A new series of vulnerabilities has been disclosed (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754) affecting the most popular computer processors and leaving millions of devices exposed to exploitation. These vulnerabilities allow users or applications with low privileges to read data in memory. Data stored in memory may include passwords, pictures, text, and any other type of data. At first these vulnerabilities were thought to affect only Intel; however, later reports indicate that AMD and ARM processors are affected as well.

Meltdown and Spectre are the two names now associated with these vulnerabilities. Meltdown means the boundary between applications and the operating system no longer holds; exploiting it lets an attacker read memory data belonging to any running application or process. A Spectre exploit forces or tricks programs into exposing memory by causing errors, after which that memory data can be read.

Fig 1. Meltdown POC (figure not reproduced)

Fig 2. Spectre POC (figure not reproduced), modified from https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6#file-spectre-c-L50

The proof-of-concept exploitation code suggests a side-channel type of attack, which may require some preliminary steps before full exploitation (e.g. tricking a user into browsing to a page carrying the exploit code, or gaining access to a server, transferring the code there and then executing it). However, this does not reduce the risk posed by these vulnerabilities: for example, a malicious actor could simply create an account with a popular cloud provider, execute the exploit on his or her own servers, and read other customers' information via memory/application leakage.

It is also very likely that these vulnerabilities will soon be chained with other exploits, enabling them to be executed in a way that gives more streamlined access to memory.

The biggest implication of these vulnerabilities is the number of devices that may be affected. Given that Intel, AMD and ARM account for the large majority of modern processors, the task of applying mitigations looks very difficult. Some of these devices may not be patchable at all (think of embedded processors in cable modems, routers and many other IoT devices); others can be patched, but the mitigations available as of this writing are workarounds rather than fixes, and these workarounds come at a price: reduced performance and increased latency. That performance cost may be significant enough to discourage some vendors from patching their devices.

Suggested mitigations consist of applying patches at the operating system level, since the deployed hardware is flawed and cannot be modified. Below is a list of detailed technical resources and mitigation information.
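Since the fix lives in the operating system, the practical question for an administrator is whether the running kernel actually carries the mitigation. The following script is an added example (not part of the original post or of any vendor's tooling) for Linux: it assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities/ interface (introduced with the Meltdown/Spectre patches in January 2018), where each file reports "Not affected", "Mitigation: ..." or "Vulnerable...". The script classifies those reports and exits non-zero when any of the three issues is still unmitigated, so it can be dropped into a compliance check.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies the Linux kernel's
# speculative-execution status reports. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ (older kernels lack the directory,
# which itself means the mitigations are absent).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify STATUS_TEXT
# Prints one of: mitigated, not-affected, vulnerable, unknown.
# Real kernel strings look like "Mitigation: PTI", "Not affected",
# "Vulnerable: Minimal generic ASM retpoline".
classify() {
    case "$1" in
        "Not affected"*) printf 'not-affected\n' ;;
        "Mitigation:"*)  printf 'mitigated\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# audit DIR
# Prints "<issue> <class> <raw kernel text>" for meltdown, spectre_v1 and
# spectre_v2. Returns 1 if any issue is classified as vulnerable, 2 if the
# directory is missing (kernel predates the interface), 0 otherwise.
audit() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel predates the sysfs interface, treat as unpatched" >&2
        return 2
    fi
    for f in "$dir/meltdown" "$dir/spectre_v1" "$dir/spectre_v2"; do
        [ -r "$f" ] || continue
        raw=$(cat "$f")
        cls=$(classify "$raw")
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$cls" "$raw"
        [ "$cls" = vulnerable ] && rc=1
    done
    return $rc
}

# Usage: sh check_specexec.sh --run   (reads the live sysfs tree)
if [ "${1:-}" = "--run" ]; then
    audit "$VULN_DIR"
    exit $?
fi
```

The exit code is the useful part for automation: 0 means every reported issue is mitigated or not applicable, 1 means at least one is still open, and 2 means the kernel is too old to even report, which should be treated as unpatched rather than as a clean result.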


US-CERT

https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities

Official Intel

https://security-center.intel.com/advisories.aspx

Official AMD

https://www.amd.com/en/corporate/speculative-execution

Official ARM

https://developer.arm.com/support/security-update

MITRE

CVE-2017-5715

CVE-2017-5753

CVE-2017-5754

Official vulnerability page with technical POC and research information

https://www.meltdownattack.com

Mozilla

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Google Chrome

https://support.google.com/chrome/answer/7623121?hl=en

Official Microsoft

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Google Project Zero

https://googleprojectzero.blogspot.com/