Kenna Security is now part of Cisco

|Learn more

The Spectre & Meltdown Vulnerabilities: A Risk Based Approach To Remediation

Jan 5, 2018
Ed Bellis
Chief Technology Officer, Co-founder

Share with Your Network

There’s been a lot information and chatter about 3 new vulnerabilities identified by researchers with some working exploits by Google’s Project Zero demonstrating a new class of timing attacks that work on most modern CPUs.

First a little background: There are 3 known variants affecting different processors: CVE-2017-5753, CVE-2017-5754, CVE-2017-5715. These can affect Intel, ARM and AMD processors. Since not all vendors have yet issued a patch, U.S. CERT has an alert that is tracking the various vendors here.

It’s safe to say these vulnerabilities affect a very large swath of computing devices (servers, cloud environments, virtual infrastructure and end user compute) which makes it almost impossible to consider a remediation strategy to address all the vulnerabilities across all compute devices simultaneously. There are several important facts to remember when prioritizing which assets to patch/remediate first. The attacker needs the ability to execute code on the asset. This means certain assets are going to be higher risk than others. In large environments we recommend a prioritized risk based approach to remediation.

  1. Focus on assets that are shared infrastructure such as cloud environments and virtual machines. This is because the threat model here includes attackers running malicious code within their VM to read memory on the host which may include sensitive information from another VM on the same physical host.
  2. Prioritize assets where users may unintentionally run malicious code. This is especially true for end user devices where browsers may execute malicious code by simply visiting a malicious site, again potentially exposing sensitive information. An important point to consider here is not all vendors have issued a patch. Some products such as Chrome will require a configuration change such as the ones found here.
  3. Evaluate other shared infrastructure that may be non-virtual but would still allow someone to execute malicious code to expose sensitive information in memory from other users on the host.

Given the breadth of the potential impact the vendor community has responded quickly including OS vendors, cloud vendors, and browser vendors. Many of the responses include patch updates available immediately. That being said, It’s safe to say these vulnerabilities cut across a very large number of assets across enterprises, but if you take a risk-based approach to your remediation effort, you will lessen the likelihood of an incident due to an exploitation.

Read the Latest Content

Research Reports

Prioritization to Prediction Volume 5: In Search of Assets at Risk

The fifth volume of the P2P series explores the vulnerability risk landscape by looking at how enterprises often view vulnerabilities.
DOWNLOAD NOW
eBooks

5 Things Every CIO Should Know About Vulnerability Management

If you view vulnerability management (VM) as just a small part of your operation, it might be time to take another look.  Managing vulnerabilities is...
DOWNLOAD NOW

Videos

Videos

Get Started Using the Exploit Prediction Scoring System (EPSS).

Cyentia Institute’s Chief Data Scientist and Founder Jay Jacobs gives tips on how to get started using the Exploit Prediction Scoring System (EPSS). You...
READ MORE
FacebookLinkedInTwitterYouTube

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.