A major flaw in the way modern CPUs access cache memory could allow one program to access data from another program. The latest security vulnerability affects a majority of systems, if not all, used today. The vulnerabilities are named Spectre and Meltdown and also have a dedicated website.
According to the security advisory, Spectre breaks the isolation between different applications and allows an attacker to expose data once thought to be secure. Meltdown breaks the most fundamental isolation between user applications and the operating system. Both attacks are independent of the operating system and do not rely on any software vulnerabilities. To reduce the risk of compromise, users must apply software patches as quickly as possible.
Side channel attacks
The new bugs are considered side channel attacks since they use side channels to obtain the information from the accessed memory location. Spectre allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. This unique side channel attack is done by speculative execution, a technique used by high-speed processors in order to increase performance by guessing likely future execution paths and preemptively executing the instructions in them. Spectre takes advantage of this execution and affects all modern processors capable of keeping instructions in flight.
Furthermore, memory isolation is a cornerstone of security and the environment that allows multiple processes to be run on a device. The Meltdown bug allows any application to access all system memory including memory allocated to the kernel and overcomes the memory isolation. The unique side channel attack is one side effect caused by out-of-order execution that is used as a performance enhancement for processors. Meltdown specifically affects every Intel processor on all desktop, laptop and cloud computers except Intel Itanium and Intel Atom before 2013.
Identifying affected systems
Operating system vendors are forgoing regular patch release cycles and publishing operating system patches to address this issue. Tenable.io, SecurityCenter and Nessus can identify affected systems by looking for the newly released patches. Each plugin created for the Spectre and Meltdown vulnerabilities will be marked with at least one of the following CVEs :
- CVE-2017-5753: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
- CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
- CVE-2017-5754: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
To identify which systems are affected using Tenable.io, open the workbench and, using the advanced search, apply a CVE filter (CVE-2017-5753,CVE-2017-5715,CVE-2017-5754) as shown below. In the example filter, each CVE is placed in the field separated using a comma.
When searching for the plugins using CVE you will find several plugins. Please note, as new plugins are available they will be automatically added to the plugin feed.
|Amazon||105517||Amazon Linux AMI : kernel (ALAS-2018-939)|
|Microsoft||105547||KB4056888: Windows 10 Version 1511 January 2018 Security Update (Meltdown)(Spectre)|
|Microsoft||105548||KB4056890: Windows 10 Version 1607 and Windows Server 2016 January 2018 Security Update (Meltdown)(Spectre)|
|Microsoft||105549||KB4056891: Windows 10 Version 1703 January 2018 Security Update (Meltdown)(Spectre)|
|Microsoft||105550||KB4056892: Windows 10 Version 1709 January 2018 Security Update (Meltdown)(Spectre)|
|Microsoft||105551||KB4056893: Windows 10 LTSB January 2018 Security Update (Meltdown)(Spectre)|
|Microsoft||105552||KB4056897: Windows 7 and Windows Server 2008 R2 January 2018 Security Update (Meltdown)(Spectre)|
|Microsoft||105553||KB4056898: Windows 8.1 and Windows Server 2012 R2 January 2018 Security Update (Meltdown)(Spectre)|
|Red Hat||105523||RHEL 7 : kernel (RHSA-2018:0007)|
|Red Hat||105524||RHEL 6 : kernel (RHSA-2018:0008)|
|Red Hat||105525||RHEL 7 : kernel (RHSA-2018:0009)|
|Red Hat||105526||RHEL 7 : kernel (RHSA-2018:0010)|
|Red Hat||105527||RHEL 6 : kernel (RHSA-2018:0011)|
|Red Hat||105528||RHEL 7 : microcode_ctl (RHSA-2018:0012)|
|Red Hat||105529||RHEL 6 : microcode_ctl (RHSA-2018:0013)|
|Red Hat||105530||RHEL 7 : linux-firmware (RHSA-2018:0014)|
|Red Hat||105531||RHEL 7 : linux-firmware (RHSA-2018:0015)|
|Red Hat||105532||RHEL 7 : kernel-rt (RHSA-2018:0016)|
|Red Hat||105533||RHEL 6 : kernel (RHSA-2018:0017)|
|Scientific Linux||105534||Scientific Linux Security Update : kernel on SL6.x i386/x86_64|
|Scientific Linux||105535||Scientific Linux Security Update : kernel on SL7.x x86_64|
|Scientific Linux||105536||Scientific Linux Security Update : microcode_ctl on SL6.x i386/x86_64|
|Scientific Linux||105537||Scientific Linux Security Update : microcode_ctl on SL7.x x86_64|
|SUSE||105539||SUSE SLED12 / SLES12 Security Update : ucode-intel (SUSE-SU-2018:0006-1)|
|SUSE||105540||SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:0007-1)|
|SUSE||105541||SUSE SLES11 Security Update : microcode_ctl (SUSE-SU-2018:0009-1)|
|VMware||105485||VMware Fusion 8.x < 8.5.9 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (macOS)|
|VMware||105555||VMware Player 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre)|
|VMware||105487||VMware Workstation 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre)|
|VMware||105486||ESXi 5.5 / 6.0 / 6.5 / Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (remote check)|
Scanning for vulnerabilities
Tenable.io and SecurityCenter users will receive a new scan policy to run scans targeting Spectre and Meltdown. To create a scan job, go to ‘Scan policy templates’ and select the policy shown in the image below. All of the required plugins are assigned to the policy. You will then need to add credentials for the systems you are targeting. All plugins in the policy require credentials to be executed.
On Jan. 5, SecurityCenter users will have a dashboard available in the feed allowing for easy identification of affected systems. The dashboard will provide two components that use the CVE to group affected systems by Plugin Group and Vulnerability. Each view provides customers with a focused view of systems that need to be patched. The other components show how the customer is progressing with mitigating vulnerabilities based on patch published date.
We will continue to research these vulnerabilities, and investigate different ways to detect them. When new information is available, we will release additional plugins. This vulnerability is a real and present danger to all organizations and should be patched immediately. While Microsoft, Red Hat, VMWare and other vendors are making efforts to release patches, organizations are responsible for applying those patches as soon as possible.