CPU Vulnerabilities “Meltdown” and “Spectre”
2018-01 ATS Security Advisory - CPU Vulnerabilities “Meltdown” and “Spectre”
A new class of vulnerability was recently discovered and reported by security researchers. Two specific examples of this vulnerability, called “Meltdown” and “Spectre”, can allow an attacker to read any memory content on a computer. This memory may contain information intended to be kept secret, such as passwords and other sensitive data. In cloud environments, where computing resources are shared, this vulnerability can allow an attacker to read memory on systems that belong to other tenants. Since this vulnerability affects physical hardware, it cannot be patched directly; it must be mitigated through software. Microsoft, Apple, and the Linux kernel developers have released patches to mitigate this class of vulnerability in Windows, MacOS and Linux, respectively. The available exploits for this vulnerability are only consistently successful against Intel processors.
ATS is currently working to mitigate this vulnerability in all managed systems. Customers hosted in the Azure Cloud are already protected. Operating system vendor patches are being reviewed and deployed to other managed systems.
Modern computer systems isolate memory between user processes and kernel (operating system) processes. This is an important security feature that prevents a process from reading or writing arbitrary information belonging to other processes or to the operating system itself. For example, a photo editing application should not be allowed to read the system memory where a password manager application stores secret passwords. Likewise, a web server service should not be allowed to read login credentials from kernel (operating system) memory. This feature, implemented by operating systems and supported by specific processor features, strengthens the security of computer systems.
Modern processors use clever techniques to improve performance. One technique, known as “out-of-order execution”, allows a processor to look ahead and process instructions that would be delayed if processed linearly. For instance, while a process is waiting for data to be read from a hard drive, the processor will look ahead and process instructions that do not depend on that data. Another technique, known as “branch prediction”, allows the processor to guess which path a process will take, and then compute the instructions in the guessed path. If the guessed path is wrong, those instructions are rolled back with no harm to the integrity of the process.
Researchers were able to use the branch prediction and out-of-order execution techniques, along with a known side-channel attack called “FLUSH+RELOAD”, to allow a user process to read kernel memory. First, the attacking program requests to read information from kernel memory. The branch prediction and out-of-order execution techniques allow this information to be read. This information is never shared directly with the attacking program, because of memory isolation. It is, however, stored in the processor cache. This processor cache, too, is not directly readable by the attacking process. The previously developed “FLUSH+RELOAD” attack allows the attacking process to indirectly deduce the contents of the cache. Ultimately, this allows the attacking process to read kernel memory.
Risk Mitigation Steps Taken by ATS on Behalf of Clients
Microsoft Azure infrastructure VM instances were updated with mitigations before public disclosure of the vulnerabilities. 
Managed Microsoft Windows systems have been updated to protect the operating system, as well as the Edge Browser. In some cases, these patches require firmware updates that are ongoing.
Managed Apple hardware, including supported versions of iOS and MacOS, has been updated with Apple-provided mitigations.
Managed Ubuntu Linux systems are updated to implement kernel mitigations. 
What Can You Do?
This is a serious issue that affects almost all servers, workstations and laptops. Some tablets and phones may be affected as well. ATS will work to mitigate these vulnerabilities on all affected managed systems. It is important that all systems are updated, including unmanaged and personal devices. Please apply patches to any unmanaged and personal computers.
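After patching a Linux system, you can confirm that the kernel mitigations for Meltdown and Spectre are actually active. The following script is an added example, not an ATS tool: it reads the per-issue status files that Linux kernels from 4.15 onward (and distribution backports, including Ubuntu's) expose under /sys/devices/system/cpu/vulnerabilities/, and reports any issue that is still "Vulnerable" or not reported at all. The constructed sample directories in make_sample exist only so the check can be exercised without the real interface.

```shell
#!/bin/sh
# check_mitigations [DIR]
# Reads meltdown, spectre_v1 and spectre_v2 from DIR (default: the kernel's
# sysfs vulnerabilities directory). Each file reads "Not affected",
# "Vulnerable" or "Mitigation: <name>". Prints one line per issue and returns
# 0 when every issue is mitigated or not applicable, 1 when any issue is still
# vulnerable, unreadable, or reports an unrecognised status.
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    status=0
    for issue in meltdown spectre_v1 spectre_v2; do
        file="$dir/$issue"
        if [ ! -r "$file" ]; then
            # Kernels older than the fix do not create these files at all.
            echo "$issue: UNKNOWN (kernel does not report status; update the kernel)"
            status=1
            continue
        fi
        value=$(cat "$file")
        case "$value" in
            "Not affected"*) echo "$issue: OK ($value)" ;;
            "Mitigation:"*)  echo "$issue: OK ($value)" ;;
            "Vulnerable"*)   echo "$issue: VULNERABLE ($value)"; status=1 ;;
            *)               echo "$issue: UNKNOWN ($value)"; status=1 ;;
        esac
    done
    return $status
}

# make_sample DIR MELTDOWN SPECTRE_V1 SPECTRE_V2
# Constructed test data: writes a pretend sysfs directory so the check can be
# run against a known "patched" or "unpatched" state on any machine.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/meltdown"
    printf '%s\n' "$3" > "$1/spectre_v1"
    printf '%s\n' "$4" > "$1/spectre_v2"
}
```

On a live host, run check_mitigations with no argument and treat a non-zero exit status as "not yet mitigated"; the UNKNOWN lines are the ones to investigate first, since they usually mean the kernel predates the fix.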
Feel free to contact firstname.lastname@example.org with any questions or concerns. As always, we value hearing from our clients about general and specific security concerns so that we can provide the best possible services.