Meltdown and Spectre

Cisco Talos is aware of three new vulnerabilities impacting Intel, AMD, Qualcomm and ARM processors used by almost all computers. We are investigating these issues and although we have not observed exploitation of these vulnerabilities in the wild, that does not mean that it has not occurred. We have observed publicly available proof of concept exploit code being developed to exploit these vulnerabilities.

These issues have been assigned the following CVE entries:

    Meltdown: An attacker can access kernel memory from user space
        Spectre: An attacker can read memory contents from other users' running programs

            These issues involve side channel and cache attacks that enable an attacker to steal sensitive information from memory space they should not be able to normally access. Google Project Zero published a blog providing technical details regarding these vulnerabilities. An example attack scenario would be an attacker stealing credentials from the memory space of another process. Two criteria must be met in order for these vulnerabilities to be exploited.
              1. The device being targeted must utilize an affected Intel, AMD, Qualcomm, or ARM processor (most processors from the last 10+ years fall into the category of "vulnerable").
              2. An attacker must be able to execute their own code (this includes Javascript) on the device. Depending on the vulnerability, the code may be executed as unprivileged code, or in others, as privileged ("root" or "SYSTEM") code.
                 There are three likely scenarios where attackers may attempt to leverage these vulnerabilities.
                1. Spectre could be leveraged to launch attacks against virtualized hosting environments. Given that it is possible to read host memory from within a guest, this could result in an attacker gaining access to the host OS. This sort of attack scenario mainly impacts cloud hosting providers such as Amazon, Azure, Google, etc. These providers are working to ensure customers are not impacted by these vulnerabilities. Check with your specific hosting provider for additional details. It is important to note that successfully exploiting these vulnerabilities in this scenario is not trivial.
                2. It is important to note that Spectre is accessible from within the web browser on affected devices which could allow malicious web sites to read arbitrary data from other browser tabs. Mozilla has confirmed this on their blog here. This could allow a remote attacker to obtain sensitive information, such as session or cookie data for other active sessions. It is important to note that this sort of an attack would likely only work under specific conditions. This attack would also require an attacker to convince a user to visit a malicious website in order to execute the code required to steal data.
                3. Meltdown could enable attackers to exploit additional vulnerabilities more easily. Meltdown allows for the defeating of Kernel Address Space Randomization (KASLR). This means that any vulnerability that wasn't previously exploitable due to KASLR is now potentially exploitable if chained together with Meltdown. This would be specific to the vulnerability the attacker is attempting to leverage, but from an attacker perspective it does remove some of the hurdles and problems encountered during the creation of their exploits.
                  As with all vulnerabilities, applying published patches is a crucial step to preventing an attacker from successfully exploiting these vulnerabilities. Microsoft, Linux and Apple have released patches for Meltdown. Other affected products are listed here. Applying the Microsoft patch may result in incompatibility issues with existing security software running on your system. To verify your patch status you can use the PowerShell modules provided by Microsoft. For affected Cisco devices please refer to the PSIRT advisory. Currently no patches are available for Spectre. As soon as Operating System patches are available for Spectre, we recommend that you apply them to your system as soon as possible.

                  As with all attacks, it is also critical that the initial infection vector be blocked whenever possible as each of these vulnerabilities require an attacker to be able to execute code on an affected system.

                  Some examples of blocking the initial vector include:

                  1. Using ad blocking and script disabling software can minimize the risk of Javascript-based browser attacks.
                  2. Cisco Umbrella can be used to block access to known malicious sites that may be launching attacks targeting these vulnerabilities.
                  3. Web Security Appliance (WSA) can be used to block access to known malicious sites.
                  4. FirePower NGFW can be used to block network based attacks leveraging these vulnerabilities.
                  5. AMP for Endpoints and Networks can be used to block known droppers that may be used to infect systems with malware that leverages these vulnerabilities.
                  6. AMP's exploit prevention engine covers multiple techniques that would be used after a successful Meltdown or Spectre memory read, that would be necessary for gaining code execution.

                  Coverage


                  Snort SIDs: 45357-45368

                  AMP Compatibility is documented here. AMP's exploit prevention system is documented here.

                  These signatures cover the specific PoC's and sample code outlined in the Spectre and Meltdown whitepapers. While these signatures have the potential to detect variants, they may not work for all cases. We still recommended that affected organizations install the OS and firmware patches to protect against this class of attacks. Talos is continuing to monitor the situation and will provide updated information as soon as it is available.

                  Name

                  .NET 0-day 0day ACDSee Adobe advisory adwind AMP Android Antenna House antivirus apple APT arbitrary code execution Attribution Automation Bahamut BASS beers with talos bitcoin Bitvote Black Hat botnet Brazil BRKSEC-2010 CASC chrome cisco Cisco Live Cisco Security Clam AV ClamAV Cobalt group code injection command injection conferences Coverage cryptocurrency cryptomining CSV CTA CVE-2016-8610 CVE-2017-0199 cve-2017-11882 CVE-2017-5638 CVE-2018-3857 CVE-2018-3858 CVE-2018-3859 CVE-2018-3860 CVE-2018-3870 CVE-2018-3871 CVE-2018-8506 cybercrime dark cloud DDE Decryptor Def Con detection dispute DOC DoS Excel Exploit exploit kits RTF fast flux Flash formbook Foscam Foxit Fuzzing gandcrab google GoScanSSH gozi gplayed GravityRAT Group123 Hangul healthcare HWP Hyland IcedID ICS IDA Pro IMAP incident response India inesap infostealer intel iOS IoT iot malware iPhone IR isfb jRAT JScript kernel mode KevDroid Korea Linux macros MalDoc Malware Malware Analysis Malware Research MDM meltdown meraki Microsoft Microsoft Patch Tuesday Middle East miners mining mobile device management monero Moxa ms tuesday natus NavRAT new router malware NordVPN North Korea nvidia Office office router attack Olympic Destoryer Olympic Destroyer Olympics opsec password stealer patch tuesday PDF phishing PhotoLine PLC podcast pony Powershell privilege escalation ProntoVPN PTEX PubNub PubNubRAT py2exe Pyeongchang pyrebox python Qatar ransomware RAT remcos remote access tool remote code execution research research spotlight reven ReversingLabs Rocke Rockwell Automation ROKRAT rootkit rtf ruby ryptoShuffler samsam samsung Scriptlets security updates sennoma signatures SimpleDirect Media Layer smartthings Smoke Loader Snort Snort Rules Sony South Korea spam spectre spyeye stealer steam struts support Talos TALOS-2017-0507 talosintelligence.com telegrab telegram Tetrane Thanatos ThanatosDecryptor threat intelligence Threat Research Threat Research Summit Threat Round-up Threat Roundup ThreatGrid threats TIFF trickbot trojan TTRS Umbrella ursnif VBScript VMI vpn filter attack VPNFiler VPNFilter VPNFilter malware vuln dev vulndev vulnerabilities Vulnerability vulnerability analysis Vulnerability Report Vulnerability Research vulnerability spotlight vulnerabillity vulnerable routers Whitepaper Windows WindowsCodecs.dll wipers xamarin XSS
                  false
                  ltr
                  item
                  materialize material: Meltdown and Spectre
                  Meltdown and Spectre
                  materialize material
                  https://materialize-material.blogspot.com/2018/01/meltdown-and-spectre.html
                  https://materialize-material.blogspot.com/
                  http://materialize-material.blogspot.com/
                  http://materialize-material.blogspot.com/2018/01/meltdown-and-spectre.html
                  true
                  1816414542238562206
                  UTF-8
                  Not found any posts Not found any related posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU Tag ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Contents See also related Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy