The First Major Security Logos of 2018: Spectre and Meltdown Vulnerabilities

A major flaw in the way modern CPUs access cache memory could allow one program to read data belonging to another program. The latest security vulnerability affects a majority of systems in use today, if not all of them. The vulnerabilities are named Spectre and Meltdown and have a dedicated website.

According to the security advisory, Spectre breaks the isolation between different applications and allows an attacker to expose data once thought to be secure. Meltdown breaks the most fundamental isolation between user applications and the operating system. Both attacks are independent of the operating system and do not rely on any software vulnerabilities. To reduce the risk of compromise, users must apply software patches as quickly as possible.

Side channel attacks

The new bugs are classed as side channel attacks because they recover the contents of the accessed memory location through a side channel rather than by reading it directly. Spectre allows an application to force another application to access arbitrary portions of its own memory, which can then be read through a side channel. This side channel attack exploits speculative execution, a technique used by high-speed processors to increase performance by guessing likely future execution paths and executing the instructions on them ahead of time. Spectre takes advantage of this execution and affects all modern processors capable of keeping many instructions in flight.

Memory isolation is a cornerstone of security and is what allows multiple processes to run safely on one device. The Meltdown bug defeats this isolation: it allows any application to read all system memory, including memory allocated to the kernel. This side channel attack is a side effect of out-of-order execution, another performance enhancement used by processors. Meltdown specifically affects every Intel processor in desktop, laptop and cloud computers except Intel Itanium and Intel Atom before 2013.

Identifying affected systems

Operating system vendors are forgoing their regular patch release cycles and publishing out-of-band operating system patches to address this issue. Tenable.io, SecurityCenter and Nessus can identify affected systems by checking for the newly released patches. Each plugin created for the Spectre and Meltdown vulnerabilities is marked with at least one of the following CVEs:

  • CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

To identify which systems are affected using Tenable.io, open the workbench and, using the advanced search, apply a CVE filter (CVE-2017-5753,CVE-2017-5715,CVE-2017-5754) as shown below. In the example filter, the CVEs are entered in a single field separated by commas.

[Screenshot: Advanced Search CVE filter]
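The same CVE filter can be applied offline to an exported scan. The following is an added example, not code from the Tenable blog or a Tenable product: it reads a Nessus-style CSV export (the column names `Plugin ID`, `CVE`, `Risk`, `Host` and `Name` are assumed, and the sample rows are constructed using plugin IDs from the table in this post), keeps only findings tagged with the three CVEs, and reports per host which attack family still lacks its patch.

```python
import csv
import io
from collections import defaultdict

# The CVEs the Tenable plugins are tagged with. The family names follow the
# advisory: 5753 and 5715 are the Spectre variants, 5754 is Meltdown.
SPECTRE_MELTDOWN_CVES = {
    "CVE-2017-5753": "Spectre (bounds check bypass)",
    "CVE-2017-5715": "Spectre (branch target injection)",
    "CVE-2017-5754": "Meltdown (rogue data cache load)",
}

# Constructed sample in the shape of a Nessus CSV export (assumed column
# names; a real export has more columns, which this code ignores).
SAMPLE_CSV = """Plugin ID,CVE,Risk,Host,Name
105547,"CVE-2017-5753,CVE-2017-5715,CVE-2017-5754",High,10.0.0.5,KB4056888: Windows 10 Version 1511 January 2018 Security Update (Meltdown)(Spectre)
105528,CVE-2017-5715,High,10.0.0.7,RHEL 7 : microcode_ctl (RHSA-2018:0012)
105523,"CVE-2017-5753,CVE-2017-5754",High,10.0.0.7,RHEL 7 : kernel (RHSA-2018:0007)
11219,,None,10.0.0.9,Nessus SYN scanner
"""


def affected_hosts(csv_text):
    """Return {host: {cve: [plugin ids]}} for findings tagged with the three CVEs.

    A finding may carry several CVEs in one cell; each is matched separately,
    so a host that only misses the microcode update still shows CVE-2017-5715.
    """
    hosts = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        cves = {c.strip() for c in row["CVE"].split(",") if c.strip()}
        for cve in sorted(cves & SPECTRE_MELTDOWN_CVES.keys()):
            hosts[row["Host"]][cve].append(row["Plugin ID"])
    return {host: dict(found) for host, found in hosts.items()}


def exposure(csv_text):
    """Collapse each host's open CVEs to the attack families still unpatched."""
    return {
        host: sorted({SPECTRE_MELTDOWN_CVES[c].split(" ")[0] for c in cves})
        for host, cves in affected_hosts(csv_text).items()
    }


if __name__ == "__main__":
    for host, families in sorted(exposure(SAMPLE_CSV).items()):
        print(f"{host}: missing patches for {', '.join(families)}")
```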

Plugins

Searching by these CVEs returns the plugins listed below. This list will be updated as more plugins are released.

| Vendor | Plugin ID | Description |
|---|---|---|
| Amazon | 105517 | Amazon Linux AMI : kernel (ALAS-2018-939) |
| Microsoft | 105547 | KB4056888: Windows 10 Version 1511 January 2018 Security Update (Meltdown)(Spectre) |
| Microsoft | 105548 | KB4056890: Windows 10 Version 1607 and Windows Server 2016 January 2018 Security Update (Meltdown)(Spectre) |
| Microsoft | 105549 | KB4056891: Windows 10 Version 1703 January 2018 Security Update (Meltdown)(Spectre) |
| Microsoft | 105550 | KB4056892: Windows 10 Version 1709 January 2018 Security Update (Meltdown)(Spectre) |
| Microsoft | 105551 | KB4056893: Windows 10 LTSB January 2018 Security Update (Meltdown)(Spectre) |
| Microsoft | 105552 | KB4056897: Windows 7 and Windows Server 2008 R2 January 2018 Security Update (Meltdown)(Spectre) |
| Microsoft | 105553 | KB4056898: Windows 8.1 and Windows Server 2012 R2 January 2018 Security Update (Meltdown)(Spectre) |
| Red Hat | 105523 | RHEL 7 : kernel (RHSA-2018:0007) |
| Red Hat | 105524 | RHEL 6 : kernel (RHSA-2018:0008) |
| Red Hat | 105525 | RHEL 7 : kernel (RHSA-2018:0009) |
| Red Hat | 105526 | RHEL 7 : kernel (RHSA-2018:0010) |
| Red Hat | 105527 | RHEL 6 : kernel (RHSA-2018:0011) |
| Red Hat | 105528 | RHEL 7 : microcode_ctl (RHSA-2018:0012) |
| Red Hat | 105529 | RHEL 6 : microcode_ctl (RHSA-2018:0013) |
| Red Hat | 105530 | RHEL 7 : linux-firmware (RHSA-2018:0014) |
| Red Hat | 105531 | RHEL 7 : linux-firmware (RHSA-2018:0015) |
| Red Hat | 105532 | RHEL 7 : kernel-rt (RHSA-2018:0016) |
| Red Hat | 105533 | RHEL 6 : kernel (RHSA-2018:0017) |
| Scientific Linux | 105534 | Scientific Linux Security Update : kernel on SL6.x i386/x86_64 |
| Scientific Linux | 105535 | Scientific Linux Security Update : kernel on SL7.x x86_64 |
| Scientific Linux | 105536 | Scientific Linux Security Update : microcode_ctl on SL6.x i386/x86_64 |
| Scientific Linux | 105537 | Scientific Linux Security Update : microcode_ctl on SL7.x x86_64 |
| SUSE | 105539 | SUSE SLED12 / SLES12 Security Update : ucode-intel (SUSE-SU-2018:0006-1) |
| SUSE | 105540 | SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:0007-1) |
| SUSE | 105541 | SUSE SLES11 Security Update : microcode_ctl (SUSE-SU-2018:0009-1) |
| VMware | 105485 | VMware Fusion 8.x < 8.5.9 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (macOS) |
| VMware | 105555 | VMware Player 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) |
| VMware | 105487 | VMware Workstation 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) |
| VMware | 105486 | ESXi 5.5 / 6.0 / 6.5 / Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (remote check) |

Wrapping up

We will continue to research these vulnerabilities and investigate different ways to detect them. When new information is available, we will release additional plugins. These vulnerabilities are a real and present danger to all organizations and should be patched immediately. While Microsoft, Red Hat, VMware and other vendors are making efforts to release patches, organizations are responsible for applying those patches as soon as possible.

This is a Security Bloggers Network syndicated blog post authored by Cody Dumont. Read the original post at: Tenable Blog