Meltdown/Spectre Vulnerability Remediation Starts with Visibility: Absolute Can Help

By: Absolute Security | 1/5/2018

Here we are, just a few days into the New Year, and already headlines are buzzing with news of a pair of serious vulnerabilities. While originally discovered many months ago, by multiple researchers, Meltdown and Spectre were officially publicly disclosed on Tuesday. Widely reported first as an ‘Intel bug’ because the flaw is found in most of the world’s microprocessors, you are virtually guaranteed to be impacted by this one. But before you pull the fire alarm and run, you should consider a few things.

First off, “don’t panic”. These two issues are not actively being exploited in the wild, at least not yet. There is always the possibility that this can change as more and more people put their minds to it, but as of yet, this has not exploded in the wild.

So what are these two issues? Let’s cover each very briefly:

Meltdown: the official CVE for Meltdown is CVE-2017-5754, and impacts virtually every Intel processor manufactured since 1995. As of right now, it is not certain if AMD and ARM processors are also vulnerable, but the researchers behind the discovery believe it is theoretically possible. More research will be done in the coming days and weeks… but expect that most desktops, laptops in your environment will require patching.

So what is it? In a nutshell, Meltdown allows attackers to read physical memory from any unprivileged user process, including kernel memory. How could an attacker take advantage of this? Well, an attacker exploiting Meltdown should be able to dump a computer’s memory and scour it for things like password hashes, private keys, or other useful information that could be use to elevate privileges for the attacker. Think something like Mimikatz, but on steroids.

It may also, just as seriously, be used to allow an attacker to escape a hypervisor or container. If an attack leveraging Meltdown were to target kernel memory shared between a container and the host kernel or kernel sandbox, then they may be able to escape the hypervisor.

Spectre: Spectre has two assigned CVE’s: CVE-2017-5715 and CVE-2017-5753. Unlike Meltdown though, it has already been verified to impact Intel, AMD, and ARM processors, meaning that virtually every modern desktop, laptop, server, cloud server, and smartphone is likely vulnerable. In its most basic terms, Spectre breaks the isolation between different applications or browser instances on a device.

How might an attacker use Spectre? Well, one likely attack would involve using specially-crafted JavaScript in the web browser to read data from other tabs or sandboxes in the browser. This attack would leak browser memory and reveal secrets from another sandbox. All sorts of interesting or sensitive information could be stolen, including private information, and session keys - which would make precautions like two-factor authentication useless.

It could also possibly leak addresses of modules in user space which would bypass Address Space Layout Randomization (ASLR), which could lead to remote code execution (RCE), which as we know, is bad.

A lot of impacted vendors were given this vulnerability information ahead of it becoming public, and have already prepared patches. If patches are already available, it’s critical you evaluate the feasibility of deploying them right away. It is expected that a large number of additional patches will start popping up both out-of-band and as part of next week’s Patch Tuesday. This includes antivirus vendors, who will need to create their own patches to ensure their AV engines do not continue to allow these vulnerabilities to continue.

How Absolute Can Help

The Reach Detection Script for Meltdown and Spectre is now live in the Absolute console for customers with our Resilience and Premium licenses. This script enables Reach customers to efficiently assess their current exposure by providing total endpoint visibility. Customers can leverage the Reach automation engine and script library to query and remediate endpoint vulnerabilities using actionable and authenticated scripts created based on the collective intelligence of other security experts who have addressed the issue successfully. We will also provide customers with supporting documentation and how-to videos to make getting an accurate picture of your environment as easy as possible.

As many additional vendors expect to deploy patches on January 9th, our technical teams will assess each patch and add remediation scripts to the Reach Library next week.

To remain safe and resilient, Absolute also ensures complementary endpoint controls such as CrowdStrike, Carbon Black, Cylance and other agents to self-heal through Absolute Persistence, ensuring they are present and healthy for the most resilient endpoints protection possible.

You need to assess your endpoints, and fast.

Endpoints – and in particular, dark endpoints – are an ever-present danger to organizations so total visibility and situational awareness are crucial. If you can react quickly and remediate affected systems right away, you will be ready for whatever else may come next. And Absolute will be at your side to help you if and when the next “meltdown” happens.

Financial Services