
Do we have to be worried about Spectre and Meltdown being used for a large scale attack like Wannacry? Even though the patches coming out are being deployed to most recent systems, there will inevitably be A LOT of systems that won't be patched.

The affected systems range from routers to smartphones to data center servers; not all of them will be updated. If there is a way for Meltdown to be abused and chained into anything else that could escalate privileges or any other attack types, it could be used to hit entire networks if you have even a few unpatched devices.

Being able to snoop kernel memory seems like a huge problem and even if most things get patched, it seems like even a few unpatched systems could compromise everything else on your network. Sounds like this problem is only going to get worse and the performance degrading patches won't be the worst of it.

A. C. A. C.

3 Answers


Wannacry was a remote attack: an attacker could point their exploitation program at another computer over the network and infect it, and could have that infected computer attack others in turn.

Meltdown and Spectre are both local attacks: an attacker needs permission to run code on the target computer in order to perform the attack. Additionally, both are "read-only" attacks: they permit an attacker to read otherwise-protected data, but they don't permit an attacker to modify that data.

Spectre has the additional problem that it requires precise tuning to the CPU, OS, and program being attacked: for example, a Spectre-style attack to retrieve SSL certificates from Apache 2.4.10-10+deb8u11 on Debian Wheezy on a Core i5-8600K might be unable to mis-train the branch predictor on a Ryzen 5-1600, will be looking in the wrong place for Apache 2.4.28 on Gentoo on a Core i5-8600K, and will be completely lost when trying to attack Nginx on Fedora 26 on a Via C7.

The only real threat for large-scale attacks is Spectre-style attacks on web browsers. For example, all copies of Firefox 57 on Windows are identical, so an attacker who puts malicious Javascript on an ad server could reach out of the Javascript sandbox and collect browser passwords with reasonable success.

(Incidentally, routers and most smartphones aren't vulnerable. They tend to use cheap, low-end ARM CPUs, which are too primitive to be affected by either Spectre or Meltdown.)

Mark
  • ARM confirmed that pretty much every modern ARM CPU is vulnerable to Spectre and most are vulnerable to a specific form of Meltdown. Of course very low end stuff isn't using modern CPUs but pretty much all smartphones seem to have some vulnerability and a lot of routers/switches/firewalls are using ARM cores on the affected list ARM put out. – A. C. A. C. Jan 05 '18 at 22:03
  • Also the Javascript attack is exactly the kind of thing that is worrying. Once an attacker gets all the passwords and keys, could they not just remotely log into your system and do whatever they want? – A. C. A. C. Jan 05 '18 at 22:11
  • @A.C.A.C., the Javascript attack can only mass-collect passwords stored in the browser. Reaching outside the browser to get system passwords requires a much more complicated attack, one which probably needs to be tuned to the exact computer being attacked. And remotely logging in requires that you enable remote logins -- remember, the Spectre and Meltdown attacks can only read protected memory, they can't perform disallowed actions. – Mark Jan 05 '18 at 22:20
  • @A.C.A.C.: By my understanding of Spectre, a key requirement is that the processor make use of a value fetched from memory without regard for whether the fetch was valid. I'm curious why processors would allow speculative execution to continue past an invalid memory fetch. Doing so would require processors to keep track of when and where the invalid fetch occurred, so they could rewind back to that point, which would seem more complicated than simply having the processor abandon the current line of speculation. – supercat Jan 06 '18 at 00:46
  • @supercat, a Spectre fetch isn't necessarily invalid, simply one that the program would not have done in a non-speculative environment. For example, no sensible program would use the first byte of an SSL private key to select which byte of a shared-memory mapping it reads, but Spectre could be used to induce the branch predictor to do so speculatively. – Mark Jan 06 '18 at 07:30
  • And since Firefox already mitigated it with its recent patch - timing in JavaScript isn't precise enough anymore - this is more of a threat to server owners and corporations that have homogenous systems deployed. – Steffen Winkler Jan 06 '18 at 12:36
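The speculative out-of-bounds read Mark describes above (a branch predictor mistrained so that a byte the program should never have read selects which cache line gets loaded) next to the index-masking hardening for it, as an added example that is not part of the thread. The table `array1`, the 256-line `probe_array`, and their sizes are constructed for illustration; the branchless mask follows the construction of the Linux kernel's generic `array_index_mask_nospec()`, which is a real kernel helper, but the function names here are this example's own.

```c
/*
 * Spectre variant 1 (bounds-check bypass) gadget next to its index-masked form.
 * Added example for this thread, not code from the thread.  array1, probe_array
 * and their sizes are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY1_SIZE 16
#define CACHE_LINE  64

/* Victim's legitimately indexed table.  A speculative read past its end hits
 * whatever happens to sit there (in the attack, the secret the attacker aimed at). */
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};

/* Attacker-probeable array: byte value v selects cache line v, so the attacker
 * later times accesses to each line to recover v (the covert channel). */
static uint8_t probe_array[256 * CACHE_LINE];

/* Fill each line with its own index so a lookup's return value shows which
 * line the load touched.  Returns the number of lines filled. */
int init_probe_array(void) {
    for (int v = 0; v < 256; v++) {
        probe_array[v * CACHE_LINE] = (uint8_t)v;
    }
    return 256;
}

/* Vulnerable gadget.  Architecturally correct, but the bounds check is a branch:
 * once the predictor is trained to take it, an out-of-range idx is speculatively
 * used to read array1[idx] and the leaked byte picks the probe_array line. */
int leaky_lookup(size_t idx) {
    if (idx < ARRAY1_SIZE) {
        return probe_array[array1[idx] * CACHE_LINE];
    }
    return -1;
}

/* Branchless mask: all ones when idx < size, zero otherwise.  Same construction
 * as the Linux kernel's generic array_index_mask_nospec(); it assumes size > 0,
 * size below 2^(bits-1), and an arithmetic (sign-extending) right shift on the
 * signed type, which every mainstream compiler provides. */
size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)(~(intptr_t)(idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1));
}

/* Clamp idx into [0, size) using data flow only: an out-of-range idx becomes 0,
 * which is harmless to read even on a mispredicted path. */
size_t safe_index(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* Hardened gadget: same check for program logic, but the index that reaches
 * the load is masked, so speculation can at worst read array1[0]. */
int hardened_lookup(size_t idx) {
    if (idx < ARRAY1_SIZE) {
        return probe_array[array1[safe_index(idx, ARRAY1_SIZE)] * CACHE_LINE];
    }
    return -1;
}

int main(void) {
    init_probe_array();
    printf("in range:     leaky=%d hardened=%d\n", leaky_lookup(3), hardened_lookup(3));
    printf("out of range: leaky=%d hardened=%d\n", leaky_lookup(1000), hardened_lookup(1000));
    printf("masked index for 1000: %zu, for 7: %zu\n",
           safe_index(1000, ARRAY1_SIZE), safe_index(7, ARRAY1_SIZE));
    return 0;
}
```

Both lookups return the same values architecturally; the difference exists only on the mispredicted path, which is why a functional test cannot show it. Build with optimisation and read the generated assembly to confirm the mask is emitted as arithmetic rather than compiled back into a branch (the kernel uses per-architecture asm for exactly this reason). Masking addresses variant 1 only: variant 2 (branch target injection) needs retpolines or microcode, Meltdown needs page-table isolation, and browsers, as Steffen notes, blunted the covert channel by coarsening JavaScript timers.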

Mark touched on the difficulty of executing this attack, particularly at organizational scale. It requires knowledge of the system to be attacked, skill to execute, and time to continue to execute the exploit until sensitive data is gathered. I'll add one other important piece.

From Intel:

Intel believes these exploits do not have the potential to corrupt, modify or delete data.

In addition to this, from MalwareBytes:

Can I detect if someone has exploited Meltdown or Spectre against me? Probably not. The exploitation does not leave any traces in traditional log files.

This suggests that if a major corporation has been hacked using this exploit, they probably do not know yet, and possibly may never know. The attack is very possible, but I wouldn't expect it to make headlines going forward in the way Wannacry has.

Goose

I don't believe it would be beneficial to utilize any of the variants of Spectre or Meltdown as a widespread attack. Currently, they only leak memory. If you're lucky, you may be able to dump something like an SSH private key, though this is rare based upon the current research.

As well, one cannot gain remote code execution from either of these vulnerabilities. Most widespread attacks utilize exploits that will achieve RCE, which is why I do not see Spectre or Meltdown being utilized on a large scale.

Henry F
  • Spectre can leak memory from one program to another, or into a sandboxed portion of a program from outside the sandbox, in addition to leaking memory from kernelspace to userspace. – Mark Jan 05 '18 at 23:14
  • @Mark I'm well aware of that. Now, I believe I answered the OP's question in the most direct and precise manner. Care to explain the downvote in the same fashion? Would love to hear what is even remotely incorrect about this answer. – Henry F Jan 06 '18 at 07:04
  • As it stands *now*, it's okay. The downvote was for the "kernel only" bit, when the greatest threat to the average user is probably the Javascript sandbox violation. – Mark Jan 06 '18 at 07:25
  • @Mark Thank you Mark, that's a great point about the Javascript sandbox violation. – Henry F Jan 06 '18 at 07:59