
Meltdown CPU Vulnerability


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A hardware vulnerability in almost all Intel x86-based central processing units (CPUs), referred to as Meltdown, may allow an attacker running unprivileged code to read information stored in kernel memory.

Threat details

Meltdown is exploitable on all popular operating systems (OS) and affects all major computer hardware and cloud infrastructure vendors.

Modern operating systems use memory isolation to ensure that applications cannot read each other's memory and that a user process cannot read kernel memory. This isolation is what allows many applications and user processes to share a single machine. For efficiency, the kernel is mapped into the address space of every process, and the CPU is relied upon to enforce the privilege boundary: each page-table entry carries a supervisor bit, and an access from user mode to a supervisor page is rejected. Address translations and recently used data are held in small on-CPU caches (the TLB and the data caches) for speed. Whether a given piece of data is present in these caches can be observed through timing side channels such as Flush+Reload, in which an attacker evicts a memory line, lets the victim run, and then measures how long that line takes to load again. Such attacks usually require detailed knowledge of the targeted process and its memory layout, and so have rarely been seen in practice.

Meltdown is a side-channel attack that needs no such knowledge: an unprivileged user process can dump the whole kernel address space, including any physical memory mapped into it. It exploits the way Intel CPUs implement out-of-order execution, an optimisation in which later instructions are executed before earlier ones have been fully checked and retired. A user-mode load from a kernel address does eventually fault, but the CPU may issue the load, place the value in a temporary register and execute instructions that depend on it before the privilege check takes effect. The attacker arranges for one of those dependent instructions to use the stolen byte as an index into an array they control, so that exactly one cache line of that array is brought into the cache. When the fault is finally raised, the registers are rolled back, but the cache contents are not. The attacker then times a load from each line of the array (the Flush+Reload side channel) and recovers the byte from whichever line loads fast. Repeating this for every address reads out kernel memory byte by byte.

Meltdown therefore defeats both memory isolation and kernel address space layout randomisation (KASLR). Because Linux and macOS (formerly OS X) map all of physical memory into the kernel address space, and Windows maps a large part of it, the attack exposes the entire physical memory on the former and a large portion of it on the latter. The data reachable this way includes personal information, credentials and, where several containers or paravirtualised guests share one kernel, data belonging to other tenants.
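
As an added illustration (not code from this alert, nor from the Meltdown authors), the following C program runs the Flush+Reload part of the attack described above, but on a byte the program is allowed to read. It shows why a byte that has merely been used as an array index, without ever being stored anywhere the program can see, still comes back out through cache timing. The faulting kernel load that Meltdown places in front of the array access is deliberately left out, so nothing is exploited and the program works on patched CPUs. Assumptions: an x86 CPU with rdtscp, 4 KiB pages, and the constants chosen here (`PAGE`, `LINES`, `TRIALS`, the 100-iteration calibration and the scrambled reload order) are the example's own, not anything the alert specifies.

```c
// Added example, not code from the NHS Digital alert or from the Meltdown
// authors: the Flush+Reload cache side channel that Meltdown uses to get a
// transiently loaded byte out of the CPU. Here the "secret" is a byte this
// program may legitimately read, so nothing is exploited and it works on
// patched CPUs; the faulting kernel load that Meltdown puts in front of the
// array access is deliberately left out. Requires an x86 CPU with rdtscp.
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>

#define PAGE   4096   /* one probe line per page: defeats the adjacent-line prefetcher */
#define LINES  256    /* one line per possible byte value */
#define TRIALS 32     /* repetitions to vote over; the channel is noisy */

static uint8_t probe[LINES * PAGE];

/* Cycles taken by one load of *p; rdtscp waits for earlier loads to finish. */
static uint32_t time_load(volatile const uint8_t *p)
{
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    return (uint32_t)(t1 - t0);
}

/* Threshold halfway between a cached and a just-flushed load of the same line. */
static uint32_t calibrate(void)
{
    volatile const uint8_t *p = probe;
    uint64_t hit = 0, miss = 0;
    for (int i = 0; i < 100; i++) {
        (void)*p;                        /* pull the line in */
        _mm_mfence();
        hit += time_load(p);
        _mm_clflush((const void *)p);    /* throw it out again */
        _mm_mfence();
        miss += time_load(p);
    }
    return (uint32_t)((hit + miss) / 200);
}

/* Flush phase: no probe line may be cached before the victim access. */
static void flush_all(void)
{
    for (size_t i = 0; i < LINES; i++)
        _mm_clflush(probe + i * PAGE);
    _mm_mfence();
}

/* Victim phase: the byte selects which probe line becomes cached. In Meltdown
 * this is the dependent, transient access made with a byte read from a kernel
 * address; here the byte is ordinary program data. */
static void encode_byte(uint8_t value)
{
    volatile const uint8_t *line = probe + (size_t)value * PAGE;
    (void)*line;
}

/* Reload phase: the one line that loads fast is the byte that was encoded. */
static int reload_find(uint32_t threshold)
{
    int best = -1;
    uint32_t best_t = UINT32_MAX;
    for (int k = 0; k < LINES; k++) {
        int i = (k * 167 + 13) & 255;    /* scrambled order defeats stride prefetch */
        uint32_t t = time_load(probe + (size_t)i * PAGE);
        if (t < threshold && t < best_t) { best_t = t; best = i; }
    }
    return best;
}

/* Run the channel TRIALS times and majority-vote. Returns -1 when no line
 * ever crossed the threshold, e.g. under emulation or heavy noise. */
int recover_byte_via_cache(uint8_t secret)
{
    int hits[LINES] = {0};
    for (size_t i = 0; i < LINES; i++)
        probe[i * PAGE] = 1;             /* fault the pages in first */
    uint32_t threshold = calibrate();
    for (int t = 0; t < TRIALS; t++) {
        flush_all();
        encode_byte(secret);
        _mm_mfence();
        int guess = reload_find(threshold);
        if (guess >= 0) hits[guess]++;
    }
    int best = -1, best_n = 0;
    for (int i = 0; i < LINES; i++)
        if (hits[i] > best_n) { best_n = hits[i]; best = i; }
    return best;
}

#else  /* not x86: the channel cannot be demonstrated, report unsupported */
int recover_byte_via_cache(uint8_t secret) { (void)secret; return -1; }
#endif

int main(void)
{
    uint8_t secret = 'M';   /* constructed sample, standing in for a leaked kernel byte */
    int got = recover_byte_via_cache(secret);
    printf("encoded 0x%02x, cache timing says %d\n", secret, got);
    return got == secret ? 0 : 1;
}
```

Build with an ordinary C compiler on x86-64 Linux and run it a few times; the value printed by the reload phase matches the encoded byte even though the byte never passed through any shared variable. The real attack differs only in where the byte comes from: `encode_byte` would read it from a kernel address inside the window before the fault is delivered, with a SIGSEGV handler (or a transactional-memory region) to survive the fault. Kernel page-table isolation removes the kernel mapping from user-mode page tables, so that load no longer returns data and there is nothing for the side channel to carry.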

For further information and technical analysis:


Threat updates

1 Feb 2018: AV-Test, a German antivirus testing company, has released hashes of a number of samples, claiming they are the first evidence of possible malware exploiting the Meltdown and Spectre vulnerabilities. All samples appear to be JavaScript-based web browser attacks derived from one of the previously published proof-of-concept attacks.


Remediation advice

All vendors have released, or have planned, patches to remediate Meltdown. Intel has stated that there may be some performance degradation, dependent on the type of CPU and workload. It is recommended that you contact your vendors for further guidance and check the performance impact before applying any updates. It has also been confirmed that the KAISER patch set, originally written to harden KASLR and merged into Linux as kernel page-table isolation (KPTI), protects against Meltdown by unmapping almost all of the kernel from the page tables used while a process runs in user mode.
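
As an added example (not part of this alert), the following C program checks whether a Linux host actually has KPTI active, using the kernel's own reporting rather than patch-level guesswork. It assumes a kernel of 4.15 or later, or a distribution backport, which exposes the file /sys/devices/system/cpu/vulnerabilities/meltdown and a "pti" entry in the /proc/cpuinfo flags; anything older is reported as unknown rather than guessed. The function and enumerator names are the example's own.

```c
// Added example, not part of the NHS Digital alert: check whether a Linux
// host has kernel page-table isolation (KPTI, the merged form of the KAISER
// patch set) active, using the kernel's own reporting. Assumes Linux 4.15+
// or a distribution backport, which expose
// /sys/devices/system/cpu/vulnerabilities/meltdown and a "pti" CPU flag;
// anything older is reported as unknown rather than guessed.
#include <stdio.h>
#include <string.h>

enum meltdown_state {
    MELTDOWN_NOT_AFFECTED,   /* CPU is not subject to Meltdown */
    MELTDOWN_MITIGATED,      /* KPTI active */
    MELTDOWN_VULNERABLE,     /* affected CPU, no mitigation */
    MELTDOWN_UNKNOWN         /* kernel too old or unexpected text */
};

/* Classify the one-line contents of .../vulnerabilities/meltdown. */
enum meltdown_state classify_sysfs(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0)    return MELTDOWN_NOT_AFFECTED;
    if (strncmp(line, "Mitigation: PTI", 15) == 0) return MELTDOWN_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)      return MELTDOWN_VULNERABLE;
    return MELTDOWN_UNKNOWN;
}

/* 1 if a /proc/cpuinfo line "key ... : tok tok tok" contains token as a
 * whole word, so that "pti" is never matched inside a longer flag name. */
int cpuinfo_line_has(const char *line, const char *key, const char *token)
{
    size_t klen = strlen(key), tlen = strlen(token);
    const char *p;
    if (strncmp(line, key, klen) != 0 || (p = strchr(line, ':')) == NULL)
        return 0;
    for (p++; *p != '\0'; ) {
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
        if (*p == '\0') break;
        const char *end = p;
        while (*end != '\0' && *end != ' ' && *end != '\t' && *end != '\n') end++;
        if ((size_t)(end - p) == tlen && memcmp(p, token, tlen) == 0) return 1;
        p = end;
    }
    return 0;
}

/* Live check: prefer the sysfs verdict, fall back to /proc/cpuinfo. */
enum meltdown_state host_meltdown_state(void)
{
    char line[8192];
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/meltdown", "r");
    if (f != NULL) {
        enum meltdown_state s = MELTDOWN_UNKNOWN;
        if (fgets(line, sizeof line, f) != NULL) s = classify_sysfs(line);
        fclose(f);
        return s;
    }
    f = fopen("/proc/cpuinfo", "r");
    if (f == NULL) return MELTDOWN_UNKNOWN;
    int pti = 0, bug = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        pti |= cpuinfo_line_has(line, "flags", "pti");          /* KPTI on */
        bug |= cpuinfo_line_has(line, "bugs", "cpu_meltdown");  /* affected CPU */
    }
    fclose(f);
    if (pti) return MELTDOWN_MITIGATED;
    if (bug) return MELTDOWN_VULNERABLE;
    return MELTDOWN_UNKNOWN;
}

static const char *state_names[] = { "not affected", "mitigated (KPTI)", "VULNERABLE", "unknown" };

int main(void)
{
    /* Constructed sample lines, as a kernel with KPTI active prints them. */
    const char *sysfs_sample = "Mitigation: PTI\n";
    const char *flags_sample = "flags\t\t: fpu vme de pse sse2 ht pti\n";
    printf("sample sysfs line -> %s\n", state_names[classify_sysfs(sysfs_sample)]);
    printf("sample flags line -> pti %s\n",
           cpuinfo_line_has(flags_sample, "flags", "pti") ? "present" : "absent");
    printf("this host         -> %s\n", state_names[host_meltdown_state()]);
    return 0;
}
```

The sysfs file is authoritative when present: "Mitigation: PTI" means the kernel is running with separate user and kernel page tables, "Vulnerable" means the CPU is affected and the mitigation is off (for example disabled with the `nopti` boot parameter), and "Not affected" means the CPU does not need it. A patch having been installed is not the same as the mitigation being active, so a check like this belongs in post-patch verification alongside the performance measurement the advice above recommends.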

Remediation steps

Apply the vendor updates for the following system types as a priority:
  • Hypervisors and other virtualisation or containerisation systems
  • Web browsers
  • Desktop devices
  • Personal or mobile devices

All other systems should be patched using your standard process.

A list of vendor information is given below. Note: this list may not be current or comprehensive.

Update

The media attention surrounding the Meltdown and Spectre vulnerabilities gives attackers an opportunity, providing new delivery vectors and social-engineering pretexts. Fraudulent updates have been observed that claim to remediate these vulnerabilities. These fake patches are being used as an infection path for other malware, such as Smoke Loader, and do not fix or mitigate the vulnerabilities. Further instances are likely as organisations look to patch in the coming months.

Users are reminded that only vendor-issued patches are able to remediate Meltdown and Spectre.

Update

New guidance has been issued by Intel recommending that users cease deployment of the microcode updates related to Meltdown and Spectre. These updates have been found to cause unexpected reboots and other unstable behaviour on affected devices, and Intel has withdrawn the available microcode until the issue is rectified.

More information can be found here.

Update

Intel has released new microcode for selected Broadwell and Haswell chips. More information can be found here.



CVE Vulnerabilities

Last edited: 17 February 2020 12:48 pm