Skip to main content

Hitachi

Hitachi Incident Response Team

Hitachi Incident Response Team

HIRT-PUB18001 : Meltdown, Spectre and CPU Vulnerability Variant issues

Last Update: September 10, 2018

In early January 2018, issues known as Meltdown and Spectre were reported as CPU vulnerabilities. Because these vulnerabilities affect many CPUs, such as those manufactured by Intel, AMD, and ARM, and therefore affect many information systems, related information was published from various security vendors, researchers and medias. HIRT-PUB18001 introduces the issues associated with Meltdown and Spectre.

[Update] At the end of May 2018, CPU Vulnerability Variant issues were reported.

[Update] At the middle of June 2018, CPU Vulnerability Variant issues were reported.

[Update] At the middle of July 2018, CPU Vulnerability Variant issues were reported.

[Update] At the middle of August 2018, CPU Vulnerability Variant issues were reported.

1. Overview

Many articles about Meltdown and Spectre use the words "speculative execution".


About Speculative Execution

In order to take maximum advantage of high-speed CPUs, PC are equipped with functionality such as out-of-order execution, which processes instructions as they are able to be processed rather than processing them in order, and branch prediction, which predicts the next choice to be made based on processing history, and performs the predicted processing in advance. This type of functionality is referred to by the general term "speculative execution". Because speculative execution involves performing work in advance, it is effective in increasing the efficiency of processing. However, irregular situations also occur in which the results are ineffective or in which instructions that do not need to be processed are executed, and the results of the processing performed in advance become unnecessary. Exploits such as Meltdown and Spectre can abuse vulnerabilities in this situation. The vulnerabilities came about because the security mechanisms that have existed up to this point did not take into account operations performed during these irregular situations.


Next, we will examine the issues associated with Meltdown and Spectre.


1.1 Meltdown

Meltdown utilizes the functionality that processes instructions as they are able to be processed rather than processing them in order (out-of-order execution) to process data that cannot be accessed without the appropriate permissions, and to execute processing that utilizes such data. By doing so, Meltdown enables information related to data that cannot be accessed without the appropriate permissions to be stored in cache memory, which can be accessed even without permission (Figure 1). Meltdown causes a problem because it allows the execution of processing of data that should not be processed.


Figure 1: [Meltdown] CVE-2017-5754: Rogue Data Cache Load
Figure 1: [Meltdown] CVE-2017-5754: Rogue Data Cache Load


1.2 Spectre

Spectre takes two approaches, both of which utilize the functionality that predicts the next choice to be made based on processing history, and performs the predicted processing in advance (branch prediction). The first approach accesses areas that cannot be accessed without the appropriate permissions while the CPU is checking whether access is being made to areas that should be inaccessible, thereby storing, in cache memory, information related to the data in the inaccessible areas (Figure 2). The other approach exploits the functionality that predicts the memory addresses of branches based on the processing history in order to induce the prediction of the memory addresses of incorrect branches, thereby reading data in areas that should be inaccessible (Figure 3).


Figure 2: [Spectre] CVE-2017-5753: Bounds Check Bypass
Figure 2: [Spectre] CVE-2017-5753: Bounds Check Bypass


Figure 3: [Spectre] CVE-2017-5715: Branch Target Injection
Figure 3: [Spectre] CVE-2017-5715: Branch Target Injection


1.3 CPU Vulnerability Variant issues

RSRE (Variant 3a) is a similar issue of Meltdown. An attacker with local user access may be able to use timing side-channel analysis to determine the values stored in system registers.

SSB, SpectreNG (Variant 4) is issue that systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may read an earlier value of the data.


2. Impact

Table 1: Impact

Date PublicJanuary 30, 2018
NameMeltdown
Variant 3
Spectre
Variant 1
Spectre
Variant 2
VulnerabilityRogue Data Cache Load (CVE-2017-5754)Bounds Check Bypass (CVE-2017-5753)Branch Target Injection (CVE-2017-5715)
ImpactLeakage of information stored in memory
SeverityCVSS:2.0/AV:L/AC:M/Au:N/C:C/I:N/A:N
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected CPUIntel, IBM POWERIntel, AMD, ARM, IBM POWER
Scenarios where attackers may attempt to leverage these vulnerabilitiesCircumvents the address space layout randomization function of the kernel.Attacks against virtualized hosting environments. For example, an attacker might gain access to a host OS from a guest OS.
Attacks via a web browser. For example, sensitive information stored by a web browser could be leaked.


