A major flaw in the way modern CPUs access cache memory could allow one program to access data from another program. The latest security vulnerability affects a majority of systems, if not all, used today. The vulnerabilities are named Spectre and Meltdown and also have a dedicated website.

According to the security advisory, Spectre breaks the isolation between different applications and allows an attacker to expose data once thought to be secure. Meltdown breaks the most fundamental isolation between user applications and the operating system. Both attacks are independent of the operating system and do not rely on any software vulnerabilities. To reduce the risk of compromise, users must apply software patches as quickly as possible.

Side channel attacks

Both bugs are classed as side channel attacks because the secret is never read directly: it is inferred through a side channel (the CPU cache) after the memory location has been accessed. Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through that side channel. The attack exploits speculative execution, a technique used by high-speed processors to increase performance by guessing likely future execution paths and preemptively executing the instructions in them. Spectre takes advantage of this behaviour and affects all modern processors capable of keeping many instructions in flight.

Memory isolation is a cornerstone of security: it is what allows multiple processes to run safely on the same device. The Meltdown bug overcomes this isolation and allows any application to read all system memory, including memory allocated to the kernel. Here the side channel is a side effect of out-of-order execution, another performance enhancement used by processors. Meltdown specifically affects every Intel processor in desktop, laptop and cloud computers, except Intel Itanium and Intel Atom before 2013.

Identifying affected systems

Operating system vendors are forgoing regular patch release cycles and publishing operating system patches to address this issue. Tenable.io, SecurityCenter and Nessus can identify affected systems by looking for the newly released patches. Each plugin created for the Spectre and Meltdown vulnerabilities will be marked with at least one of the following CVEs:

  • CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

To identify which systems are affected using Tenable.io, open the workbench and, using the advanced search, apply a CVE filter (CVE-2017-5753,CVE-2017-5715,CVE-2017-5754) as shown below. In the example filter, each CVE is placed in the field separated using a comma.

[Image: Advanced Search]

Plugins

When searching for the plugins using CVE you will find several plugins. Please note, as new plugins are available they will be automatically added to the plugin feed.

Vendor            Plugin ID  Description
Amazon            105517     Amazon Linux AMI : kernel (ALAS-2018-939)
Microsoft         105547     KB4056888: Windows 10 Version 1511 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105548     KB4056890: Windows 10 Version 1607 and Windows Server 2016 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105549     KB4056891: Windows 10 Version 1703 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105550     KB4056892: Windows 10 Version 1709 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105551     KB4056893: Windows 10 LTSB January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105552     KB4056897: Windows 7 and Windows Server 2008 R2 January 2018 Security Update (Meltdown)(Spectre)
Microsoft         105553     KB4056898: Windows 8.1 and Windows Server 2012 R2 January 2018 Security Update (Meltdown)(Spectre)
Red Hat           105523     RHEL 7 : kernel (RHSA-2018:0007)
Red Hat           105524     RHEL 6 : kernel (RHSA-2018:0008)
Red Hat           105525     RHEL 7 : kernel (RHSA-2018:0009)
Red Hat           105526     RHEL 7 : kernel (RHSA-2018:0010)
Red Hat           105527     RHEL 6 : kernel (RHSA-2018:0011)
Red Hat           105528     RHEL 7 : microcode_ctl (RHSA-2018:0012)
Red Hat           105529     RHEL 6 : microcode_ctl (RHSA-2018:0013)
Red Hat           105530     RHEL 7 : linux-firmware (RHSA-2018:0014)
Red Hat           105531     RHEL 7 : linux-firmware (RHSA-2018:0015)
Red Hat           105532     RHEL 7 : kernel-rt (RHSA-2018:0016)
Red Hat           105533     RHEL 6 : kernel (RHSA-2018:0017)
Scientific Linux  105534     Scientific Linux Security Update : kernel on SL6.x i386/x86_64
Scientific Linux  105535     Scientific Linux Security Update : kernel on SL7.x x86_64
Scientific Linux  105536     Scientific Linux Security Update : microcode_ctl on SL6.x i386/x86_64
Scientific Linux  105537     Scientific Linux Security Update : microcode_ctl on SL7.x x86_64
SUSE              105539     SUSE SLED12 / SLES12 Security Update : ucode-intel (SUSE-SU-2018:0006-1)
SUSE              105540     SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:0007-1)
SUSE              105541     SUSE SLES11 Security Update : microcode_ctl (SUSE-SU-2018:0009-1)
VMware            105485     VMware Fusion 8.x < 8.5.9 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (macOS)
VMware            105555     VMware Player 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre)
VMware            105487     VMware Workstation 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre)
VMware            105486     ESXi 5.5 / 6.0 / 6.5 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (remote check)

Scanning for vulnerabilities

Tenable.io and SecurityCenter users will receive a new scan policy to run scans targeting Spectre and Meltdown. To create a scan job, go to ‘Scan policy templates’ and select the policy shown in the image below. All of the required plugins are assigned to the policy. You will then need to add credentials for the systems you are targeting. All plugins in the policy require credentials to be executed.

[Image: Meltdown Scan Policy]

Dashboard

On Jan. 5, SecurityCenter users will have a dashboard available in the feed allowing for easy identification of affected systems. The dashboard will provide two components that use the CVE to group affected systems by Plugin Group and Vulnerability. Each view provides customers with a focused view of systems that need to be patched. The other components show how the customer is progressing with mitigating vulnerabilities based on patch published date.

[Image: Spectre and Meltdown Dashboard]
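The CVE filter from the advanced search above and the dashboard's grouping by vulnerability and by plugin can also be reproduced offline against a scan export. The script below is an added example, not Tenable's code; it assumes a CSV export carrying at least the columns Plugin ID, CVE, Host and Name, and the sample rows are constructed from plugin IDs and titles in the table above.

```python
import csv
import io
from collections import defaultdict

# The three CVEs used in the Tenable.io advanced-search filter.
SPECTRE_MELTDOWN_CVES = {"CVE-2017-5753", "CVE-2017-5715", "CVE-2017-5754"}

# Constructed sample in the shape of a Nessus/Tenable.io CSV export
# (real exports carry more columns; only these four are needed here).
SAMPLE_EXPORT = """Plugin ID,CVE,Host,Name
105547,CVE-2017-5753,10.0.0.11,KB4056888: Windows 10 Version 1511 January 2018 Security Update (Meltdown)(Spectre)
105547,CVE-2017-5715,10.0.0.11,KB4056888: Windows 10 Version 1511 January 2018 Security Update (Meltdown)(Spectre)
105547,CVE-2017-5754,10.0.0.11,KB4056888: Windows 10 Version 1511 January 2018 Security Update (Meltdown)(Spectre)
105523,"CVE-2017-5753,CVE-2017-5715,CVE-2017-5754",10.0.0.20,RHEL 7 : kernel (RHSA-2018:0007)
105528,CVE-2017-5715,10.0.0.20,RHEL 7 : microcode_ctl (RHSA-2018:0012)
10180,,10.0.0.30,Ping the remote host
"""


def parse_findings(csv_text):
    """Yield (host, plugin_id, name, cve) tuples, one per CVE on a row.

    Exports usually put one CVE per row, but a cell may also hold a
    comma-separated list; both shapes are handled. Rows without a CVE
    (informational plugins) yield nothing.
    """
    for row in csv.DictReader(io.StringIO(csv_text)):
        for cve in (c.strip() for c in row["CVE"].split(",")):
            if cve:
                yield row["Host"], row["Plugin ID"], row["Name"], cve


def affected_hosts(csv_text, cves=SPECTRE_MELTDOWN_CVES):
    """Apply the CVE filter and group hits the way the dashboard does:
    by vulnerability (CVE) and by plugin, i.e. by missing patch."""
    by_cve = defaultdict(set)
    by_plugin = defaultdict(set)
    for host, plugin_id, name, cve in parse_findings(csv_text):
        if cve in cves:
            by_cve[cve].add(host)
            by_plugin[(plugin_id, name)].add(host)
    return by_cve, by_plugin


if __name__ == "__main__":
    by_cve, by_plugin = affected_hosts(SAMPLE_EXPORT)
    for cve, hosts in sorted(by_cve.items()):
        print(f"{cve}: {len(hosts)} host(s): {', '.join(sorted(hosts))}")
    for (pid, name), hosts in sorted(by_plugin.items()):
        print(f"plugin {pid} ({name}) missing on {', '.join(sorted(hosts))}")
```

Host 10.0.0.30 only carries an informational finding and so never appears in either grouping.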

Wrapping up

We will continue to research these vulnerabilities and investigate different ways to detect them. When new information is available, we will release additional plugins. This vulnerability is a real and present danger to all organizations and should be patched immediately. While Microsoft, Red Hat, VMware and other vendors are making efforts to release patches, organizations are responsible for applying those patches as soon as possible.