Serious security flaws caused by "speculative execution" have been found in Intel CPUs from the Pentium Pro onwards, with multiple research teams being credited with the discoveries.
Software patches have been released by both the Linux kernel team and Microsoft; the Linux patch was released last month, and it was expected that there would be an embargo on releasing details of the bug until 9 January, which is when Microsoft releases its monthly updates. Microsoft released a fix overnight. The company also posted information on how it would be securing its Azure customers.
The Meltdown and Spectre attack handling is head scratching for business. CVEs have no CVSS score (how you assess security vulnerabilities), no Microsoft patch, Microsoft guidance link goes nowhere.. how are orgs and consumers supposed to make sense? https://t.co/eIGbuxQnR9
— Kevin Beaumont (@GossiTheDog) 3 January 2018
The bugs have been named Meltdown and Spectre and even have their own logos! A comprehsnive account of the vulnerabilities and a Q and A is available here. Some AMD and ARM processors are also vulnerable to Spectre.
The Linux patch did not even include comments in the code, in order to keep details of the bug quiet.
{loadposition sam08}But security by obscurity rarely works and it did not work in this case either. Google justified breaking the embargo, saying: "We are posting before an originally coordinated disclosure date of January 9, 2018 because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation."
Three exploits were described: bounds check bypass, branch target injection and rogue data cache load.
While both Google's Project Zero team and Intel claimed that the bugs affected CPUs from other manufacturers too, AMD was categorical in saying that its processors were not affected. The Project Zero detailed write-up is here.
Meltdown and Spectre will be a case study in how to totally screw up a vulnerability embargo. I wonder if this will discourage researchers from responsibly disclosing critical vulnerabilities in the future.https://t.co/TBWl49vWGp
— Jake Williams (@MalwareJake) 4 January 2018
Intel said in a media statement: "Recent reports that these exploits are caused by a 'bug' or a 'flaw' and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits."
But AMD's Tom Lendacky wrote in a post to the Linux kernel mailing list: "AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against.
"The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault."
ARM said the majority of its processors were not affected. "The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism," the company said. It provided a list of the processors that it said were affected.
Linux expert Russell Coker told iTWire in response to queries: "Speculative execution is where when a program branches (eg. an 'if' condition) the CPU starts executing the code on the most likely branch and then discards it if the other branch is taken. The bug MIGHT be something like performing speculative execution without adequate access checks such that a hostile application could have an instruction in what the CPU considers the most likely code path after a branch that accesses some memory and then sees what happens when it runs. AMD CPUs apparently don't have the bug in question."
He said there was a reasonable use case for systems that did not need such kernel security. "A significant portion of Linux systems are single-user workstations. For such a system you have one UID that deals with all the data from the Internet (and is therefore at risk of compromise) which also has access to all secrets (Internet banking passwords, GPG keys, ssh keys, etc).
"On such a single-user workstation the UID in question is generally used to access root via sudo or similar, and therefore an attacker who gets that UID can get root with a little patience and not much skill. For such a single user workstation (like the systems most Linux users have on their desktops) the new kernel won't provide any real benefit."
Russell said there were some things that could be done to improve security of single-user workstations. "For starters, encourage users to use a different session for tasks that need root access, even CTRL-ALT-F1 to get a text console will do. Programs that need stored passwords or cryptographic keys (such as mail clients, GPG, ssh clients, etc) could use a proxy running under a different UID to store the secret data so a compromise of the main account wouldn't immediately give everything away.
"Such techniques could make regular user compromise on a single-user workstation inadequate to get all access and therefore make kernel security important for single user systems."
But, he added that the way current Linux workstations were used for single users (i.e. one non-root UID that does everything) meant that root access wasn't important for a hostile party. "By getting access to the regular UID of the user they can read all mail, get ssh and GPG keys, read key presses (Internet banking passwords etc), and do everything else they would want to do. For someone running such a system there probably isn't much benefit in installing a patched kernel."
I disagree with this characterization that it's an arcane flaw that doesn't matter. This is an incredibly important flaw that is forcing a redesign of both CPU hardware and operating-system software that we use. https://t.co/Ucv2hA3meC
— Robert Graham, HODL HODL (@ErrataRob) 3 January 2018
Leaving aside the brilliance of the people that found this Intel bug, may I submit that perhaps coining threat names and invoking cute icons is a gratuitous and disingenuous way to get people to care about an impossibly arcane flaw that they in all likelihood can't do much about?
— briankrebs (@briankrebs) 3 January 2018
Russell was quick to point out that he was not advocating the avoidance of security patches. "Note that I'm not saying 'don't install security fixes'. I'm just noting that a typical home user Linux system has bigger security problems than the potential of a hostile program finding out address space randomisation information to permit other attacks on the kernel."
He said that from what was currently known about this security flaw there was no solid information on it being directly exploitable and it seemed to be merely a way of permitting other exploits.
"But we should consider the possibility that the researchers who discovered this flaw didn't discover all the possible ways of exploiting it," he added.
"It could be that in a matter of days or weeks someone will come out with a more effective exploit which will make this more serious, i.e. direct root access rather than merely extracting data to help other exploits."
Intel shares took a beating after news of the flaws broke, with a fall of as much as 5.5%, the most since October 2016. AMD surged 8.8% on the news while Nvidia went up by 6.3%.