As you know, vulnerabilities represent a serious threat when the United States Department of Homeland Security issues a security notice. US-CERT, the United States Computer Emergency Readiness Team, issued the following notice:
Intel has released recommendations to address vulnerabilities in the firmware of the following Intel products: Management Engine, Server Platform Services, and Trusted Execution Engine. An attacker could exploit some of these vulnerabilities to take control of an affected system.
Why Protect Yourself?
Using these two vulnerabilities, which are caused by the internal chipset architecture itself, a hacker may gain access to your whole system or get hold of any passwords stored on it. This is real, and you may lose more than your computer: your online funds or cryptocurrency accounts may be in danger.
A Short History
Google's Project Zero, a team established in 2014 to find zero-day vulnerabilities, discovered one of these vulnerabilities as early as the 1st of June 2017, based on their statements. Google: "We reported this issue to Intel, AMD and ARM on 2017-06-01." (Project Zero)
From the paper announcing Meltdown, we read: "Meltdown is a powerful attack allowing to read arbitrary physical memory from an unprivileged user program, comprised of the building blocks presented in Section 4. First, we discuss the attack setting to emphasize the wide applicability of this attack. Second, we present an attack overview, showing how Meltdown can be mounted on both Windows and Linux on personal computers as well as in the cloud. Finally, we discuss a concrete implementation of Meltdown allowing to dump kernel memory with up to 503 KB/s."
The vulnerabilities went public in November, and patches were not available. The news came together with the information that Intel CEO Brian Krzanich had sold most of his Intel stock prior to the announcement, which made things even fishier: that was $39 million in stock.
The FreeBSD operating system team announced that they were officially notified in December 2017, which will lead to some delays in fixing the issue. That is quite a delay, and I use FreeBSD myself, but fortunately I have an older generation of processors which are not affected. Which takes us to:
Are All Intel Processors Affected?
Short answer: no, but not only Intel processors are affected.
Meltdown affects some ARM processors as well, and it is presumed that Spectre may also affect AMD processors despite the differences in architecture, but this is not clear at the time of writing.
The vulnerabilities affect Intel processors with a release date after 2015. These include the following:
- Intel Core processors from the 6th generation (“Skylake”), 7th generation (“Kaby Lake”), & 8th Generation (“Kaby Lake-R” and “Coffee Lake”) families—the processors in most desktop and laptop computers since 2015;
- Multiple Xeon processor lines, including the Xeon Processor E3-1200 v5 & v6 Product Family, Xeon Processor Scalable family, and Xeon Processor W family;
- The Atom C3000 Processor Family and Apollo Lake Atom Processor E3900 series for networked and embedded devices and Internet of Things platforms, and
- Apollo Lake Pentium and Celeron™ N and J series Processors for mobile computing.
What to do?
While it is not yet completely clear that patches remove the vulnerabilities, they do mitigate them. Firmware updates combined with operating system updates are a first step. For cloud protection, you can either reach out to us or follow the instructions released by the virtualization or bare metal cloud providers.
Intel has released a tool to detect these vulnerabilities in your system, and an appropriate firmware update is included. Please find the tool here and check the instructions. Beware that firmware updates are risky: make sure you have a UPS or a reliable power source, because if the power drops during the update, the hardware can be left unusable.
You need to update the firmware of your hardware as soon as possible, and handle operating system updates later.
Please use Windows Update to update your Windows OS. There are some issues regarding several anti-virus programs which may stop Windows from updating. If your update does not go through, check the previous link for instructions and maybe even completely uninstall your anti-virus program in order to properly update Windows.
For Linux users, things are more complicated. You need to update your kernel to the latest version, and the updates are available only for the 4.4, 4.9 and 4.14 stable kernels and for the current 4.15 version.
For previous versions of the kernel there are no patches, but if you use a previous version of the kernel, you have far more vulnerabilities that are more dangerous, well-known and easier to exploit than Meltdown and Spectre.
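The Linux check described above, as an added example that is not part of the original article: the script reads the per-issue status files that patched kernels expose under /sys/devices/system/cpu/vulnerabilities/ and, when they are missing, falls back to the kernel series listed above. The function names and exit codes are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the article): summarise Meltdown/Spectre status on Linux.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/.
PATCHED_SERIES="4.4 4.9 4.14 4.15"   # kernel series the article lists as fixed

# series_has_patches RELEASE: succeed if e.g. "4.9.77-generic" is in a listed series.
series_has_patches() {
    series=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    for s in $PATCHED_SERIES; do
        [ "$s" = "$series" ] && return 0
    done
    return 1
}

# classify_status TEXT: map one sysfs status line to a single keyword.
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report DIR RELEASE: print one line per issue.
# Returns 0 = all mitigated or not affected, 1 = something vulnerable/unknown,
# 2 = the kernel exposes no status files at all.
report() {
    dir=$1; release=$2; worst=0
    if [ ! -d "$dir" ]; then
        if series_has_patches "$release"; then
            echo "kernel $release: no status files; update to the latest release of its series"
        else
            echo "kernel $release: not in a series the article lists as patched"
        fi
        return 2
    fi
    for f in meltdown spectre_v1 spectre_v2; do
        state=unknown
        [ -r "$dir/$f" ] && state=$(classify_status "$(cat "$dir/$f")")
        echo "$f: $state"
        case $state in vulnerable|unknown) worst=1 ;; esac
    done
    return $worst
}

# Defaults inspect the running system; pass a directory and release to override.
report "${1:-/sys/devices/system/cpu/vulnerabilities}" "${2:-$(uname -r)}" ||
    echo "action needed (status $?)"
```

A non-zero status after a kernel update means the running kernel still reports at least one issue as unmitigated, so confirm that the machine was rebooted into the new kernel before looking further.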
Unfortunately, as I previously stated, FreeBSD was notified later than others and is still working on the patches; we hope they are available soon for both the 11 and 10.3 kernel versions.
What Danger Am I In?
The vulnerabilities are real, are architectural rather than software issues, and will remain there unless addressed.
Not many people know how to use the vulnerabilities, and it is not easy to do so, as there is little information. But if someone who knows what they are doing targets you, you may completely lose control over your system. In this case, it is better to be safe than sorry: losing your passwords is a top-level security issue. Contact us today if you have questions about Meltdown, Spectre or any other threats to the security of your business.
Update: January 23, 2018
Intel has told computer manufacturers to stop rolling out its fix for the Spectre CPU flaw.
The advice to stop offering the firmware update comes after the tech giant investigated and found that the patch was causing unexpected reboots on systems with Intel processors. Intel advises waiting for a new firmware update, which is currently under test, and said that later this week it will inform the public when this new fix will be widely available.