Bottom line up front:
- The Meltdown and Spectre vulnerabilities are serious vulnerabilities
- These vulnerabilities are uniquely broad in scope potentially affecting nearly every computer and device with a modern processor: Microsoft Windows, Google Android, Google ChromeOS, Apple macOS, on Intel and ARM processors.
- These are not code execution vulnerabilities (i.e. wormable): they are information disclosure vulnerabilities
- These vulnerabilities pose greatest risk in shared hosting scenarios (i.e. cloud)
- The risk these vulnerabilities pose for end users is that malicious code or script could use them to obtain sensitive information like usernames, passwords, and bank account information
- Because of the breadth of these vulnerabilities, IoT devices and many mobile devices may never receive fixes to address them
- Everyone should act to apply security updates as soon as possible
- Patches are now available for most major platforms
- Everyone should update their systems and devices as soon as possible
- Cloud service users likely do not need take action: most providers are updating to protect their infrastructure against these vulnerabilities; please check with your respective provider
In the past 48 hours, there has been a flurry of activity as hardware and software vendors move to address two sets of vulnerabilities that have been dubbed “Meltdown” and “Spectre”.
This blog is meant to give an overview of the situation, the vulnerabilities, assist Palo Alto Networks customers and others with their risk assessment, and provide recommendations for actions they can take to prevent successful attacks against these vulnerabilities.
- CVE-2017-5753: bounds check bypass
- CVE-2017-5715: branch target injection
- CVE-2017-5754: rogue data cache load
They grouped these vulnerabilities under the names “Spectre” (CVE-2017-5753 and CVE-2017-5715) and “Meltdown” (CVE-2017-5754).
Comprehensive details on both of these are available at https://meltdownattack.com.
Security updates to address these vulnerabilities began to be released prior to disclosure on January 3, 2018. Security updates are continuing to be released and are expected to be released over time due to the uniquely broad nature of these vulnerabilities.
At the time of this writing, there are no known active attacks against any of these vulnerabilities.
These vulnerabilities present a unique situation because they ultimately are hardware-based vulnerabilities. All three stem from issues in modern processors and are known to affect Intel and ARM chips. The vulnerability status of AMD chips is unclear at the time of this writing.
Because these affect processors, this means that the operating systems and applications that run on top of these processors are vulnerable.
Because these vulnerabilities affect the processors at the physical layer, the only way for the vulnerabilities to be fully addressed is for the processors to be replaced or to have a firmware update.
Until then, the makers of operating systems can (and have) released patches that make the physical-layer vulnerabilities inaccessible. For all intents and purposes, it “patches” the vulnerabilities.
Full technical details on the vulnerabilities are available at the sites referenced above. But the key point to understand about these vulnerabilities is that they are information disclosure vulnerabilities that can enable processes and applications to access information they otherwise shouldn’t be able to: user-mode applications can access privileged information in the kernel and throughout the operating system.
For regular end-user systems and devices, malware and malicious scripts can use these vulnerabilities to access information like usernames, passwords and account information.
For shared-hosting environments like public cloud providers, this means that one hosted customer could potentially access the information of any other customer hosted on the same hardware.
Based on analysis of the vulnerabilities, an industry consensus is emerging that generic protections against attacks aimed at these vulnerabilities will be difficult, if not impossible to develop. This means that prevention against attacks will have to focus on specific malware, attacks, and hosting sites as they emerge.
Because these are information disclosure vulnerabilities, they don’t pose the same, immediate danger like WannaCry/WanaCrypt0r or Petya/NotPetya. This has more in common with the Heartbleed event of 2014.
In terms of the severity of the vulnerabilities themselves: they are important, but not critical. They are information disclosure, not code execution, vulnerabilities.
The greatest area of risk is in shared-hosting scenarios. Fortunately, most cloud providers have already deployed security updates and those that haven’t are expected to do so shortly.
For end-users and those managing networks, the greatest risk these vulnerabilities pose is exploitation by malware seeking to gather information like usernames and passwords from systems.
What makes these vulnerabilities most notable from a risk assessment point of view is breadth of exposure. Since these potentially affect nearly every device with a modern processor, that means that full mitigation and remediation may not be possible. Older systems (like Windows XP) and devices (like older Android smartphones and IoT devices) will likely never receive fixes for these vulnerabilities.
Calls to Action
The actions to take in response to this event are clear and simple:
- Users of shared-hosting (i.e. cloud) services should check with their service provider to confirm they’ve applied security updates to address these vulnerabilities.
- Administrators and end-users should deploy security updates to all systems and devices as soon as they’re available.
- Administrators and end-users should consider retiring systems and devices that will not be updated as soon as possible.
- Administrators and end-users should use comprehensive network and endpoint security that can help prevent attacks that seek to exploit these vulnerabilities.
As always, we will continue to watch this event closely and provide any updates that we can.
For information on how Palo Alto Networks products are affected by these issues, customers can see our posting on the Live Community at: https://live.paloaltonetworks.com/t5/Customer-Advisories/Information-about-Meltdown-and-Spectre-findings/ta-p/193878/jump-to/first-unread-message.
If you have any questions, please visit the Threat & Vulnerability Discussions on our Live Community.