Last week, a major security vulnerability was found in Intel processors, which makes it necessary to update your operating system, whether it is Linux, macOS or Windows.
On new Intel chips with PCID the performance will not change much, but the difference will still be noticeable. The bug concerns all Intel processors released in the last decade, and it cannot be fixed with an ordinary update. It allows ordinary programs, such as browsers, to access at least some of the data that is protected in memory. This flaw can be used by hackers and viruses to obtain your personal information.
The first reports contained only part of the information. This bug, which was named "Meltdown", affects only Intel processors released in the last ten years. However, another bug was discovered that threatens AMD and ARM processors; it is called Spectre. This means that all devices with AMD, Intel and ARM processors are under threat.
A researcher from the Project Zero team, Jann Horn, demonstrated how memory that is supposed to be protected can be accessed. For example, an unauthorized user can read important information from memory, such as passwords, decryption keys, etc. Tests also showed that from inside a virtual machine it is possible to access the physical memory of the computer, as well as the memory of another virtual machine.
To fix the bug, protected memory has to be separated from user processes using Kernel Page Table Isolation (KPTI).
Thus, to close the vulnerability, it is enough to split the virtual address space of the process from that of the system kernel. But this greatly slows down the system, since system calls take much longer, which is what we see on systems where the patches are already installed.
Meltdown is assigned the number CVE-2017-5754. The Spectre vulnerability, found in AMD processors, works on a similar principle. It has two identifiers: CVE-2017-5753 and CVE-2017-5715. There, too, the processor predicts which instruction will be executed and stores the result in the cache. But Spectre only allows bypassing the restriction on access to the memory of other applications; it gives no access to the system kernel and is more difficult to exploit. This vulnerability affects many more processor architectures: not only Intel and AMD but also ARM. Protecting against Spectre is not possible simply by adding isolation; each application has to protect itself, or the cache has to be flushed constantly. That, first, requires recompiling all applications and, second, reduces performance. A universal patch for Spectre does not exist yet.
How To Protect Against Meltdown And Spectre In Linux
Linux developers have worked very hard to solve the problem, and this work is still going on. Kernel version 4.14.2 contains all the currently available fixes. In a few days, version 4.14.13 will be released with additional bug fixes. Patches have also been added to the stable 4.4 and 4.9 kernels, but these patches are very different from those in 4.14 and 4.15 and close far fewer problems.
If you use Linux with an older kernel, there are no patches for you and there will not be any. Greg Kroah-Hartman said that the absence of Meltdown fixes is so insignificant compared to other problems in these kernels that it is useless to release them. If you use an ARM64 processor, patches are not available yet, but they will be available in the 4.15 kernel in a few weeks. For ARM, the fixes will be backported to the 3.18, 4.4 and 4.9 branches. Everything written above addresses the Meltdown vulnerability (CVE-2017-5754).
Spectre is another story. There are no universal patches for fixing Spectre yet. This is because all the kernel developers were working on the more serious problem, Meltdown. The developers also had insufficient information about what this vulnerability is. They will need several weeks to solve these problems. Everything is complicated by the fact that it is not enough to apply one patch at the kernel level; changes have to be made to each application separately. And something tells me that the developers of many products will simply not bother with any of this.
If you use Linux on a platform other than x86 or ARM, be very careful. For other platforms, patches are not yet available and none are planned. It is known that not only Intel and AMD chips are vulnerable, but also Power 8, Power 9, System z and SPARC.
As for distributions, Red Hat, CentOS, Ubuntu, Debian, ArchLinux, LinuxMint, OpenSUSE and others have already released patches for protection against Meltdown. You can now upgrade the system, or at least the kernel, and stop worrying about this attack.
sudo apt update && sudo apt full-upgrade   # Debian, Ubuntu, Linux Mint
sudo dnf update                            # Fedora
sudo yum update                            # Red Hat, CentOS
And do not forget to reboot the system after the update. With Spectre, everything is much more complicated. Kernel-level changes that reduce the likelihood of an attack already exist in most distributions, so it is advisable to update. As for applications, the developers and maintainers are working on fixes. To track the Meltdown and Spectre fixes in Ubuntu, you can follow the pages for CVE-2017-5753 and CVE-2017-5715. At the moment, Firefox 57.0.4 has already been fixed, and to enable protection in Chromium, you need to open the chrome://flags tab and enable the "Strict site isolation" option.
How To Check The Vulnerability Of The System
You can see whether your system is protected from Meltdown by checking whether kernel page table isolation is enabled. To do this, you can use several commands:
grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
If the command prints unpatched, then you are still vulnerable. Another way to check the same thing is to look at the configuration of the running kernel:
zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
Or look in the dmesg log:
dmesg | grep "Kernel/User page tables isolation: enabled"
Again, if there is no such line, then isolation is turned off and you are in danger. There is also a script that you can use to test for both Spectre and Meltdown. To download it you will need git:
git clone https://github.com/speed47/spectre-meltdown-checker.git
cd spectre-meltdown-checker
chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh
You can check whether your browser is vulnerable to Spectre and Meltdown using this script.
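The three manual checks above (boot config, /proc/config.gz, dmesg) can be combined so that a kernel built with isolation is not mistaken for one that is actually running with it. This is an added example, not part of the original article or of spectre-meltdown-checker; the function names are hypothetical, and the nopti and pti=off boot parameters it looks for are kernel options the article does not mention.

```shell
#!/bin/sh
# Added example: the three manual KPTI checks as one verdict.
# Function names are this example's own.

# config_has_kpti FILE: 0 = option set, 1 = not set, 2 = file unreadable
config_has_kpti() {
    [ -r "$1" ] || return 2
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$'
}

# cmdline_disables_kpti "CMDLINE": 0 if nopti or pti=off was passed at boot
cmdline_disables_kpti() {
    for arg in $1; do
        case "$arg" in nopti|pti=off) return 0 ;; esac
    done
    return 1
}

# dmesg_shows_kpti "LOG": 0 if the kernel logged that isolation is enabled
dmesg_shows_kpti() {
    printf '%s\n' "$1" | grep -q 'Kernel/User page tables isolation: enabled'
}

# kpti_status CONFIG_FILE CMDLINE DMESG_TEXT: prints a one-word verdict
kpti_status() {
    # Runtime evidence wins: a =y config only proves the code was built in.
    if dmesg_shows_kpti "$3"; then echo active; return; fi
    if cmdline_disables_kpti "$2"; then echo disabled-at-boot; return; fi
    config_has_kpti "$1" && rc=0 || rc=$?
    case $rc in
        0) echo compiled-in-unconfirmed ;;  # boot line may have rotated out of dmesg
        1) echo not-compiled-in ;;
        *) echo unknown ;;
    esac
}

# Gather the same three inputs from the running system.
kpti_live() {
    cfg=/proc/config.gz
    [ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"
    kpti_status "$cfg" "$(cat /proc/cmdline 2>/dev/null)" "$(dmesg 2>/dev/null)"
}

echo "KPTI: $(kpti_live)"
```

Only the verdict "active" confirms protection; "compiled-in-unconfirmed" means the dmesg line was not found, so reboot and check again or run the checker script as root.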
Developers are people too, and from time to time they make mistakes. The Meltdown and Spectre vulnerabilities can be considered one example of such mistakes. All we can do is take care of our own security and update the operating system and programs in time to protect our data from intruders. In any case, now you know how to protect yourself against Meltdown and Spectre.