by Thomas Jefferies
In February 2017, a security researcher and white-hat hacker published information about a set of side-channel/speculative execution attacks that impacted approximately 20 years of Intel and AMD CPUs (among others), allowing protected-memory restrictions to be bypassed by a targeted malicious attack. These vulnerabilities were labeled SPECTRE and MELTDOWN and received a large amount of publicity in Q1 and Q2 2017.
These vulnerabilities targeted the method CPUs use to share information between multi-process and multi-thread tasks. Successful exploitation allowed a threat actor to read portions of protected RAM that should otherwise have been secured by the processor. The vulnerability is a result of how current-generation processors handle a feature called SMT – Symmetric Multi-Threading. Intel calls this feature “HyperThreading” and AMD calls this feature “Clustered Multi-Threading.”
Am I at risk? How much at risk?
Though these vulnerabilities gained heavy media attention, thankfully the risk they posed to most organizations was low. The biggest threat was to cloud service providers and other multi-tenant service providers, as the attack could allow one tenant to access portions of protected memory – whether that be data from a protected database or information belonging to a separate cloud tenant. As such, the potential existed for client data egress or a confidentiality breach, and due to the nature of the attack, successful execution would leave little to no audit log for forensic analysis after the fact.
Flash forward through 2018 and we’ve seen three new iterations of SPECTRE- and MELTDOWN-based vulnerabilities, as well as another side-channel execution attack named TLBleed, all of which allow for the same type of data egress. Each of them leverages SMT in order to obtain unauthorized access to protected memory, and each of them does so in slightly different ways.
OK, but it’s been a year and a half, there MUST be a permanent fix now, right?
Not quite. This brings us to PortSmash, the latest iteration of an SMT-focused side-channel execution attack. In November 2018, vulnerability information and proof-of-concept code were published detailing yet another way to exploit SMT in order to gain access to protected RAM. The mechanism for exploiting the vulnerability is different, but fundamentally the result is the same – unauthorized access to protected RAM by exploiting SMT behavior.
This is crazy – what can we do?
In March 2017, the guidance for resolving this risk was to install software patches and to update the CPU’s microcode by applying a BIOS update provided by the computer’s manufacturer. This continued to be the guidance for most of 2017 and early 2018, with new patches being delivered as each new side-channel attack was uncovered.
Unfortunately, the software patches were incapable of closing the gap entirely and relied upon computer manufacturers to update the BIOS for thousands of models to fix the error. Computer manufacturers were slow to provide updates for their users, and the continued discovery of new exploits required more and more patches before successful mitigation. With hundreds of thousands of impacted machines in production and slow manufacturer updates, how can any IT team stay ahead of these vulnerabilities? There are a few steps you can take to protect yourself and your users from this threat, and they’re likely easier than you think.
If possible, disable Symmetric Multi-Threading (SMT)
SMT was touted as a performance benefit when it launched in the mid ‘90s and early 2000s, but at this point the benefit it provides to the average user is minimal. CPUs have increased in power so dramatically since the inception of SMT that the performance it adds is now small in comparison to the security vulnerabilities the feature introduces. Unfortunately, not all hardware models allow SMT to be disabled, so this isn’t a one-size-fits-all solution. Additionally, certain workloads still receive a modest benefit from SMT, and disabling the feature can cause a decrease in overall CPU performance that might be unacceptable to some businesses.
Patch. Patch, patch, patch.
Patch your endpoints. Patch your servers. Do so quickly, and do so consistently.
Microsoft has consistently pushed software mitigation patches for these exploits at the OS level, as have other pertinent vendors whose clients would be at high risk. Always be on the lookout for critical security updates for business-critical services and for your core OS. Patch all of your endpoints – your servers, your desktops, your laptops. Do so consistently and quickly. Ensure you are including critical BIOS updates in your patching regimen, as these updates provide hardware mitigation for side-channel and speculative execution attacks. iVision’s Server and Device Management team can assist in implementing and managing an end-to-end patching process that covers your entire infrastructure – please reach out if you’d like to start a discussion.
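As an added example (not from the original post or from iVision), the following POSIX shell script checks the two things the SMT and patching sections above ask for on a Linux host: whether SMT is still on (the kernel’s /sys/devices/system/cpu/smt/control interface) and what mitigation state the kernel reports for each speculative-execution issue it knows about (/sys/devices/system/cpu/vulnerabilities/). TLBleed and PortSmash have no sysfs entry, so for those the SMT state is the only indicator; the tree built by build_sample_tree is constructed sample data for demonstration, and SYSROOT is an assumed override that defaults to the real /sys.

```shell
#!/bin/sh
# Report SMT state and the kernel's speculative-execution mitigation status
# from Linux sysfs. Both paths are real kernel interfaces (smt/control: 4.19+).
# TLBleed and PortSmash have no sysfs entry; for them, SMT being off is the check.
SYSROOT="${SYSROOT:-/sys}"   # point this at a copied or constructed tree to test

# smt_state DIR -> "on", "off", "forceoff", "notsupported", or "unknown"
smt_state() {
    f="$1/devices/system/cpu/smt/control"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# vuln_status DIR NAME -> the kernel's one-line status for NAME (e.g. meltdown)
vuln_status() {
    f="$1/devices/system/cpu/vulnerabilities/$2"
    if [ -r "$f" ]; then cat "$f"; else echo "not reported"; fi
}

# count_unmitigated DIR -> number of entries whose status begins with "Vulnerable"
count_unmitigated() {
    n=0
    for f in "$1"/devices/system/cpu/vulnerabilities/*; do
        [ -r "$f" ] || continue
        case "$(cat "$f")" in Vulnerable*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# report DIR -> prints a summary; returns 1 when SMT is on or anything is unmitigated
report() {
    smt="$(smt_state "$1")"
    echo "SMT control: $smt"
    for name in meltdown spectre_v1 spectre_v2 l1tf; do
        echo "$name: $(vuln_status "$1" "$name")"
    done
    unmit="$(count_unmitigated "$1")"
    echo "entries still marked Vulnerable: $unmit"
    [ "$smt" != "on" ] && [ "$unmit" -eq 0 ]
}

# build_sample_tree DIR -> constructed sample tree (not a real host): SMT on, Meltdown patched, L1TF unmitigated
build_sample_tree() {
    mkdir -p "$1/devices/system/cpu/smt" "$1/devices/system/cpu/vulnerabilities"
    echo on > "$1/devices/system/cpu/smt/control"
    echo "Mitigation: PTI" > "$1/devices/system/cpu/vulnerabilities/meltdown"
    echo "Vulnerable" > "$1/devices/system/cpu/vulnerabilities/l1tf"
}

if report "$SYSROOT"; then echo "OK"; else echo "ACTION NEEDED: disable SMT and/or apply pending OS and BIOS updates"; fi
```

Run it as-is on a host, or `SYSROOT=/path/to/copy sh check.sh` against a copied sysfs tree; a non-zero return from report means SMT is still on or the kernel still marks something Vulnerable.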
Longer term, don’t worry too much.
The latest AMD and Intel CPUs have hardware mitigation built in.
Intel and AMD have not been sitting idly as this has unfolded – both manufacturers have launched new CPUs that are not susceptible to these attacks. As machines in your environment come off lease or are otherwise replaced, the potential for your organization to be impacted is reduced. If you’re not a multi-tenant service provider, the mitigation approach provided by patching should be adequate to reduce the risk in your environment.
Though these vulnerabilities continue to gain strong media attention, the reality is that the threat caused by these exploits is minimal for most organizations. If you have any questions or concerns about mitigation of these vulnerabilities or your organization’s potential for exposure, we would be happy to help shed light on how SPECTRE, MELTDOWN, TLBleed, and PortSmash impact your organization’s security posture.