Advisory January 18, 2018

Meltdown and Spectre attacks

Three CVE entries have been announced for the vulnerabilities titled Spectre and Meltdown which are affecting modern computer processors (Intel, AMD, ARM and Qualcomm processors). The CVE entries are the following:

  • Meltdown: An attacker can access kernel memory from user space
  • Spectre: An attacker can read memory contents from other users’ running programs

While still being under investigation and patches and firmware updates continue to be released, no exploitation of these vulnerabilities has been publicly reported until now. Proof of concept exploit code being developed to exploit these vulnerabilities has been available.

What is the impact of this attack?

CPU hardware implementations of modern processors are vulnerable to side-channel attacks referred to as Meltdown and Spectre. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information (e.g. steal sensitive information from the memory space of another process), still under specific circumstances including:

  • the device being targeted uses specific CPU hardware (Intel, AMD, Qualcomm, or ARM).
  • the attacker must be able to execute their own code (e.g. Javascript) on the device.

What our customers should do as part of mitigation and prevention actions

As patches and firmware updates continue to be released, customers are advised to contact their hardware and software vendors to verify that any patches and firmware updates being released can be applied. Customers may need to apply them to a test infrastructure for verification purpose to avoid any incompatibility issues. Customers who are utilizing a Cloud infrastructure (Amazon, Azure, etc) should contact directly their cloud providers for specific advisories.

The Security Operations Center of Obrela Security Industries has increased its readiness and verbosity over communication to list of suspicious IP addresses, network based attacks, suspicious email attachments/links, suspicious process/command execution and more.

Additionally, customers should:

  • Ensure that anti-malware software is running on all endpoints in the organization and ensure that the software regularly receives malware signature updates.
  • Alert their users to be aware of phishing attempts, i.e. they should not open emails that contain links or attachments from unknown recipients or when the subject or content of the email is unusual to them.
  • Use ad blocking and script disabling software to allow no JavaScript-based browser attacks
  • Ensure blocking any connections to TOR nodes and TOR -related traffic on network