Securing your company against SPECTRE/MELTDOWN: a pragmatic summary
In January 2018, three vulnerabilities affecting modern processors were disclosed; all three may reveal private data to attackers.
- CVE-2017-5753 - Bounds Check Bypass (Spectre Variant 1)
- CVE-2017-5715 - Branch Target Injection (Spectre Variant 2)
- CVE-2017-5754 - Rogue Data Cache Load (Meltdown)
To learn more about the impact of these vulnerabilities, please refer to the Spectre/Meltdown website.
Many articles, security bulletins, news items and papers have been published so far on how these vulnerabilities can be addressed. This article aims to summarize this flow of information and to give pragmatic advice.
"End-user devices are the most vulnerable to Spectre and Meltdown as untrusted code can easily run on these devices (in the browser, via a macro or a downloaded executable) and exploit these vulnerabilities. They therefore need to be patched as quickly as possible." Pierre Alexis, Cyber-Security Consultant
To secure end-user devices against Meltdown, install the latest updates from your OS vendor. All major OS flavours now have patches available (Windows, macOS, Linux, iOS, Android, etc.), with a performance impact that is generally not noticeable for end-user workloads. Simply apply all the latest security updates. For Windows, note that Windows Update will not install the fix until your antivirus has declared that it supports it, which it does by adding a key in the Windows registry. Almost all antivirus products now set this flag (check whether yours does with this list). Update your antivirus first to make sure the flag is set. If you have no antivirus installed, you must set the flag by hand (see how to here).
Securing end-user devices against Spectre is less straightforward, as an OS update alone is not enough. Two further mitigations are needed:
For variant 1: each exposed application must be patched individually. The riskiest applications are web browsers, because they routinely run untrusted JavaScript. All major web browsers have now shipped mitigations against Spectre (coarser timers and, in several of them, SharedArrayBuffer disabled or stricter site isolation). Simply update your browsers to the latest version, and keep doing so in the future, as the current mitigations may not be definitive. The performance impact, while not zero, is not noticeable for the end-user.
For variant 2: the microcode of your processor must be updated, normally through a BIOS/UEFI update from your hardware manufacturer. Updates are currently not ready: Intel withdrew its first microcode release after reports of unexpected reboots, and the updates come with a performance cost that can be significant for developers and technical users. We must therefore wait for a green flag from the processor manufacturers. When ready, updates will most probably be distributed by your hardware manufacturers (HP, Dell, Lenovo, etc.) and/or through OS updates. Check the security bulletins on their websites at regular intervals.
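The two checks an administrator will want on a Windows end-user device, as an added example (this is not code from the article or from Approach): first, whether the antivirus compatibility flag that Windows Update requires before offering the January 2018 Meltdown fix is present (and, on a machine with no antivirus, setting it by hand as the text describes); second, what is actually active, using Microsoft's SpeculationControl PowerShell module. The registry key, value name and the module's property names are Microsoft's; the script structure, the -SetFlag switch and the labels in the output object are assumptions made for this example. It assumes an elevated session and, for the second part, that the module has been installed once with `Install-Module SpeculationControl`.

```powershell
# Added example, not code from the article or from Approach. Two checks for a
# Windows end-user device: (1) the antivirus compatibility flag that Windows
# Update requires before it offers the January 2018 Meltdown fix, and (2) the
# mitigation state reported by Microsoft's SpeculationControl module
# (Install-Module SpeculationControl, once, from an elevated session).
# Assumptions: run elevated; use -SetFlag only on a machine with no antivirus,
# as the article says, otherwise let the antivirus vendor set it.
param([switch]$SetFlag)

$compatKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\QualityCompat'
$compatName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # value name Microsoft defined for the flag

function Test-AvCompatFlag {
    # True when the value exists and is the REG_DWORD 0 that Windows Update looks for.
    $v = Get-ItemProperty -Path $compatKey -Name $compatName -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.$compatName -eq 0)
}

function Set-AvCompatFlag {
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    New-ItemProperty -Path $compatKey -Name $compatName -PropertyType DWord -Value 0 -Force | Out-Null
}

# (1) Antivirus compatibility flag
if (Test-AvCompatFlag) {
    Write-Host 'AV compatibility flag present: Windows Update can offer the Meltdown fix.'
} elseif ($SetFlag) {
    Set-AvCompatFlag
    Write-Host 'AV compatibility flag set by hand; run Windows Update now.'
} else {
    Write-Warning 'AV compatibility flag missing: update the antivirus first, or re-run with -SetFlag if none is installed.'
}

# (2) What is actually active. KVA shadow is the Meltdown mitigation; BTI
# (branch target injection) is Spectre variant 2. BTIHardwarePresent stays
# $false until the BIOS/microcode update has been applied.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Write-Warning 'SpeculationControl module not installed: run Install-Module SpeculationControl'
    return
}
$s = Get-SpeculationControlSettings

[pscustomobject]@{
    MeltdownApplicable   = $s.KVAShadowRequired               # $false on CPUs not affected by Meltdown
    MeltdownFixInstalled = $s.KVAShadowWindowsSupportPresent  # OS update installed
    MeltdownFixEnabled   = $s.KVAShadowWindowsSupportEnabled
    V2MicrocodePresent   = $s.BTIHardwarePresent              # requires the BIOS/microcode update
    V2FixInstalled       = $s.BTIWindowsSupportPresent
    V2FixEnabled         = $s.BTIWindowsSupportEnabled
} | Format-List
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt; add `-SetFlag` only on a machine without antivirus. Until the hardware vendor's BIOS update is installed, expect `V2MicrocodePresent` to be False even on a fully patched Windows, which is exactly the "wait for the green flag" situation described above.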
Case one: your servers reside in your own infrastructure
If your servers reside in your own infrastructure (they are not in a cloud environment shared among multiple customers), the risk of exploitation is relatively low, for two main reasons:
- First, untrusted code cannot easily run there: servers generally have no browser installed or in use, so an attacker would first have to gain direct access to the server to run malicious code on it.
- Second, as your servers are not running in a shared environment, there is no risk that another customer's virtual machine will run malicious code that reads the memory of your virtual machines.
Our advice is therefore not to apply the Spectre- and Meltdown-specific updates blindly, as they can degrade performance. First assess whether such updates are relevant for each server.
Important note: this recommendation does NOT apply to servers that serve virtual desktops to end-users (Citrix, RDP) or that have a GUI installed and in use, nor, by the same reasoning, to servers that execute code you do not control (shared hosting, build agents, containers supplied by third parties). Such servers must be treated the same way as end-user devices (see above).
Case two: your servers reside in the cloud
If your servers run in a shared cloud environment, you are more at risk: another customer's virtual machine residing on the same physical server could run (intentionally or not) malicious code that reads the memory of your virtual machines.
Our advice: check with your infrastructure or cloud provider that patches have been applied to both the host operating system (Windows, Linux, etc.) and the hypervisor software (VMware ESXi, Xen, KVM, Hyper-V, etc.). All major cloud providers have applied the available stable patches (AWS, Google, Azure, OVH) and are following closely the release of new patches and microcode updates.
Patching your guest OS is not what isolates your applications from other customers on the same infrastructure; that isolation is the job of the host and the hypervisor. A guest patch only protects the processes inside your virtual machine from each other (and from any untrusted code that runs there), so the same reasoning as for your own servers applies: do not apply the Spectre- and Meltdown-specific updates blindly, as they can degrade performance, but first assess whether they are relevant.
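On Windows Server the "assess first" advice given for both cases above maps onto a concrete switch: the January 2018 update installs the Meltdown and Spectre variant 2 code but leaves it disabled until the FeatureSettingsOverride registry values are set, so the update can be deployed everywhere and the mitigations enabled only where the assessment calls for it. The following script is an added example (not code from the article or from Approach): the registry paths and value names are Microsoft's; the function names, the decision helper and the illustrative "Remote Desktop host" call at the end are assumptions for this example. It assumes an elevated session on a Windows Server that already has the update installed, and a reboot after any change. On Linux hosts the equivalent check is the files under /sys/devices/system/cpu/vulnerabilities/, and the kernel mitigations can be turned off with the nopti and nospectre_v2 boot parameters.

```powershell
# Added example, not code from the article or from Approach. Reads and sets the
# Windows Server mitigation policy for Meltdown / Spectre variant 2.
# Assumptions: elevated session, Windows Server with the January 2018 (or later)
# cumulative update installed; a reboot is needed after Set-MitigationPolicy.

$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$hv = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-MitigationPolicy {
    # Enabled: Override=0, Mask=3. Disabled: Override=3, Mask=3.
    # NotConfigured behaves as Disabled on Windows Server (and as Enabled on Windows client).
    $p = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    if ($null -eq $p -or $null -eq $p.FeatureSettingsOverride) { return 'NotConfigured' }
    if ($p.FeatureSettingsOverride -eq 0 -and $p.FeatureSettingsOverrideMask -eq 3) { return 'Enabled' }
    if ($p.FeatureSettingsOverride -eq 3 -and $p.FeatureSettingsOverrideMask -eq 3) { return 'Disabled' }
    return "Other ($($p.FeatureSettingsOverride)/$($p.FeatureSettingsOverrideMask))"
}

function Set-MitigationPolicy {
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $override = if ($State -eq 'Enabled') { 0 } else { 3 }
    New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value $override -Force | Out-Null
    New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3         -Force | Out-Null
    # A Hyper-V host (vmms service present) must also allow existing VMs to see
    # the new CPU features, otherwise the guests cannot use the mitigations.
    if ($State -eq 'Enabled' -and (Get-Service -Name vmms -ErrorAction SilentlyContinue)) {
        if (-not (Test-Path $hv)) { New-Item -Path $hv -Force | Out-Null }
        New-ItemProperty -Path $hv -Name MinVmVersionForCpuBasedMitigations -PropertyType String -Value '1.0' -Force | Out-Null
    }
    Write-Host "Mitigation policy set to $State; reboot for it to take effect."
}

# Decision helper that encodes the article's criteria (assumed for this example):
# enable where untrusted code can run (VDI/RDP hosts, GUI in use, shared hosting,
# build agents), leave disabled on dedicated back-end servers.
function Get-RecommendedPolicy {
    param([bool]$ServesEndUsers, [bool]$RunsUntrustedCode)
    if ($ServesEndUsers -or $RunsUntrustedCode) { 'Enabled' } else { 'Disabled' }
}

Write-Host "Current policy: $(Get-MitigationPolicy)"
# Illustrative call for a Remote Desktop Session Host; adjust the two flags per server.
$wanted = Get-RecommendedPolicy -ServesEndUsers $true -RunsUntrustedCode $false
if ((Get-MitigationPolicy) -ne $wanted) { Set-MitigationPolicy -State $wanted }
```

Run it per server (or through your configuration management tool) after the cumulative update is installed. Note that the registry values only control the OS part: the Spectre variant 2 mitigation additionally needs the microcode update from the hardware vendor, so on a host where that update is not yet applied "Enabled" protects against Meltdown only.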
Conclusion & Summary
Depending on the element of your infrastructure you need to protect, our recommendations in a nutshell:
- End-user devices: apply all OS security updates (Meltdown); update browsers and keep them up to date (Spectre variant 1); apply the microcode/BIOS update once your hardware vendor declares it stable (Spectre variant 2).
- Servers in your own infrastructure: assess before applying the specific updates; treat virtual desktop, RDP and GUI servers as end-user devices.
- Servers in the cloud: check with the provider that both the host OS and the hypervisor are patched; assess guest OS updates as you would for your own servers.
Should you need any advices, please contact us.
About the article and the author:
- This article was written by Pierre Alexis, Cyber-Security Consultant, Approach
- LAST UPDATE OF THIS ARTICLE: 26 February 2018.
- This article is about a recently discovered vulnerability. Information may change rapidly as the situation evolves. Please visit this page periodically to get the latest update on this topic.
- Disclaimer: this information is shared for informational purposes only, is to be used with care, and is not intended as a substitute for the professional advice provided by our experts.