Intel has finally commented on rumored Meltdown and Spectre microprocessor bugs that could be used to compromise laptops, PCs, smartphones, tablets and public cloud servers. Multiple hardware and software companies are writing patches to mitigate the hardware issues.
For MSSPs, MSPs and IT service providers, the next few days could involve intense patch management initiatives to safeguard mobile, on-premises and cloud-based customer systems.
According to Reuters, two major bugs require attention:
"The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory and steal passwords. The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information."
Researchers with Alphabet's Google Project Zero, in conjunction with academic and industry researchers from several countries, discovered the two flaws, Reuters says. You can read Google's full reports on Meltdown and Spectre here.
Chatter about the issues surfaced January 2 on The Register -- though Intel denied a portion of that report involving patch-related performance degradation. That same day, The 2112 Group CEO Larry Walsh, a well-known channel advisor, raised a timely caution flag -- before the news spilled into the mainstream media today. Walsh warned that the bug reports were indeed a big deal for technology companies, partners and IT professionals who maintain systems for end-customers.
Mitigating Meltdown and Spectre: Patch Management Security Advice for MSSPs
So how should MSSPs and MSPs move forward? Datto Chief Information Security Officer (CISO) Ryan Weeks explained the apparent situation and its potential MSP implications here.
Meanwhile, multiple hardware and software companies are working overtime to mitigate the bugs. Key participants in the software patch development effort include Intel, AMD, ARM, Microsoft, Red Hat and other Linux distribution vendors.
One report suggested the forthcoming software patches will reduce processor performance by 5 percent to 30 percent. Intel denied that claim, saying that customers would see little to no performance degradation once the patches were applied.
Intel's advice to partners and customers:
"Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied."
Red Hat, meanwhile, has issued the following guidance to partners and customers. Red Hat will update that link as more information becomes available, the company said.
Red Hat Ranks the Vulnerabilities
So far, Red Hat's advice addresses three Common Vulnerabilities and Exposures (CVE) entries: CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. According to the company's warning:
- CVE-2017-5754 is the most severe of the three. This exploit uses speculative cache loading to enable a local attacker to read the contents of memory. This issue is corrected with kernel patches.
- CVE-2017-5753 is a bounds-checking exploit during branching. This issue is corrected with a kernel patch.
- CVE-2017-5715 is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software.
"These vulnerabilities (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754) represent an access restriction bypass flaw that impacts many CPU architectures and many of the operating systems that enable that hardware," Chris Robinson, manager of product security assurance, Red Hat, said in a prepared statement. "Working with other industry leaders, Red Hat has developed kernel security updates for products in our portfolio to address these vulnerabilities. We are working with our customers and partners to make these updates available, along with the information our customers need to quickly secure their physical systems, virtual images, and container-based deployments."
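One way to confirm on a Linux host that the kernel fixes for these three CVEs are in place, as an added example that is not from Red Hat, Intel or the original article. It assumes the running kernel exposes per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities (mainline 4.15 or later, or a vendor backport); where the files are missing it reports the CVE as unknown and flags the host for follow-up.

```python
#!/usr/bin/env python3
"""Report Linux mitigation status for the three CVEs named in the article."""
import sys
from pathlib import Path

# Assumption: the running kernel exposes this sysfs directory. Kernels that
# lack it predate the status-reporting interface and should be treated as
# needing an update.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

CVE_TO_FILE = {
    "CVE-2017-5754": "meltdown",    # Meltdown
    "CVE-2017-5753": "spectre_v1",  # Spectre, bounds-check bypass
    "CVE-2017-5715": "spectre_v2",  # Spectre, branch target injection
}

def classify(text):
    """Map one sysfs status line to a coarse state."""
    if text is None:
        return "unknown"  # status file missing
    line = text.strip()
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if line.startswith(prefix):
            return state
    return "unknown"

def audit(base=SYSFS_DIR):
    """Return {cve: (state, raw status line)} for every CVE in CVE_TO_FILE."""
    results = {}
    for cve, name in CVE_TO_FILE.items():
        try:
            raw = (Path(base) / name).read_text()
        except OSError:
            raw = None
        results[cve] = (classify(raw), (raw or "").strip())
    return results

def needs_action(results):
    """CVEs that are unmitigated or whose status cannot be determined."""
    return sorted(c for c, (state, _) in results.items()
                  if state in ("vulnerable", "unknown"))

if __name__ == "__main__":
    report = audit()
    for cve, (state, detail) in sorted(report.items()):
        print(f"{cve}: {state} {detail}")
    sys.exit(1 if needs_action(report) else 0)
```

The non-zero exit code lets a patch-management job flag hosts that still need kernel or microcode updates.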
Awaiting Microsoft and Apple Patches
Meanwhile, Microsoft and Apple (among others) are expected to weigh in with patches in the next few days -- although Apple has not officially commented about the situation.
MSSP Alert recommends that readers closely monitor alerts from Intel, operating system suppliers, and US-CERT.