Overview of Meltdown and Spectre

You have probably heard the news of new vulnerabilities that affect most major chipsets, including Intel, Arm, and AMD. This means that the vulnerability affects nearly everyone who owns a computing device.

What is the vulnerability?

The vulnerability affects how systems isolate sensitive data in memory. Exploiting the vulnerability could allow an attacker to gain access to data such as passwords, encryption keys, or potentially data from other virtual systems on the same server.

Right now there are two specific vulnerabilities being dubbed Meltdown and Spectre.

Meltdown: This vulnerability is the easiest to exploit and the one getting the most attention. It primarily affects Intel chipsets and is currently being addressed with operating-system-level patches from Microsoft, Apple and various Linux distributions. It works by abusing a processor feature called "speculative execution" to infer values in protected memory. This vulnerability has been assigned CVE-2017-5754.

Spectre: This is a more generalized attack based on concepts similar to Meltdown, and it affects Arm and AMD processors in ways that the Meltdown attack can't. This also means that fixes and workarounds for Meltdown will not protect against Spectre attacks. Spectre covers two separate attack vectors, which have been assigned CVE-2017-5715 and CVE-2017-5753.

Who is affected?

Basically anyone with a computer. This includes local devices like laptop and desktop computers, but also potentially your phones and tablets, as well as IoT devices. It also includes servers and services you may use, most notably cloud systems that offer virtualization. The vulnerability has been verified to work on chipsets going back to at least 2011 and likely affects CPUs going back as far as 1995.

Most at risk right now are systems using Intel chipsets, as they are the easiest to exploit and the first proof-of-concept exploits being released target Intel. This means that your laptop is probably more at risk than your phone, for now.

How can this be attacked?

To exploit these vulnerabilities, an attacker needs to execute code on the local system. This could happen in a variety of ways. Being locally logged in, even as a low-privileged or nearly unprivileged user, would allow the attacker to launch the attack. Attackers could also launch the attack remotely if they can get malicious code executed on a local system, whether as downloaded malware, malware pushed via malicious websites, or even malicious documents.

Has it been attacked "in the wild"?

Nothing has been detected being exploited in the wild so far. Since these vulnerabilities were disclosed by security researchers rather than discovered in an active attack, it's likely that attackers were not aware of them until everyone else was. This will change quickly, however, as proof-of-concept exploits are already being written and floated around the internet. It is probably only a matter of time until we see these vulnerabilities exploited in malware and local attacks.

What is the solution?

Since these issues are hardware related and vary widely depending on the specific software, complete fixes will be complex and will likely take a while to arrive. Luckily, while Meltdown is easier to exploit, it's also easier to address. And while Spectre is a harder problem to patch, it is also much harder to exploit (right now).

Currently OS vendors like Microsoft and Apple, and the Linux distributions, are releasing patches that provide protection against Meltdown attacks. These patches work by removing the shared kernel mapping from user-space page tables, which takes away the ability to infer values in protected kernel memory. Unfortunately, removing this shared mapping also removes a lot of processing efficiency, so those systems will see some performance decrease. How much depends on how heavily the software relies on this memory access, but current estimates suggest anywhere from a 5%-30% decrease in overall software performance.

Intel has released firmware updates, but some people seem to have the misconception that firmware updates come as a simple, generic patch that anyone can download. This is far from the truth. The biggest problem with the firmware updates being released is that firmware is vendor and model specific. Intel develops multiple firmware updates, one for each different chip. These are then distributed to computer vendors like HP and Dell, who in turn have to test and release them to their customers for each model of computer they sell.

For instance, here's Intel's page on how to get their firmware updates; it basically provides links to the individual computer vendors' sites: https://www.intel.com/content/www/us/en/support/articles/000025619/software.html Adding insult to injury, most firmware updates need to be installed directly on the system, requiring a person physically in front of the machine. Whether you send every user a USB stick with instructions for installation (and lots of prayer) or you send an IT person to every terminal, you can see how burdensome and complex the process can become. Even figuring out which updates are needed for an enterprise fleet of computers of different vendors and models can be an overwhelming task. Pair this with the need for software patches, like those from Microsoft, Apple and Linux, and every company's IT department will be in overdrive for the foreseeable future over this issue.

In the meantime, all the things we currently recommend to prevent malware apply here. Avoid suspicious email attachments, documents and websites. Make sure you use long and complex passwords to prevent unauthorized users from accessing your system and keep your software up to date with patches.

Trustwave customers will find detection rules for these vulnerabilities in the following security offerings:

Trustwave Secure Email Gateway (SEG), which can detect known JavaScript PoCs for Spectre
Trustwave Vulnerability Scanner, which will detect whether the proper patches are in place for Microsoft Windows, Microsoft SQL Server, and VMware ESXi
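The "What is the solution?" section above describes two things an enterprise has to track per machine: whether the OS-level Meltdown patch (the removal of the shared kernel mapping) is active, and which firmware/microcode revision the CPU is running. As an added example (not Trustwave's, Intel's or the Linux kernel project's code, and not part of the original post), the POSIX shell script below turns the status the Linux kernel reports into an exit code that a fleet-inventory or scanning job can act on. It assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities/ directory (Linux 4.15 and later, or a distribution kernel with that reporting backported) and a /proc/cpuinfo that carries the "bugs" and "microcode" fields; the status strings it recognises ("Not affected", "Mitigation: ...", "Vulnerable...") are the formats the kernel prints there, and the sample status lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not Trustwave's code): inventory the Meltdown/Spectre
# mitigation state that a Linux kernel reports, in a form an inventory or
# scanning job can act on. Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15+, or a distribution
# kernel with that reporting backported) and a /proc/cpuinfo with the
# "bugs" and "microcode" fields.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities
CPUINFO=/proc/cpuinfo

# classify_status STATUS_LINE
# Maps one kernel status line (constructed samples: "Mitigation: PTI",
# "Not affected", "Vulnerable: Minimal generic ASM retpoline") to a
# one-word verdict on stdout. Return code: 0 = unaffected or mitigated,
# 1 = vulnerable, 2 = unrecognised (treat as a finding, not as a pass).
classify_status() {
    case "$1" in
        "Not affected") echo "unaffected"; return 0 ;;
        Mitigation:*)   echo "mitigated";  return 0 ;;
        Vulnerable*)    echo "vulnerable"; return 1 ;;
        *)              echo "unknown";    return 2 ;;
    esac
}

# check_vuln_dir DIR
# Reads every file in DIR (normally $VULN_DIR) and prints one line per
# entry: "<name><TAB><verdict><TAB><raw kernel status>". Returns 1 if any
# entry is vulnerable, 2 if any is unrecognised (and none vulnerable),
# 0 otherwise. A missing DIR yields no output and 0; report_host treats
# that case separately because it means the kernel cannot report at all.
check_vuln_dir() {
    _dir=$1
    _worst=0
    for _f in "$_dir"/*; do
        [ -f "$_f" ] || continue
        _name=$(basename "$_f")
        _status=$(cat "$_f")
        _rc=0
        _verdict=$(classify_status "$_status") || _rc=$?
        printf '%s\t%s\t%s\n' "$_name" "$_verdict" "$_status"
        if [ "$_rc" -eq 1 ]; then
            _worst=1
        elif [ "$_rc" -eq 2 ] && [ "$_worst" -eq 0 ]; then
            _worst=2
        fi
    done
    return "$_worst"
}

# cpuinfo_field FILE NAME
# Prints the value of the first "NAME : value" line of a /proc/cpuinfo
# style file, e.g. the "bugs" field of a pre-patch host reads
# "cpu_meltdown spectre_v1 spectre_v2". Prints nothing when the field is
# absent (kernels older than 4.15 have no "bugs" line at all).
cpuinfo_field() {
    [ -r "$1" ] || return 1
    awk -F': *' -v want="$2" '
        { key = $1; sub(/[[:space:]]+$/, "", key)
          if (key == want) { print $2; exit } }' "$1"
}

# report_host: run the checks against the live system and return the
# worst verdict as the exit status (0 ok, 1 vulnerable, 2 unknown/too old).
report_host() {
    echo "cpu bugs:  $(cpuinfo_field "$CPUINFO" bugs)"
    echo "microcode: $(cpuinfo_field "$CPUINFO" microcode)"
    if [ ! -d "$VULN_DIR" ]; then
        echo "no $VULN_DIR: this kernel does not report mitigation state"
        return 2
    fi
    check_vuln_dir "$VULN_DIR"
}

# Run against the live system only when invoked as: sh check.sh --live
# (the exit status is then the worst verdict). Without the flag only the
# functions are defined, so the file can be sourced by a larger job or
# pointed at copies of the sysfs and cpuinfo files collected from a fleet.
case "${1:-}" in
    --live) report_host; exit $? ;;
esac
```

The verdict mapping is deliberately strict: anything the script does not recognise is reported as unknown and yields exit status 2 rather than being counted as patched, and an absent vulnerabilities directory is reported the same way, since a kernel too old to have the reporting is also too old to have the fix. The microcode revision is printed rather than judged because, as the section above explains, the correct revision is vendor- and model-specific and has to be compared against each vendor's own list. On Windows the comparable check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which this shell script does not cover.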

Additional resources

FAQ and Technical Documents: https://meltdownattack.com

SpiderLabs will be keeping an eye on these vulnerabilities as more information is released.

[UPDATED 1/5: typo correction, expansion of "What is the solution?" section and addition of "Additional resources" section]
[UPDATED 1/18: section added describing detection rules added to Trustwave products]
