What do you call what’s worse than (a) BEAST?
The biggest cyber security news of 2018 has surfaced, and much has already been said about the Meltdown and Spectre vulnerabilities.
The most complete non-technical article I’ve read about this yet is available here
Like the BEAST (SSL/TLS) vulnerability, these flaws have widespread applicability and give the adversary tremendous opportunity to breach information confidentiality. The similarities stop there, though. Unlike BEAST, which exploited a weakness in TLS 1.0's CBC mode and could be fixed in browsers and TLS libraries, Meltdown and Spectre are flaws in the processor itself, the component every operating system depends on. Mitigating them therefore requires changes to every operating system and hypervisor, CPU microcode updates and, for Spectre, changes to compilers, browsers and individual applications as well. Suffice it to say that this is much bigger than BEAST in my opinion.
To recap: on affected systems, Meltdown lets an unprivileged program read memory it should never see, including the memory of other processes and, in some cloud configurations (paravirtualised Xen guests and containers sharing a host kernel), of other tenants, without any permissions or privileges beyond the ability to run code on the machine. Technically it reads kernel memory, and because the kernel maps all of physical memory into its own address space, that is enough to reach everything else. This breaks memory isolation, a core operating system security feature: a malicious program can access the memory space allotted to any other program on the same hardware. Scary, isn't it?
Spectre, on the other hand, involves inducing a victim program to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel (typically the CPU cache) to the adversary. The victim can be any process, including a browser executing attacker-supplied JavaScript, which is why there is no single kernel-level fix for Spectre and mitigations have to be applied in compilers, browsers and applications as well as in the operating system.
From a technical standpoint, the two white papers referenced above contain pretty much everything anyone needs to know about these flaws and how they can be exploited. For enterprise defenders and IT departments, however, here are some of the most important things to bear in mind:
- The direct impact of these vulnerabilities is a confidentiality breach, but the information gathered that way (credentials, keys, session tokens) can then be used to breach system integrity and availability, and to damage the reputation of the victim organization
- Understand your attack surface. This vulnerability is a good reminder of why organizations need to prioritize SANS/CIS critical controls 1 and 2 (inventory of authorized and unauthorized devices, and of software): you cannot plan microcode, kernel and hypervisor updates for hardware and systems you do not know you have
- Your greatest issue "is in the cloud"! Although workstations and servers are equally impacted, bear in mind that most of what the adversary wants resides on servers, and most organizations now have some portion of their server infrastructure in the cloud. I imagine that cloud service providers (CSPs) will be the most targeted in the coming weeks/months/years because of the huge return on effort for the attacker. Owing to the side channel attack vector, the 'reward' for the attacker is huge in a multi-tenant environment, where a single host serves many customers. To this end, organizations must require their CSPs to fulfil their due diligence and due care obligations and obtain assurance (patch status statements for the hypervisor and host firmware) that this has been done.
Amazon has stated that less than 10% of its Elastic Compute Cloud (EC2) fleet remains vulnerable, but warned that customers still need to fulfil their own portion of the shared responsibility model, that is, patching the guest operating system inside their instances, for full protection to be assured.
This is not a vulnerability to be trivialized. The fact that Microsoft and Google made public pronouncements outside their regular monthly release cycles underscores the importance of paying close attention to remediation and to how it evolves in the coming weeks.
With everything said, though, it still isn't time to hit the panic button. Emergency patches have been released, but it is more important to first understand your attack surface within and outside your perimeter, and to develop an effective remediation plan, than to apply patches hurriedly. Hurried patching only gives you a false sense of security: an operating system patch without the matching CPU microcode, hypervisor, browser and application updates still leaves part of the exposure open, and a rollout that is not tracked against a complete inventory will miss systems.
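As a starting point for the attack-surface inventory recommended above, here is an added example (my own script, not from the original post) that summarises a Linux host's Meltdown/Spectre status from the sysfs interface that kernels carrying the fixes (4.15 and the stable backports) expose under /sys/devices/system/cpu/vulnerabilities. Each file there holds one line such as "Not affected", "Vulnerable" or "Mitigation: PTI". The VULN_DIR override, the function names and the verdict wording are my assumptions; the directory path and the status strings are the kernel's.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a Linux host's
# Meltdown/Spectre mitigation status from the kernel's sysfs interface.
# VULN_DIR is an assumed override hook so the functions can be pointed at a
# constructed directory for testing; the default is the real kernel path.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Map one kernel status string to a short verdict on stdout.
classify_status() {
    case "$1" in
        "Not affected"*) echo notaffected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "<flaw>: <verdict> (<raw status>)" per entry. A missing directory is
# itself a finding: the kernel predates the reporting interface, so it also
# predates the fixes and must be treated as vulnerable, not as "nothing found".
report_mitigations() {
    dir="${1:-$VULN_DIR}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates the fixes, assume vulnerable"
        return 0
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s (%s)\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# Echo the number of entries still reported as Vulnerable. An absent
# directory counts as 1 so that an old kernel can never read as all clear.
count_vulnerable() {
    dir="${1:-$VULN_DIR}"
    n=0
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            [ -r "$f" ] || continue
            if [ "$(classify_status "$(cat "$f")")" = vulnerable ]; then
                n=$((n + 1))
            fi
        done
    else
        n=1
    fi
    echo "$n"
}

# Entry point: print the per-flaw report and a one-line verdict that a
# fleet-wide inventory job can grep for. Always exits 0 so it is safe to
# run from a loop over many hosts.
vuln_main() {
    report_mitigations "$1"
    if [ "$(count_vulnerable "$1")" -eq 0 ]; then
        echo "verdict: all reported flaws mitigated or not affected"
    else
        echo "verdict: host still exposed, schedule kernel/microcode update"
    fi
}

vuln_main "$@"
```

Run it on each Linux host (optionally with an alternative directory as the first argument) and collect the verdict lines against your asset inventory; hosts that print the "kernel predates the fixes" line are the ones most in need of attention, since they cannot even report. On Windows, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) gives the equivalent view, including whether the CPU microcode needed for the Spectre variant 2 mitigation is present.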