless.”

What do I need to do?

The good news is, these vulnerabilities went through some pretty serious coordinated disclosure, so all the major hardware, software, and cloud service vendors are already on the job. By the time you read this, your cloud provider has probably already fixed your environment. In some cases, you may need to apply a patch and reboot, but if that’s the case, you’ll get a notification from your provider.

For the rest of the affected platforms, fixes are coming the usual way: operating system updates (which carry the Meltdown fix and the compiler-level Spectre mitigations) and firmware or microcode updates from your hardware vendor (needed for the branch-target-injection variant of Spectre, CVE-2017-5715). Again, pop over to meltdownattack.com and check the updated list of operating system and hosting providers and their status for patches.

Is Rapid7 affected?

The Rapid7 Insight platform, among others, is a cloud-hosted platform, so we’re affected just like everyone else. While our IaaS provider has applied mitigations, we’re awaiting final vendor patches to be released on or before January 9th (the original target date for patches) so we can fully remediate these vulnerabilities.

As for installed, on-prem devices and software, the usual patch-and-reboot dance is required to fix things at the operating system level—again, that’s likely to be around January 9th.

What can Rapid7 do to help?

We're actively working toward Metasploit and Meterpreter capabilities for testing these memory read conditions, and we expect to have authenticated InsightVM/Nexpose checks shipping in short order as well. We’ll keep this blog post updated with the latest there.

As far as scanning with Project Sonar or other unauthenticated remote assessment tools, it looks like we’re pretty much out of luck there—this is not the kind of issue you can just opportunistically and remotely scan for. Even if we could accurately pinpoint specific kernel versions through network inference (which is sometimes possible, but rarely reliable), we would not be able to tell whether the fix for these issues is actually in effect on the host; that takes an authenticated, on-box check.
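What an authenticated, host-local check can see that a network scan cannot, as an added example (this is not the InsightVM/Nexpose check Rapid7 ships): on Linux, kernels patched for these issues report their own mitigation state under /sys/devices/system/cpu/vulnerabilities/, one file per issue, and the script below reads those three files and turns them into a pass/fail verdict. The sysfs path, the file names and the CVE numbers are the kernel’s; everything else (the verdict words, the RUN_CHECK and VULN_DIR knobs, the script name) is this example’s own.

```shell
#!/bin/sh
# Added example, not Rapid7's InsightVM/Nexpose check: an authenticated,
# host-local read of the Linux kernel's own mitigation report. Assumes a
# kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (mainline
# 4.15+ and the distro backports shipped for these CVEs); older kernels
# have no such files, which this script reports as "unknown" rather than
# guessing. The file and CVE names are the kernel's; the verdict words and
# the RUN_CHECK/VULN_DIR variables are this script's own invention.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT
# Map one sysfs line to a verdict: not_affected | mitigated | vulnerable | unknown.
# The kernel's strings start with "Not affected", "Mitigation: ..." or
# "Vulnerable" (sometimes "Vulnerable: <partial measure>", which still means
# the kernel considers the CPU exposed).
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_host DIR
# Read the three per-CVE files from DIR, print one tab-separated line per
# CVE (cve, sysfs name, verdict, raw kernel text) and return 0 only when
# every issue is mitigated or not applicable to this CPU.
check_host() {
    dir="$1"
    rc=0
    for entry in "CVE-2017-5754 meltdown" \
                 "CVE-2017-5753 spectre_v1" \
                 "CVE-2017-5715 spectre_v2"; do
        cve="${entry%% *}"
        name="${entry##* }"
        file="$dir/$name"
        if [ -r "$file" ]; then
            raw="$(cat "$file")"
        else
            raw="(no $name entry: kernel predates the sysfs report)"
        fi
        verdict="$(classify_status "$raw")"
        printf '%s\t%s\t%s\t%s\n' "$cve" "$name" "$verdict" "$raw"
        case "$verdict" in
            vulnerable|unknown) rc=1 ;;
        esac
    done
    return "$rc"
}

# Run the check when given a directory or when RUN_CHECK=1, e.g.
#   RUN_CHECK=1 sh mitigation_check.sh        # the real sysfs path
#   sh mitigation_check.sh /path/to/copied/dir
# Otherwise the functions can be sourced by other scripts.
if [ "$#" -gt 0 ] || [ "${RUN_CHECK:-0}" = 1 ]; then
    check_host "${1:-$VULN_DIR}"
fi
```

The sysfs files are world-readable, so no root is needed. Strings of the form “Vulnerable: Minimal generic ASM retpoline” mean a partial measure is present but the kernel still considers the CPU exposed, which is why they are graded as vulnerable rather than mitigated; a missing file is graded unknown because a kernel old enough to lack the report is almost certainly unpatched. On Windows the equivalent on-box check is Microsoft’s Get-SpeculationControlSettings PowerShell module.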

If you have any questions, feel free to comment below.

Updates

January 5, 2018: We have added Meltdown and Spectre vulnerability checks to InsightVM and Nexpose for Windows and VMware and will continue to add coverage as vendors publish mitigations for CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754. We have also added a dashboard to InsightVM to provide visibility and tracking for Meltdown, and will continue to incorporate new insights. The Meltdown dashboard is available in the R7 Dashboard template library within InsightVM, shown below:

[Image: InsightVM Meltdown dashboard]

January 10, 2018: We’ve added a table to this blog post, below, which details the InsightVM / Nexpose scan coverage for each of the three issues. As new checks are released, this table will be updated.

InsightVM / Nexpose Coverage (Updated 2018-01-10)

Platform     CVE-2017-5715 (Spectre)   CVE-2017-5753 (Spectre)   CVE-2017-5754 (Meltdown)
Ubuntu       Covered                   Covered                   Covered
Redhat       Covered                   Covered                   Covered
SUSE         Covered                   Covered                   Covered
VMware       Covered                   Covered                   Covered
Windows      Covered                   Covered                   Covered
Palo Alto    Not affected              Not affected              Not affected

Partial coverage (the original table marked these rows “Covered” for fewer than three issues; which columns were marked did not survive this copy):
OSX          Covered for one of the three issues
Mozilla      Covered for two of the three issues
Debian       Covered for one of the three issues

No checks listed yet: CentOS, F5, Cisco