News of a major vulnerability in Intel chips is much worse than first feared, with researchers confirming three variants affecting multiple CPU hardware implementations, dubbed “Meltdown” and “Spectre”.
Both can be described as “side channel” attacks which allow attackers to steal passwords, customer data, IP and more stored in the memory of programs running on a victim’s machine.
They work across PCs, mobile devices and in the cloud — the latter scenario is particularly worrying as it could theoretically allow an attacker in a guest VM to steal data from other customers’ VMs on the same public cloud server.
The previously disclosed issue has been named Meltdown and relates to CVE-2017-5754, a bug which “melts” the security boundaries normally enforced at the chip level to allow normal applications to read the contents of private kernel memory, according to the researchers.
It affects every Intel processor which implements “out-of-order execution”: effectively every processor since 1995, except Itanium and Intel Atom before 2013.
It also affects certain Arm cores, although AMD chips are not thought to be affected.
Patches are available for Linux, Windows and OS X to mitigate Meltdown.
On the cloud provider side, those using Intel CPUs and XenPV as virtualization are affected, as well as those relying on containers that share one kernel, such as Docker, LXC and OpenVZ. Patches are coming or are already here from Microsoft, Google, Amazon and others.
Spectre is arguably the more dangerous of the two threats as it is harder to mitigate, although it has also been described as harder to exploit.
It relates to bounds check bypass bug CVE-2017-5753 and branch target injection flaw CVE-2017-5715 and affects Intel, Arm and AMD chips in “almost every system” in the desktop, laptop, cloud server and smartphone space.
The researchers explained Spectre and Meltdown as follows:
“Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, applications can access system memory. Spectre tricks other applications into accessing arbitrary locations in their memory.
“Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”
There are currently no known effective fixes for Spectre, although work is being done to “patch software after exploitation through Spectre.”
In fact, the US-CERT claimed that the only way to fix the issues for certain is to replace the CPU hardware altogether — not an option at this stage until more secure chips are architected.
There are also concerns that the patches which are being developed may cause systems to slow down, although many admins may not have a choice in the matter.
Researchers claimed that, unlike normal malware, Meltdown and Spectre are hard to distinguish from regular apps so are unlikely to be spotted by AV tools.
“However, your antivirus may detect malware which uses the attacks by comparing binaries after they become known”, they added.
Affected firms including chip, browser, OS and cloud vendors were working behind the scenes on fixes for the issues before the news was broken in a media report earlier this week. That seems to have accelerated patching plans.
The National Cyber Security Centre (NCSC) claimed in a statement that it had seen “no evidence of any malicious exploitation” and advised users and IT admins to install patches as soon as they are made available.
Google's Project Zero team, which helped to discover the vulnerabilities, has a detailed analysis here.