Meltdown and Spectre: Chip Vulnerabilities Could Facilitate Memory Leaks

Update: January 31, 2018 - Symantec has released the following detection for attempts to exploit the Multiple CPU Hardware Information Disclosure Vulnerability (CVE-2017-5754/Meltdown):

• Exp.CVE-2017-5754

Update: January 5, 2018 - Symantec has released the following detection for attempts to exploit the Multiple CPU Hardware Information Disclosure Vulnerability (CVE-2017-5753/Spectre):

• Exp.CVE-2017-5753

A series of newly discovered vulnerabilities affecting processor chips could permit attackers to gain unauthorized access to a computer’s memory. Dubbed Meltdown and Spectre, the vulnerabilities affect nearly all modern processors and can only be mitigated through operating system patches.

Of the two, Meltdown poses the greatest threat because it is easier to exploit and affects all kinds of computers, including personal computers and virtual machines in the cloud. Symantec is not aware of either vulnerability being exploited in the wild.

The vulnerabilities are significant, since a successful exploit could allow attackers to gain unauthorized access to sensitive data, including passwords. However, exploit of any vulnerable computer would require an attacker to gain access to the targeted computer via a prior step, such as running a malicious application on it; through JavaScript which triggers an exploit in order to run as native code; or running JavaScript to map the kernel. All of these malicious activities can be blocked by Symantec products. Nevertheless, users are advised to apply operating system patches as soon as they are made available.

Both Meltdown and Spectre exploit flaws in processors in order to bypass memory isolation in the operating system. Operating systems are designed in a way to block one application from accessing memory being used by another. If memory isolation fails to work, a malicious application could steal information from memory being used by other applications.

What is Meltdown?

Meltdown (CVE-2017-5754) exploits a flaw in out-of-order execution, a performance feature found in many modern processor chips. The researchers who discovered it have confirmed that it affects every Intel processor since 1995 (with the exception of pre-2013 Intel Itanium and Intel Atom processors). However, they added that it remains unclear whether ARM and AMD processors are also affected by the vulnerability.

If successfully exploited, an attacker can obtain a copy of the entire kernel address space, including any mapped physical memory, in other words, any data stored in memory at the time of the attack.

Meltdown can be exploited regardless of the operating system a computer is running. It affects both individual computers and any computers hosting cloud services, meaning an attack on a single server could lead to the compromise of multiple virtual machines running on that server.

Exploitation against cloud services is potentially the most worrying scenario, since the Meltdown can be exploited on a virtual machine in order to access memory from the host machine. Attackers could potentially buy space on a vulnerable cloud service and use it to stage an attack against other customers using the same host.

What is Spectre?

Spectre (CVE-2017-5753 and CVE-2017-5715) has a similar outcome but works in a slightly different way, and exploits a flaw in processor design to trick an application into leaking information stored in memory.

According to the team who discovered Spectre, virtually all modern processors are affected by the vulnerability, including Intel, AMD, and ARM chips. Once again, the vulnerability is operating system agnostic.

Mitigation

Users are advised to apply operating system patches immediately. Patches have already been released for Microsoft Windows, Apple macOS, and Linux to patch Meltdown. Spectre is reportedly more difficult to patch but also more difficult to exploit. Work is underway to harden software against any potential exploits.

Operating system vendors have already warned that patching is likely to have a performance impact on affected computers. According to Microsoft, the impact may not be noticeable on most consumer devices, however the specific impact “varies by hardware generation and implementation by the chip manufacturer.” The developers of the Linux patch said average performance could decline by 5 percent, but instances of a 30 percent decline were observed.