Date PublicMay 21, 2018June 13, 2018
NameRSRE
Variant 3a
SSB, SpectreNG
Variant 4
 
VulnerabilityRogue System Register Read (CVE-2018-3640)Speculative Store Bypass (CVE-2018-3639)Lazy FP state restore (CVE-2018-3665)
ImpactLeakage of information stored in memory
SeverityCVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Affected CPUIntel, AMD, ARMIntel, AMD, ARM, IBM POWER
Scenarios where attackers may attempt to leverage these vulnerabilities


Date PublicJuly 10, 2018
NameBCBS
Spectre 1.1
Spectre 1.2
VulnerabilityBounds Check Bypass Store (CVE-2018-3693)Read-only Protection Bypass
ImpactLeakage of information stored in memory
SeverityCVSS:2.0/AV:L/AC:M/Au:N/C:C/I:N/A:N
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected CPUIntel, AMD, ARM
Scenarios where attackers may attempt to leverage these vulnerabilities


Date PublicAugust 14, 2018
NameForeshadow
Foreshadow-SGX
Foreshadow-OSForeshadow-VMM
VulnerabilityL1 Terminal Fault (L1TF) SGX (CVE-2018-3615)L1 Terminal Fault (L1TF) OS/SMM (CVE-2018-3620)L1 Terminal Fault (L1TF) VMM (CVE-2018-3646)
ImpactLeakage of information stored in memory
SeverityCVSS:2.0/AV:L/AC:L/Au:N/C:C/I:P/A:N
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Affected CPUIntel
Scenarios where attackers may attempt to leverage these vulnerabilities

3. Solution

Table 2: Countermeasure approaches

Date PublicJanuary 30, 2018
NameMeltdown
Variant 3
Spectre
Variant 1
Spectre
Variant 2
VulnerabilityRogue Data Cache Load (CVE-2017-5754)Bounds Check Bypass (CVE-2017-5753)Branch Target Injection (CVE-2017-5715)
Basic countermeasure approachesApply OS updates.Apply application updates.Apply application, OS, and firmware updates.
Firmware updatesIntelApply OS updates.Apply OS and firmware updates.
Facts About the New Security Research Findings and Intel Products
INTEL-OSS-10003INTEL-OSS-10002
AMDNot affectedApply OS updates.Apply OS and firmware updates.
AMD Processors: Google Project Zero, Spectre and Meltdown
ARMVulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
IBM POWERPotential Impact on Processors in the POWER Family
OS updatesWindowsADV180002
Mac Fixed since iOS 11.2.2, macOS High Sierra 10.13.2 Supplemental Update
Red HatKernel Side-Channel Attacks
AndroidAndroid Security Bulletin - January 2018
Android Security Bulletin - April 2018
Android Security Bulletin - May 2018
ChromeFixed since 64.0.3282.144
Virtual environment updatesVMware VMSA-2018-0002, VMSA-2018-0004
VMSA-2018-0007
Red HatHow to patch my RHV environment for Meltdown and Spectre CVE(CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715)?
Browser updatesChrome Fixed since 64.0.3282.119
Actions required to mitigate Speculative Side-Channel Attack techniques
FirefoxFixed since 57.0.4
SafariFixed since 11.0.2
IE/EdgeFixed since KB4056890 and etc.
Mitigating speculative execution side-channel attacks in Microsoft Edge and Internet Explorer


Date PublicMay 21, 2018June 13, 2018
NameRSRE
Variant 3a
SSB, SpectreNG
Variant 4
 
VulnerabilityRogue System Register Read (CVE-2018-3640)Speculative Store Bypass (CVE-2018-3639)Lazy FP state restore (CVE-2018-3665)
Basic countermeasure approaches
Firmware updatesIntelINTEL-SA-00115: Q2 2018 Speculative Execution Side Channel UpdateINTEL-SA-00145: Lazy FP state restore
AMDAMD Processor Security Updates
ARMVulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
IBM POWERPotential Impact on Processors in the POWER Family
OS updatesWindowsADV180013ADV180012ADV180016
Mac
Red HatWhat is CVE-2018-3640?Speculative Store Bypass explained: what it is, how it works
AndroidAndroid Security Bulletin - January 2018
Chrome
Virtual environment updatesVMwareVMSA-2018-0012
Red Hat
Browser updatesChrome
Firefox
Safari
IE/Edge


Date PublicJuly 10, 2018
NameBCBS
Spectre 1.1
Spectre 1.2
VulnerabilityBounds Check Bypass Store (CVE-2018-3693)Read-only Protection Bypass
Basic countermeasure approaches
Firmware updatesIntelINTEL-OSS-10002
AMD
ARMVulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
IBM POWER
OS updatesWindowsADV180002
Mac
Red HatCVE-2018-3693
Android
Chrome
Virtual environment updatesVMware
Red Hat
Browser updatesChrome
Firefox
Safari
IE/Edge


Date PublicAugust 14, 2018
NameForeshadow
Foreshadow-SGX
Foreshadow-OSForeshadow-VMM
VulnerabilityL1 Terminal Fault (L1TF) SGX (CVE-2018-3615)L1 Terminal Fault (L1TF) OS/SMM (CVE-2018-3620)L1 Terminal Fault (L1TF) VMM (CVE-2018-3646)
Basic countermeasure approaches
Firmware updatesIntelINTEL-SA-00161: Q3 2018 Speculative Execution Side Channel Update
AMD
ARM
IBM POWER
OS updatesWindowsADV180018
Mac
Red HatL1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646
Android
Chrome
Virtual environment updatesVMwareVMSA-2018-0021VMSA-2018-0020
Red HatL1TF - L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646
Browser updatesChrome
Firefox
Safari
IE/Edge


In order to resolve the Meltdown and Spectre issues, partial firmware updates are necessary. However, it is also possible to mitigate the threat by updating applications (such as browsers and virtual environments) and OSs, and it will be necessary to thus implement a defense-in-depth. In addition, however, we have received reports not only of the threat of cyberattacks, but also that the countermeasures result in degraded performance and issues with restarting devices. Therefore, operability must be sufficiently considered when implementing these particular vulnerability countermeasures. As a result, when considering the necessity and details of countermeasures (such as whether to update browsers, virtual environments, OSs, and firmware) and the implementation period, it is necessary to take the following into account: (1) the threat status of cyberattacks, (2) performance degradation as a result of countermeasures, and (3) system failures occurring as a result of countermeasures.


(1) The threat status of cyberattacks

The following types of cyberattacks are possible: Attacks against virtual hosting environments (such as access to a virtual hosting environment by accessing the host OS from a guest OS), and attacks via a web browser (such as leakage of sensitive information stored by a web browser. Countermeasures must be prioritized for environments in which one or both of these types of cyberattacks are possible. Although the AV-TEST Institute in Germany reports the discovery of 139 malware samples that exploit the issues dubbed Meltdown and Spectre.


(2) Performance degradation as a result of countermeasures

The actual impact of countermeasures on performance might vary greatly depending on workloads, hardware, devices, and system restrictions. It is important to achieve balance in the trade-off between security and performance, based on already-published materials about the effects of countermeasures on performance, and on the results of verification performed on the actual devices.

  • Windows Client
    Materials published by Intel report a comparatively serious decline in performance, based on benchmarks that assume the use of programs such as Microsoft Office. In addition, materials published by Microsoft report that, for new CPUs that utilize silicon, many users do not notice a change in performance.
  • Windows Server
    Materials published by Microsoft report that, because performance is more seriously impacted, it is important to achieve balance in the trade-off between security and performance.
  • Red Hat
    Materials published by Red Hat report an 8-19% decline in performance, based on benchmarks such as OLTP and database workloads.



(3) System failures occurring as a result of countermeasures

The following failures, such as problems with restarting devices as the result of updates, have been reported. When responding to Meltdown and Spectre issues, it is also important from the perspective of ensuring operational continuity to consider system failures that occur as the result of countermeasures.

  • Microsoft
    If a security update is applied in an environment in which anti-virus software that is not compatible with the security update is installed, the device might become unable to boot.
  • Intel
    On January 1, 2018, a reboot issue (higher system reboots) was reported as having occurred after applying firmware updates. On January 22, an announcement recommended that, based on this reboot issue, the deployment of the problematic version was to be suspended. At the same time, investigation into the trouble continues.



5. References


5.1 Vulnerability Enumeration

This vulnerability has been assigned the following enumeration.


5.2 Related Information

6. Update history

October 29, 2018
  • Update: 4. Hitachi Product Information
September 10, 2018
  • Add: L1TF SGX (CVE-2018-3615), L1TF OS/SMM (CVE-2018-3620) and L1TF VMM (CVE-2018-3646)
August 08, 2018
  • Add: Bounds Check Bypass Store (CVE-2018-3693)
June 18, 2018
  • Add: Lazy FP state restore (CVE-2018-3665)
June 06, 2018
  • Add: IBM POWER
June 01, 2018
  • Change title: "[tutorial] Meltdown and Spectre" to "Meltdown, Spectre and CPU Vulnerability Variant issues"
May 28, 2018
  • Add: Rogue System Register Read (CVE-2018-3640) Variant 3a and Speculative Store Bypass (CVE-2018-3639) Variant 4
April 09, 2018
  • This webpage was created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)