Details emerged this week on two major processor security flaws, leaving firms scrambling to issue fixes and secure machines for customers.
‘Meltdown’ and ‘Spectre’ are described as “side channel” attacks that allow attackers to steal passwords, customer data, and anything else held in the memory of programs running on a victim’s machine.
These security flaws affect PCs, mobile devices and, alarmingly, the cloud. The latter scenario has the security community particularly worried, as it could theoretically allow an attacker in a guest VM to steal data from other customers’ VMs on the same public cloud server.
The Meltdown flaw, tracked as CVE-2017-5754, “melts” the security boundary normally enforced at the chip level, allowing ordinary applications to read the contents of private kernel memory. Unfortunately, this flaw impacts nearly every Intel processor that implements “out-of-order execution”, which is essentially every Intel processor since 1995.
Among cloud providers, those using Intel CPUs with Xen PV virtualization are affected, as are those relying on containers that share one kernel, such as Docker, LXC, and OpenVZ.
The researchers explain the two flaws as follows: “Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory.”
Spectre is arguably the more dangerous of the two, as it is still less well understood and harder to mitigate; however, security researchers describe it as more difficult to exploit. The flaw covers the bounds check bypass bug CVE-2017-5753 and the branch target injection flaw CVE-2017-5715, and affects Intel, Arm and AMD chips in “almost every system” in the desktop, laptop, cloud server, and mobile device space.
Researchers describe Spectre as, “Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”
To date, there is no known comprehensive fix for Spectre, but work is under way to patch software against known Spectre-based exploits.
US-CERT claims the only way to fix these issues for certain is to replace the CPU hardware altogether, but that is not an option until more secure chips are developed. Researchers also caution that the patches may slow systems down significantly, but many organisations have no choice but to patch the security flaw.
Read the article on InfoSecurity Magazine