Everything You Need to Know About Meltdown & Spectre
What are Meltdown and Spectre?
Meltdown and Spectre are software viruses that take advantage of recently discovered computer hardware security vulnerabilities. They are the result of a hardware design flaw that was originally found to be present in all Intel chips made in the last 20 years.
This flaw essentially allows rogue programs to access the contents of protected kernel memory areas of the computer’s processors. The Meltdown and Spectre exploits have the potential to allow attackers to gain access to critical data previously considered completely protected.
Meltdown is so-called because it figuratively ‘melts’ the security boundaries normally enforced by chip hardware that protect sections of the memory. Essentially it’s able to spy on data it shouldn’t have access to.
Spectre, on the other hand, derives its name from speculative execution, which involves a chip attempting to get a headstart on what a user might want from it. For instance, if the program a user is running follows an ‘if X, then Y’ rule, then if a user chooses to perform X, the chip must then work on carrying out Y. A chip performing speculative execution would start carrying out Y before the user chooses to perform X, to get a headstart on computation. Doing so leaks data that should stay confidential.
A Spectre attack requires more intimate knowledge of the victim program’s inner workings, and doesn’t allow access to other programs’ data, but will also work on just about any computer chip out there.
Spectre’s name also derives from the fact that it will be much trickier to stop — while patches are starting to become available, other attacks in the same family will no doubt be discovered. That’s the other reason for the name: Spectre will be haunting us for some time.
The official Spectre website (yes, there is one) states that while Spectre is harder to exploit than Meltdown, it is also harder to mitigate. It breaks the isolation between different applications and allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. However, it is possible to prevent specific known exploits based on Spectre through software patches.
Who is affected?
Short answer: Pretty much everybody.
Meltdown only affects Intel processors and at the moment, it is unclear whether AMD processors are also affected. ARM says some of its processors are also affected.
Spectre is much more widespread, however. Almost every system is affected by Spectre, including desktops, laptops, cloud servers, and even smartphones. More specifically, all modern processors capable of keeping many instructions in flight are potentially vulnerable, that means all popular operating systems, including Windows, Linux, and macOS are affected.
A huge variety of devices, from laptops to smartphones to servers, are therefore theoretically affected. The assumption going forward should be that any untested device should be considered vulnerable.
How are VMs affected?
All those vulnerabilities affect infrastructure with untrusted VMs. If you run your on-premise/isolated “cloud”, you are relatively safe (still losing one “defense” anyway). This must be a reminder that even on the cloud, your applications still run on some hardware.
Meltdown on XenServer
Meltdown is using a design flaw into Intel CPUs only. This is called by Xen sec team “SP3” (aka rogue data cache load). You are impacted only if you are using:
- 64-bits PV type VM (HVM/PVHVM aren’t affected!)
- Intel CPUs (AMD chip design is a bit different and not affected)
- Untrusted VMs, ie untrusted users having VM access (even non-root!)
- All XenServer versions are affected
Spectre on XenServer
Spectre contains both “SP2”, aka “Branch Target Injection” and “SP1” aka “Bounds-check bypass”.
For now, there is no known exploit for “SP1”. The issue then is on “SP2”. If you have untrusted VMs, you are vulnerable, whatever XenServer version you are using, or the virtualization mode.
To learn how to help mitigate the risks to your Xenserver, click here.
VMware states that Meltdown and Spectre can create problems for its virtual appliances and explains that the mitigation tactics will stop attacks but must be considered “a temporary solution only and permanent fixes will be released as soon as they are available.”
The workarounds are important because VMware ships some of its products as appliances. vCenter, for example, now ships as an software appliance, because VMware would rather you did not install it as a guest.
To learn how to mitigate risks to your VMware VMs, click here.
How RecordTS can save you
In the spirit of preserving data, session recording offers a way to protect critical actions that can assist in forensic analysis and offer a layer of protection against the ransomware viruses.
Would you like to know more? Visit www.tsfactory.com