Spectre and Meltdown : Burning Down The House

Of course, while Jim was writing his last blog post, the embargo was ending on two major vulnerabilities affecting a wide range of CPUs (aka Spectre & Meltdown). With Spectre & Meltdown we are looking at a vulnerability that is worse than Heartbleed and the bash bug put together. At its basis, it appears the attack can drive the chip's speculative, out-of-order execution down the wrong path, forcing it to run operations it should not have and permitting access to data that would never intentionally have been granted. This is a real hardware vulnerability that is permanently in the CPU you are using while reading this.

The only band-aid available is to accept a software workaround that could affect performance (we have heard 5% on the low end, all the way up to 30%). No matter what, there is huge potential for abuse in these flaws if the OSes running on them are not patched.

So, in keeping with Jim's Talking Heads theme (that is what they called music in the 80's) from his post yesterday, about how we shouldn't burn down (or throw away) the investments we made in technology, what should we do with this large flaw that is indeed burned into the very hardware we use on a daily basis? Consider the thought of our potential attack vectors extending down to the CPU itself, and the many permutations that creates: for example, if you patch your VM in a cloud service but the hypervisor is not patched, another VM could potentially read your VM's memory contents. Now we must include our chipsets, a common and often overlooked patching item. Nearly all the major CPUs are affected (to varying degrees, and AMD claims its processors should not be affected), and with them most of the systems we work on daily.

But how do you recover from virtually all major CPUs being exposed?

It is still too early to decide now if it is better to throw away those Intel x86-64, ARM and AMD processors and start over. Should we burn down the house?

“Watch out you might get what you’re after
Boom babies strange but not a stranger
I’m an ordinary guy
Burning down the house”

We see it often in today's auto industry for repairs: items and components are often not fixed, just replaced. If we continue down the path of simply replacing components of systems when something bad happens, where do we end up? We have all survived Heartbleed and the bash bug, even though some systems are still vulnerable. But the InfoSec community up in arms about a compromise at this level is the same InfoSec community that will arrive at a mitigation. We hope. "Necessity is the mother of invention." This may be the critical moment when the industry rises to the occasion and "re-thinks" how to properly maintain, patch, update, code, and implement systems and applications. Will this be the event that causes the industry to take monitoring seriously? Take patching seriously?

“Hold tight wait till the party’s over
Hold tight We’re in for nasty weather
There has got to be a way
Burning down the house”

One thing is for sure: it is going to be an interesting day, week, month, and maybe year for CISOs and the InfoSec community, as well as manufacturers, to get a proper hold of this.

“People on their way to work and baby what did you expect
Gonna burst…”

The current solution from CERT is to "Replace CPU Hardware". With what? Virtually all major chips are affected, or at least we believe so now. Now that this has been introduced "into the wild", or for public consumption, we will begin to see the various attempts at solutions and patches, as well as simple scripts and GitHub repositories that exploit the flaw, appearing in the wild. You should also be very careful before applying or using any of these, as you wouldn't want to introduce new problems.

On a positive note, at least we waited until after the holidays to have another massive vulnerability release.

Tl;dr: 3 variants of a bad chip flaw affect everything. Patching may decrease speed of operations 3% to 30%. Do we burn the house down? CERT says the only fix is to replace the CPU, but there is not a chip from a major chip vendor that doesn't have the flaw. We need to become more vigilant. AV vendors have patches available now. Apple patched in 10.13.2. Microsoft has started patching. Happy New Year.

William Kimble – President/CEO Cyber Defense Technologies

James McMurry – CEO/Founder Milton Security Group

Music by : The Talking Heads
Title : Burning Down The House

Windows Client/Server Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities

Client side:

Server side:
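On either side, the first thing an administrator wants to know is whether the OS and firmware mitigations are actually present and enabled on a given host. The status check below is an added example, not part of the original post; it uses Microsoft's SpeculationControl PowerShell module and assumes the host can reach the PowerShell Gallery to install it.

```powershell
# Added example: report Spectre/Meltdown mitigation status on a Windows host
# using Microsoft's SpeculationControl module. Run from an elevated prompt.
Install-Module -Name SpeculationControl -Scope CurrentUser -Force
Import-Module SpeculationControl

$s = Get-SpeculationControlSettings

# Branch Target Injection (Spectre variant 2): needs a microcode/firmware
# update AND OS support that is both present and switched on.
$btiMitigated = $s.BTIHardwarePresent -and
                $s.BTIWindowsSupportPresent -and
                $s.BTIWindowsSupportEnabled

# Kernel VA shadowing (KPTI/KAISER, the Meltdown mitigation) is only required
# on affected CPUs; where required, it must be present and enabled.
$kvaMitigated = (-not $s.KVAShadowRequired) -or
                ($s.KVAShadowWindowsSupportPresent -and
                 $s.KVAShadowWindowsSupportEnabled)

# One-line summary suitable for collecting across a fleet.
[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    BTIMitigated = $btiMitigated
    KVAMitigated = $kvaMitigated
    KVAPcid      = $s.KVAShadowPcidEnabled   # PCID lowers the KVA shadow performance cost
}
```

A host reporting BTIMitigated or KVAMitigated as False still has the relevant patch or firmware update outstanding, which is the gap to track alongside regular OS patching.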

Interesting sidenote: a talk was actually submitted by Daniel Gruss to Black Hat 2017 covering KAISER, but was not chosen by the CFP panel. This could have highlighted that, in Mr. Gruss's words:

“#FunFact: We submitted #KAISER to #bhusa17 and it was rejected.
We can just assume that it lacked practical relevance or had no relevant security impact.
#kpti #fuckwit #blackhat #bhusa

#KAISER would be a good general improvement for kernel security. A good defense mechanism covers yet unknown attacks. #KAISER did.”

“I’d bet the chances of the same talk with the same technical contribution would have other chances now. Because now it’s clear what it protects against as well. That’s a bit odd. And funny, therefore, fun fact ;)”