Processor Class A vulnerability Meltdown and Specter FAQ

February 02, 2018 By Antiy Security Response -

Processor Class A vulnerability Meltdown and Specter FAQ

After Antiy analyzed “Processor Class A vulnerability Meltdown and Specter Analysis Report”^[2]on January 4 and January 5, some users have asked about the impact of the Class A vulnerability event Methods and how to detect the problem, thus it formed FAQ in terms of these issues.

Background information on Meltdown and Specter vulnerabilities

Intel and other processor chips disclosed by Google’s Project Zero and other security teams have serious security vulnerabilities named Meltdown and Specter.

Meltdown

Meltdown disrupts basic isolation between users and operating systems, allowing malicious code to access arbitrary memory on the host, stealing sensitive information from other applications and operating system kernels. This loophole “melts” the security boundaries implemented by the hardware, allowing low-privilege user-Class applications to “cross-border” access system-Class memory, resulting in data leakage.

Spectre

Specter is the destruction of different applications between the isolation. The root cause of the problem is speculative execution, an optimization technique in which the processor will speculate on the instructions that might be executed in the future and execute it. The purpose of this technique is to prepare the results in advance, and to make the data available as soon as it needed to improve system operational efficiency.The underlying reason is that the CPU runs much faster than the memory reads. During this process, CPUs such as Intel did not properly isolate low-privileged applications from the memory of the in-memory kernel, which meant that attackers could use malicious applications to obtain private, user-Class data that should be isolated.

Threats and impacts on Meltdown and Specter vulnerabilities

On January 4 in 2018, CNVD released Meltdown Vulnerability(CNVD-2018-00303, corresponding to CVE-2017-5754) and Specter Vulnerability(CNVD-2018-00302 and CNVD-2018-00304, corresponding to CVE-2017-5715 and CVE-2017-5753)security bulletin, CNVD gave comprehensive rating of the vulnerability as “high risk”.

The vulnerability exists in Intel x86-64 hardware and Intel processor chips produced after 1995 may be affected. At the same time, AMD, Qualcomm, ARM processor have been affected^[1]. At 23:00 on January 4 in2018, Antiy issued a Class A vulnerability risk notice and reminded the vulnerability may evolve into a Class A network security disaster for the cloud and information infrastructure^[2].

Relevant vulnerabilities can only read the data, why it is evaluated as Class A vulnerability by Antiy?

Answer: The vulnerability itself can only read data and can not modify the data, but because the data may include passwords, certificates, and other sensitive data, it can bring horizontal movement attack capabilities, including full Dump memory mirroring, meaning that it can get all the open files and information, so this vulnerability is more harmful to the cloud than the general virtual machine escape. Although the attacker did not escape from the node directly to the physical machine, the purpose of the attacker’s secret may still have been reached. After obtaining some authentication credentials, the attacker may perform subsequent horizontal movement, which attacks the original cloud with no sense of security monitoring mechanism, so it is harmful to its cloud infrastructure, especially private cloud.

How difficult is the vulnerability exploit?

Answer: Vulnerability is not very difficult to use. First, the relevant vulnerability have leaked mature PoC code, for the public PoC code, Antiy Analyst engineers have been tested in Intel’s environment to verify the effectiveness of its environment. Experimental data proves that the disclosed PoC can be used to obtain the current process memory data. Therefore, it is very difficult to exploit this vulnerability under the cloud scenario. Since the cloud service is easy to be attacked, the attacker can not only easily attack the vulnerable virtual machines in the cloud, but may even directly rent the host to run the PoC program. And then get the memory data of the entire physical host through CPU cache.Relevant vulnerability desktop users can implement combo attacks based on browsers and other entrances, bypass existing browser security mechanisms and obtain system kernel data, which is harder to exploit than cloud attacks. Therefore, the vulnerability has the characteristics of extremely low utilization and great potential harm.

What are the possible ways to exploit vulnerabilities?

Answer: First, the cloud host (including physical machines and other virtual machines on the same machine) with sensitive data; Second, steal desktop users sensitive information. For cloud services, attackers can exploit cloud services by leveraging their own vulnerabilities or installing malicious applications to exploit them and potentially get associated data that can support horizontal movement within the cloud. For desktop users, an attacker can use the browser side as an attack entry. We are still analyzing and judging the vulnerabilities effect for proprietary equipment.

How likely is the vulnerability to be exploited on a large scale?

Answer: The vulnerability exists the inevitability of large-scale use. Because cloud services are already extensive services that are deeply involved in daily life, a large number of government affairs and business systems give various public cloud constructions, and a large number of industries and enterprises have built private clouds. Therefore, there is a certain necessity for the loopholes to be exploited on a large scale.Whether it can effectively curb vulnerability depends on the speed of bug fixes.For desktop and mobile systems, not only the browser can become an attack entry, a large number of desktop client and mobile APP are actually the browser package, which are vulnerable to pit attacks or traffic hijacking attacks.

Will vulnerability be combined with malicious code attacks it?

Answer: Vulnerability PoC itself is malicious code, and for those resources that attackers have already acquired (such as botnets), there is no doubt that this vulnerability expands the reach of their exploits, which can lead to chain disaster. Attacker could exploit the vulnerability in conjunction with other malicious code, stolen passwords, certificates, and other critical data were used as other attacks, such as using the worm mechanism for horizontal movement, internal service management credentials to launch targeted attacks and more.

The vulnerabilities can effectively prevent it? Is there any way to detect the exploitation of vulnerabilities?

Answer: An effective patch for this vulnerability is the timely installation of patches. For cloud infrastructure operators, we shall race against time. Now this vulnerability monitoring is related to how attackers exploit vulnerabilities, and some are more difficult to monitor; others already have mature solutions. But overall, this vulnerability is something that can be handled and responded to.

Is Intel’s vulnerability related to the ME vulnerability reported earlier by Antiy?

Answer: No, Intel has previously released the ME Vulnerability Security Advisory and Detection Tool, but has nothing to do with the Meltdown and Specter vulnerabilities. However, these vulnerabilities remind us that the current pervasive cyber security threat are very serious.