Monday, 15 January 2018

Meltdown and Spectre (Vulnerabilities in modern computers leak passwords and sensitive data)

The world’s biggest chip-makers and software companies, including Intel Corp. and Microsoft Corp., are coming to grips with a vulnerability that leaves vast numbers of computers and smartphones susceptible to hacking and performance slowdowns.

Google researchers recently discovered that a feature, present in almost all of the billions of processors that run computers and phones around the world, could give cyberattackers unauthorized access to sensitive data -- and whose remedy could drag on device performance.

 Intel said its chips weren’t the only ones affected and predicted no material effect on its business, while Microsoft, the largest software maker, said it released a security update to protect users of devices running Intel and other chips. Google, which said the issue affects Intel, AMD and ARM Holdings Plc chips, noted that it updated most of its systems and products with protections from attack. 

 Meltdown has been the vulnerability that's been getting the most attention because it's readily exploitable, with proof of concept code publicly available.

Spectre, which is actually two related vulnerabilities, also raised some fears when some news sites reported that it's unfixable. That's not exactly true either, according to Masters, although the fix isn't as easy or straightforward as it is with Meltdown.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.

This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

Improvements and fixes by Microsoft
This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addresses issue where event logs stop receiving events when a maximum file size policy is applied to the channel.
  • Addresses issue where printing an Office Online document in Microsoft Edge fails.
  • Addresses issue where the touch keyboard doesn’t support the standard layout for 109 keyboards.
  • Addresses video playback issues in applications such as Microsoft Edge that affect some devices when playing back video on a monitor and a secondary, duplicated display.
  • Addresses issue where Microsoft Edge stops responding for up to 3 seconds while displaying content from a software rendering path.
  • Addresses issue where only 4 TB of memory is shown as available in Task Manager in Windows Server version 1709 when more memory is actually installed, configured, and available.
  • Addresses issue where update installation may stop at 99% and may show elevated CPU or disk utilization. This occurs if a device was reset using the Reset this PC functionality after installing KB4054022.
  • Security updates to Windows SMB Server, the Windows Subsystem for Linux, Windows Kernel, Windows Datacentre Networking, Windows Graphics, Microsoft Edge, Internet Explorer, and the Microsoft Scripting Engine.

Recommended actions
Customers should take the following actions to help protect against the vulnerabilities:

  1. Apply the Windows operating system update. For details about how to enable this update, see Microsoft Knowledge Base article 4072699.
  2. Make necessary configuration changes to enable protection.
  3. Apply an applicable firmware update from the OEM device manufacturer.
Important: Customers who install only the Windows update will not receive the benefit of all known protections.

Windows Server-based machines (physical or virtual) should get the Windows security updates that were released on January 3, 2018, and are available from Windows Update. The following updates are available:

| Operating system version | Update KB |
| --- | --- |
| Windows Server, version 1709 (Server Core Installation) | |
| Windows Server 2016 | |
| Windows Server 2012 R2 | |
| Windows Server 2012 | Not available |
| Windows Server 2008 R2 | |
| Windows Server 2008 | Not available |

In addition to installing the January security update, a processor microcode update is required. This should be available through your OEM.

The Linux vs Meltdown and Spectre Battle Continues
Where are we with fixing the problems? Work is continuing, but the latest update of the stable Linux kernel, 4.14.2, has the current patches. Some people may experience boot problems with this release, but 4.14.13 will be out in a few days.
Patches have also been added to the 4.4 and 4.9 stable kernel trees. But, as Greg Kroah-Hartman added, "This backport is very different from the mainline version that is in 4.14 and 4.15, there are different bugs happening." Still, he said, "Those are the minority at the moment, and should not stop you from upgrading."

Recommended actions
Red Hat Product Security has been made aware of a micro-architectural (hardware) implementation issue affecting many modern microprocessors which can be mitigated in the Linux kernel alone or in combination with a microcode update.
An unprivileged attacker can use this flaw to bypass restrictions to gain read access to privileged memory which would otherwise be inaccessible.  There are three known CVEs for this issue related to Intel, AMD, and ARM architectures - additional vulnerabilities for other architectures also exist, such as POWER (both big and little endian, V8 and V9). For more information, please review the ‘Overview’ and ‘Impact’ tabs on the article below:

The vulnerability has been assigned CVE-2017-5754, CVE-2017-5753 & CVE-2017-5715. This issue was publicly disclosed on Wednesday, January 3, 2018 and is rated as Important.
Kernel Side-Channel Attacks (CVE-2017-5754, CVE-2017-5753, & CVE-2017-5715)

All Red Hat customers running affected products are strongly recommended to update as soon as possible. Errata for each package and product version can be found on the ‘Resolve’ tab of the article above. Impacted products and packages are noted below. A system reboot is required in order for the kernel update to be applied. Additionally, on the 'Diagnose' tab of the vulnerability article, there is a detection script available for download and use to determine if your system is currently vulnerable to this flaw. 

As this issue is related to hardware, and multiple packages are affected in addition to the kernel, kpatches will not be available for mitigation. 
It is important to note that systems may experience some performance degradation after updating the packages and microcode. A KCS article that details this and possible tuning options will be linked in the main article soon.
Variant 2 fixes require CPU microcode/firmware to activate. Subscribers are advised to contact their hardware OEM to receive the appropriate microcode/firmware for their processor.

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 5 
  • Red Hat Enterprise Linux 6 
  • Red Hat Enterprise Linux 7

The following packages are impacted:

  • kernel
  • dracut (rhel7)
  • linux_firmware (rhel7) 
  • qemu-kvm 
  • qemu-kvm-rhev 
  • libvirt

Take Action

Red Hat customers running affected versions of the Red Hat products are strongly recommended to update them as soon as errata are available. Customers are urged to apply the appropriate updates immediately.  All impacted products should apply fixes to mitigate all 3 variants; CVE-2017-5753 (variant 1),  CVE-2017-5715 (variant 2), and CVE-2017-5754 (variant 3).
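
As an added example (not Red Hat's detection script and not code from this page), the following shell script reports the kernel's own mitigation status for each of the three CVEs after the update and reboot. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities, an interface this page does not mention; the function names classify, report and needs_action are hypothetical.

```shell
#!/bin/sh
# Added example: kernel mitigation status for the three CVEs named above.
# Assumption: the kernel exposes the sysfs directory below; kernels that
# lack it are reported as "unknown", not as safe.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify FILE: print mitigated | vulnerable | not-affected | unknown
classify() {
    line=""
    [ -r "$1" ] || { echo unknown; return 0; }
    IFS= read -r line < "$1" || true   # tolerate a missing final newline
    case "$line" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report [DIR]: one line per CVE, "<CVE> <variant> <status>"
report() {
    dir=${1:-$VULN_DIR}
    echo "CVE-2017-5753 variant1 $(classify "$dir/spectre_v1")"
    echo "CVE-2017-5715 variant2 $(classify "$dir/spectre_v2")"
    echo "CVE-2017-5754 variant3 $(classify "$dir/meltdown")"
}

# needs_action [DIR]: succeeds if any variant is vulnerable or unknown
needs_action() {
    report "${1:-}" | grep -Eq ' (vulnerable|unknown)$'
}

report
```

A "vulnerable" result for variant 2 on a patched kernel is the case to check against the microcode/firmware requirement described above.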

Updates for Affected Products

Apple says Meltdown and Spectre flaws affect all Mac and iOS devices 
Apple said: “All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.”
The company advised customers to download software only from trusted sources such as its iOS and Mac App Stores to help prevent hackers from being able to use the processor vulnerabilities.
In a support document, Apple said that iOS 11.2 released on 13 December, macOS 10.13.2 released on 6 December and tvOS 11.2 released on 4 December all protect against Meltdown for supported devices and that watchOS did not need updating.
