As we start 2018, security teams are facing two of the most serious security vulnerabilities in recent memory. Meltdown and Spectre are related hardware design vulnerabilities that affect almost every modern CPU. The exploits abuse a CPU performance feature known as “speculative execution” to read memory locations that are supposed to be reserved for the operating system kernel. Both of these vulnerabilities have the potential to expose cryptographic keys, which would place your machine identities at risk.
Why these vulnerabilities are significant
Meltdown (CVE-2017-5754) breaks the fundamental isolation barrier between applications run by users and the computer’s operating system; this barrier is normally highly protected. A successful exploit of Meltdown could allow even simple programs, such as the JavaScript that runs when a browser visits a web page, to access the memory and secrets of other applications and the operating system. Leaked data could include files, passwords and cryptographic keys.
Meltdown exists in almost every Intel processor manufactured after 1995. Furthermore, cloud providers without real hardware virtualization, such as those that rely on containers (Docker, LXC or OpenVZ) sharing a single kernel, are susceptible to Meltdown.
Spectre (CVE-2017-5753 and CVE-2017-5715) breaks the isolation between different applications running on a CPU. A successful exploit could allow an attacker to steal a wide range of sensitive data from otherwise secure, error-free programs, including logins and passwords, credit card and financial data, and cryptographic keys. Ironically, the safety checks used by applications that follow secure coding practices actually increase the attack surface and may make applications more susceptible to Spectre. At present, Spectre has only been shown to break the isolation between user-level applications, but it seems likely the attack can be developed further.
Practically every computing device is affected by Spectre, including laptops, desktops, tablets, smartphones and even cloud computing systems. Depending on the architecture of your cloud provider’s infrastructure, attackers may be able to use Spectre to steal data from multiple tenants. Cloud providers that use Intel CPUs and Xen PV as virtualization are particularly susceptible.
Spectre is more difficult to exploit than Meltdown but it is also more challenging to mitigate due to its generality. The original white paper even speculates that significant changes in microprocessor architecture might be needed to fully address the problem.
What’s the risk?
At the moment, there are no known exploits of these vulnerabilities in the wild. However, because of the severity of these vulnerabilities, experts expect that hackers will quickly develop programs to launch attacks now that detailed information is publicly available. We should also assume that these programs will make their way into standard attacker tool kits.
What you should do:
- Patch all systems now
Patches for Meltdown are already available for Windows, Linux and OS X, and application vendors are rolling out patches. There is also work being done to harden software against future exploits of Spectre. We recommend that you monitor the availability of patches for your infrastructure and apply them as soon as they become available.
- Replace all keys and certificates on systems after you have patched
Because these vulnerabilities enable the exfiltration of machine identities, we strongly recommend that you rotate your keys once the requisite patches have been applied.
If exploited by attackers, these vulnerabilities will enable the exfiltration of key material. The best practice is to replace keys so that if any exfiltration has occurred, it will not enable an attack. A good analogy is an attack on usernames and passwords -- if you think passwords could be in the wild, you replace the passwords so they can’t be used in an attack.
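A defender-side gate that ties the two steps together, added here as an example and not code from the original post: it reads the per-vulnerability status files that Linux kernels carrying the fixes expose under /sys/devices/system/cpu/vulnerabilities (assumed Linux host), and schedules rotation of every pre-patch key only once the host reports mitigation, holding it otherwise so the replacement key is not exposed in turn. The status strings and key inventory below are constructed samples.

```python
from datetime import datetime, timezone
from pathlib import Path

# Kernels carrying the fixes report per-vulnerability status here (assumed Linux host).
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
REQUIRED = ("meltdown", "spectre_v1", "spectre_v2")

def entry_mitigated(text: str) -> bool:
    """One sysfs entry counts as safe only for 'Not affected' or a 'Mitigation: ...' line."""
    text = text.strip()
    return text == "Not affected" or text.startswith("Mitigation:")

def host_mitigated(statuses: dict) -> bool:
    """All three entries must exist and be mitigated; a missing file means an unpatched kernel."""
    return all(entry_mitigated(statuses.get(name, "Vulnerable")) for name in REQUIRED)

def read_sysfs_statuses(vuln_dir: Path = SYSFS_VULN_DIR) -> dict:
    """Collect live status; an absent directory is treated as 'nothing mitigated'."""
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text() for p in vuln_dir.iterdir() if p.is_file()}

def rotation_plan(statuses: dict, keys: list, patched_at: datetime):
    """Split an inventory into (rotate_now, hold_until_patched).

    Any key that existed on the host before the patch is treated as potentially leaked.
    Rotating it on a still-vulnerable host would only expose the replacement, so such
    keys are held until the host reports mitigation; keys created after patching need nothing.
    """
    exposed = [k["id"] for k in keys
               if datetime.fromisoformat(k["created"]) <= patched_at]
    return (exposed, []) if host_mitigated(statuses) else ([], exposed)

# Constructed samples: status text in the kernel's format, plus a tiny key inventory.
PATCHED_HOST = {"meltdown": "Mitigation: PTI\n",
                "spectre_v1": "Mitigation: __user pointer sanitization\n",
                "spectre_v2": "Mitigation: Full generic retpoline\n"}
UNPATCHED_HOST = {"meltdown": "Vulnerable\n",
                  "spectre_v1": "Mitigation: __user pointer sanitization\n"}  # no spectre_v2 entry
PATCHED_AT = datetime(2018, 1, 5, tzinfo=timezone.utc)
KEY_INVENTORY = [
    {"id": "tls-web-01", "created": "2017-11-20T09:00:00+00:00"},
    {"id": "ssh-host-key", "created": "2016-03-02T12:30:00+00:00"},
    {"id": "tls-api-new", "created": "2018-01-06T08:00:00+00:00"},  # issued after patching
]
```

Run `rotation_plan(read_sysfs_statuses(), KEY_INVENTORY, PATCHED_AT)` on a live host to get the two lists for that machine.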
Meltdown and Spectre are continuing evidence of the need to be able to quickly and automatically replace keys and certificates on a large scale. This capability is essential to maintaining effective management for machine identities, making it foundational to every security strategy and architecture. Are you prepared to rotate large numbers of keys and certificates without disrupting your business?