Verodin Update: Meltdown & Spectre

If you are a security professional, you have likely already taken action to defend against the exploits, Meltdown and Spectre, which target critical vulnerabilities in modern CPUs used to speed up processing, including speculative execution and instruction pipelining. A successful exploit can bypass security controls and allow hackers to gain unauthorized access to sensitive data, including passwords, photos, emails and business-critical documents.

The security risks posed by the Meltdown and Spectre exploits are significant, affecting almost every device with a computer chip in it. To make matters worse, the threats are very complicated due to the fact that Meltdown and Spectre differ considerably in form. The hardware bugs are somewhat alike in that they both exploit flaws in modern CPUs and bypass memory isolation in the operating system. However, technically these exploits take fundamentally different approaches, which meltdownattack.com thoroughly describes in two recently published academic papers.

According to a team of security researchers from industry and academia, Meltdown “basically melts security boundaries which are normally enforced by the hardware.” Spectre, on the other hand, “breaks the isolation between different applications.” The name is fitting, “based on the root cause, speculative execution.” The majority of CPUs are vulnerable to one or both of these exploits, including all Intel processors manufactured after 1995. The exploits are designated CVE-2017-5715 and CVE-2017-5754. Apple, Google, Microsoft, and others are advising users to apply operating system patches immediately and to stay abreast of upcoming releases.

Spectre especially is not an easy threat to mitigate. According to researchers, “it will haunt us for quite some time.” Organizations need a system in place to continuously validate that their security controls are effectively defending against this type of emerging threat. Shortly after news of the Meltdown and Spectre exploits broke, the Verodin Behavior Research Team (BRT) published content demonstrating the exploitation of Spectre along with content that determines if a control is capable of preventing the vulnerability from being exploited on Windows endpoints.

The Verodin Security Instrumentation Platform (SIP) empowers customers with the ability to safely challenge and validate their defenses against Meltdown and Spectre exploits. The actions require a Windows Endpoint Actor to execute. Protected Theater is not required. VID A103-091 requires Administrator privileges to execute, or a local/group policy deployed that allows for the execution of Powershell scripts. The Verodin community has access to these updates via their respective portals. See brief descriptions of the Meltdown and Spectre attack behaviors below.

 

CONTENT UPDATE

The actions below can be downloaded from the Content section of the main Product page in the Customer Portal.

VID A103-090: Speculative Execution Exploitation – Spectre Proof Of Concept, CVE-2017-5754 & CVE-2017-5715

An action that runs an executable which takes advantage of speculative execution to read memory in a way that should not be allowed. While this action takes advantage of vulnerabilities, it is not dangerous to run.

VID A103-091: Spectre/Meltdown Vulnerability Check – Powershell, SpeculationControl

An action that uses the SpeculationControl PowerShell module released by Microsoft to check for Spectre/Meltdown vulnerabilities. This action will show as successful if any of the checks performed by the script fail.

Content Availability: In addition to content distributed by the Verodin Behavioral Research Team (BRT), Verodin’s open content platform allows for customers to develop custom actions, evaluations, and sequences as needed with 3rd party attack data. Drag and drop PCAP into the Verodin console and easily weaponize in under five minutes.

 

ABOUT VERODIN

Verodin is the first business platform to measure, manage and improve cybersecurity effectiveness.

The Verodin Security Instrumentation Platform (SIP) empowers enterprises to remove assumptions and prove their security effectiveness with quantifiable, evidence-based data. With Verodin SIP, you can observe and adjust real responses to real attacks without ever putting production systems in danger. Verodin customers dramatically increase the ROI of their existing security investments, achieve maximum value from future spending and measurably mature their cyber prevention, detection and response capabilities.

back to blog