Chipocalypse Revealed

By Rene Kolga

What has happened?

A security flaw in Intel processors known as Meltdown, announced on January 3, 2018, makes it possible to determine the content or layout of protected kernel memory. On the same day, another flaw dubbed Spectre was revealed that also allows access to information in protected memory. Spectre affects Intel, AMD and ARM processors and impacts practically any device with a chip.

These new security flaws come on the heels of other Intel CPU vulnerability discoveries from 2017, such as the Intel Management Engine (ME) bugs that could potentially lead to full control of devices with certain Intel CPUs. The latest security flaws are even more serious since they can be used to access passwords, login details and other protected information on the majority of chip-powered devices across the world.

How big is the problem?

The problem is more wide-ranging than initially thought. These security flaws affect virtually all modern Intel processors made in the past decade, meaning that millions of computers are involved. Spectre could impact cell phones and other devices as well. ARM, whose chip designs are widely used in cell phones and other devices, confirmed that some of its chip architectures are affected, including Cortex-A processors used for many Open Source operating systems, such as Android, Chrome and Linux. ARM stated that this flaw “…could result in data being accessed from privileged memory.”

Cloud environments are also affected—this is in line with one of our 2018 security predictions:

2018 will bring even greater challenges in the security sphere when compared to years past. These challenges could include the first truly massive hack of one of the three largest public cloud providers—Amazon (AWS), Microsoft (Azure) or Google (GCP). A breach of this size could result in a temporary slowdown of cloud adoption worldwide.

If attackers can indeed target hypervisors via this kernel memory access vulnerability, companies will need patching that requires a mass restart of all guest virtual machines and unplanned downtime. This impact cannot be overstated. Not only would it affect public clouds, but also all private cloud implementations using Xen or KVM and possibly other hypervisors. Virtualization is the technology that powers the cloud and the majority of servers worldwide. In 2016, server virtualization rates already exceeded 75 percent, according to Gartner. Hypervisor attacks could impact all industries and businesses on a global scale.

Intel is downplaying the latest security flaws, claiming that “these exploits do not have the potential to corrupt, modify or delete data.” But, they have the ability to affect both confidentiality and availability in the typical Confidentiality, Integrity and Availability (CIA) triad. These are the exact areas where a majority of corporate security issues have occurred in the past few years, resulting in PCI, HIPAA or GDPR fines due to PII/PHI loss and billions of dollars in losses from stolen corporate strategy secrets, confidential financial records and intellectual property.

Why is resolving this flaw such a huge challenge?

Even though Microsoft is promising a patch for Meltdown next Tuesday (and released one for Windows 10 on January 3rd), there’s a lot more to worry about than just slowing down PCs and servers once it’s available. There’s no patch promised yet for Spectre. Plus, there’s no single fix for each flaw; many patches from multiple vendors will be required.  

After patches are made available, it can take weeks, if not months (and in some cases years), to apply patches throughout an organization. Just think about all the challenges—employees on vacation, disconnected machines, powered down systems, and servers with strict change control requirements (where reboot is only allowed once per quarter, if that). Moreover, it appears that organizations will need to implement both operating system patches as well as firmware updates to resolve the CPU security flaw.

Furthermore, it is not uncommon for hackers to attack the solution that fixes the flaws. Whether the fix implements what’s called Kernel Page Table Isolation (KPTI) or something else, eventually new attack vectors will surface. Examples are plentiful—whether with DEP, ASLR or UAC technologies—attackers soon developed bypass techniques.

Won’t my security solutions help?

Security products based on the Negative Security model have trouble addressing logic flaws like Meltdown and Spectre, since they need to learn about all the ways a flaw can be exploited and then build brand new “gates” to block them. In some cases, this takes a few hours, but in others it may take weeks, if not months, and still not provide 100% coverage.

This is a fundamental problem of the Negative Security approach that isn’t unique to Meltdown or Spectre. Solutions based on the Negative Security model haven’t addressed previously discovered logic flaws in a timely manner. For example, even a month after Process Doppelganging was publicly disclosed, antivirus products such as Symantec Endpoint Protection (SEP) did not have a fix for this attack vector.

At the moment, no antivirus (AV) or next-generation antivirus (NGAV) vendor can claim full protection against Meltdown or Spectre vulnerabilities, once again highlighting the need for a defense-in-depth approach to endpoint protection and up-to-date OS patching. It is also important to remember that Meltdown and Spectre currently do not have known attack samples in the wild. Based on the Positive Security model, Nyotron is agnostic to exploits and attack methods and, hence, does not need to adapt to emerging threats. Once an attacker tries to use a vulnerability to cause damage (e.g. corrupt/encrypt/delete data), we will block it.

Final notes

Because the initial Microsoft patch updates the deepest areas of an operating system’s kernel, there are possible compatibility issues with antivirus (AV), next-generation antivirus (NGAV) and other security products that operate at the kernel level. To help avoid these issues (which could lead to the infamous Blue Screen of Death making the machine unbootable), the automatic Windows security update checks for a specific registry key before applying the patch.

Nyotron’s endpoint protection is compatible with Microsoft’s security patch for Windows 10. As soon as Microsoft publishes patches for other OS versions, Nyotron will certify compatibility and update its customers. If you are using another AV product in addition to Nyotron’s, you may need to confirm its compatibility before applying the patch. If you are not using another AV solution and Windows Defender is disabled, you may also need to manually set the required registry key before your system is able to receive the patch automatically.
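
The registry check described above can be audited per machine before a rollout. The following read-only PowerShell script is an added example, not code from Nyotron or Microsoft; the key path and value name are the ones given in Microsoft's public guidance for the January 2018 updates (they do not appear in this article), and the function name Get-PatchCompatMarker is hypothetical.

```powershell
# Added example: read-only audit of the AV compatibility marker that gates the patch.
# Key path and value name come from Microsoft's public guidance, not from this article.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Get-PatchCompatMarker {
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )
    $result = [ordered]@{ Computer = $env:COMPUTERNAME; State = ''; Detail = '' }

    # Case 1: no security product (and no administrator) has created the key.
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.State  = 'KeyMissing'
        $result.Detail = 'Key absent; the automatic update will not be applied.'
        return [pscustomobject]$result
    }

    # Case 2: the key exists but the marker value is not in it.
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) {
        $result.State  = 'ValueMissing'
        $result.Detail = 'Key present but the marker value is absent.'
        return [pscustomobject]$result
    }

    # Case 3: the marker exists but is not a REG_DWORD with data 0.
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord -or $data -ne 0) {
        $result.State  = 'ValueMalformed'
        $result.Detail = "Unexpected type/data: $kind / $data"
        return [pscustomobject]$result
    }

    # Case 4: the marker is set as expected, so the update is not blocked by this check.
    $result.State  = 'Present'
    $result.Detail = 'Compatibility marker set; confirm every kernel-level product is certified.'
    [pscustomobject]$result
}

Get-PatchCompatMarker | Format-List
```

A result of Present only shows that something set the marker; it does not prove that every kernel-level security product on the machine is compatible with the patch, so confirm vendor certification before setting the value by hand.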
