A Worst Case Scenario
This week it was revealed that a severe vulnerability in a majority of processors has existed for nearly ten years, affecting millions of computers around the world, including all the major cloud providers who rely on Intel chips in their data centers. Essentially, this flaw grants complete access to protected memory, including secrets like passwords, from any program on the exploited computer, even code delivered through the web. The flaw is so serious that allegations have already been made that Intel’s CEO sold millions of dollars of stock in the company after the flaw was found but before it was revealed to the public, the idea being that a vulnerability of this magnitude would be enough to substantially hurt Intel on the market, even though it affects some ARM and AMD processors as well.
Why It Matters
The Exploits: Meltdown and Spectre
Two main classes of attack exploit the processor flaw: Meltdown and Spectre. Each was nicknamed for how it works: one melts down the isolation barrier between applications and the operating system, and the other is a pun on “speculative execution,” the processor feature the attack abuses to trick otherwise secure programs into leaking their secrets.
“Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.”
“Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.”
Proof-of-concept code has already been demonstrated for executing these attacks against vulnerable systems. Intel, however, had known about this problem for months before revealing it to the public, and worked with cloud providers, software companies, and other entities to begin patching the vulnerability in applications, browsers, and operating systems.
What to Do
Microsoft support has released a thorough guide to patching systems against the exploits. They break remediation down into three steps:
- Ensure current and updated antivirus software is installed and running on the system before installing OS updates and patches. In case a system has already been compromised by malware, AV checks should be run before beginning patching efforts.
- Install the newly released (Jan 2018) Windows updates. This will patch the operating system (including browsers Edge and Internet Explorer) against the exploits.
- Install firmware updates for your systems as they become available. Even though the Microsoft OS and browsers have patches, hardware firmware will still need to be updated to resolve the underlying issues.
Microsoft has also provided a simple PowerShell module for testing that can be used with the following commands:
PS > Install-Module SpeculationControl
PS > Get-SpeculationControlSettings
This will output something like the following, where True means protected and False means vulnerable:
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is present: True
Windows OS support for branch target injection mitigation is enabled: True
Speculation control settings for CVE-2017-5754 [rogue data cache load]
Hardware requires kernel VA shadowing: True
Windows OS support for kernel VA shadow is present: True
Windows OS support for kernel VA shadow is enabled: True
Windows OS support for PCID optimization is enabled: True
Microsoft notes that “Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities.” This means that one patch isn’t enough: a patching strategy that ensures all critical updates have been applied over time is necessary to ensure total coverage against the vulnerabilities.
How UpGuard Can Help
Although the mitigation steps might seem straightforward when working through a single system, following them at the enterprise scale is a bit more difficult. How do you know which systems are vulnerable? How do you track remediation efforts across hundreds or thousands of systems distributed across different cloud vendors and local data centers? How will you know if an unpatched system enters your environment? UpGuard automates the process of finding these answers.
Specifically, UpGuard can automatically query every Microsoft system using the PowerShell module mentioned above. The results are then added to the system in UpGuard as actionable information, meaning that policies can be set around them. A policy stating that all systems should be patched can be applied and then run to see which systems still need to be updated. When new systems are added, the PowerShell results can be checked as part of the deployment process to ensure that no vulnerable assets are added to the production pool.
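The following script is an added example (not UpGuard’s or Microsoft’s code) that turns the single-system check above into the fleet sweep this section describes: it runs Get-SpeculationControlSettings on each host in a constructed hosts.txt list and reduces the result to a compliant/not-compliant verdict with the remaining gaps. It assumes the SpeculationControl module is installed on each target, that WinRM remoting is enabled, and that the module returns the BTI* and KVAShadow* properties shown here.

```powershell
# Added example, not from the original post. Assumes the SpeculationControl
# module is installed on every target and PowerShell remoting is enabled.
# Property names assumed: BTI* map to CVE-2017-5715 (branch target injection),
# KVAShadow* map to CVE-2017-5754 (rogue data cache load).

function Test-SpeculationMitigation {
    param(
        [Parameter(Mandatory)] $Settings,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # CVE-2017-5715 needs firmware support AND an enabled OS mitigation.
    $btiOk = [bool]$Settings.BTIHardwarePresent -and [bool]$Settings.BTIWindowsSupportEnabled
    # CVE-2017-5754: kernel VA shadowing only matters on hardware that requires it.
    $kvaOk = (-not [bool]$Settings.KVAShadowRequired) -or [bool]$Settings.KVAShadowWindowsSupportEnabled

    # Explain which of the three remediation steps is still missing.
    $gaps = @()
    if (-not $Settings.BTIHardwarePresent)         { $gaps += 'firmware update needed (CVE-2017-5715)' }
    if (-not $Settings.BTIWindowsSupportPresent)   { $gaps += 'OS update needed (CVE-2017-5715)' }
    elseif (-not $Settings.BTIWindowsSupportEnabled) { $gaps += 'BTI mitigation present but disabled' }
    if ($Settings.KVAShadowRequired) {
        if (-not $Settings.KVAShadowWindowsSupportPresent)   { $gaps += 'OS update needed (CVE-2017-5754)' }
        elseif (-not $Settings.KVAShadowWindowsSupportEnabled) { $gaps += 'KVA shadow present but disabled' }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Compliant    = [bool]($btiOk -and $kvaOk)
        Gaps         = ($gaps -join '; ')
    }
}

# Fleet sweep: hosts.txt is a constructed inventory, one hostname per line.
$report = Get-Content .\hosts.txt | ForEach-Object {
    $name = $_   # capture here; inside catch, $_ is the error record
    try {
        $s = Invoke-Command -ComputerName $name -ScriptBlock { Get-SpeculationControlSettings }
        Test-SpeculationMitigation -Settings $s -ComputerName $name
    } catch {
        # An unreachable host is reported as non-compliant so it is not silently skipped.
        [pscustomobject]@{ ComputerName = $name; Compliant = $false; Gaps = "query failed: $($_.Exception.Message)" }
    }
}

$report | Export-Csv .\speculation-report.csv -NoTypeInformation
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Running the sweep again after each patch cycle and diffing the CSV shows whether the January updates, the firmware updates, or both are still outstanding on a given host.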
More importantly, UpGuard can validate any setting on these systems, including all Windows updates, software versions, open ports, and other critical parts of the configuration state that determine its security.
Despite the scope and severity of this flaw, it is only a sign of what is coming. Much in the world has come to depend on the technology provided by a handful of private companies. The stakes of cyber attacks are rising along with the increasing digitization of the world. More value can be extracted digitally now than ever before, making cyber risk a key factor in total business risk. The ramifications of the processor vulnerability will extend for years into the future. Right now, almost all exploited vulnerabilities have been known for at least a year, and nearly all of them have patches released. The problem isn’t that software companies, cloud providers, and other technology vendors lack a means of patching these vulnerabilities as they come up; it’s that the business processes of patching servers and applications often move slowly, are sometimes broken, and rarely have the controls in place to prevent outdated and dangerous configurations in production.
Hopping from one fix to the next as vulnerabilities are revealed is probably not sustainable for most organizations without a proactive plan to handle such situations. This means first and foremost getting total visibility into the inventory of digital assets and services, how they are configured, and whether those configurations are correct. Without the ability to do this, responding to any new revelation will likely be chaotic and less effective. Cyber resilience is the practice of continuously validating your IT processes and assets to create a secure and reliable environment. UpGuard automates continuous validation, detects important changes, and even handles third-party risk, because the vendors you use are subject to the same problems as any IT environment and must be considered an important vector of cyber risk.