Meltdown and Spectre Mitigation. By Sathish Damodaran

Similar documents
Meltdown and Spectre - understanding and mitigating the threats

Meltdown and Spectre - understanding and mitigating the threats (Part Deux)

Spectre, Meltdown, and the Impact of Security Vulnerabilities on your IT Environment. Orin Jeff Melnick

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

THREAT PROTECTION FOR VIRTUAL SYSTEMS #ILTACON #ILTA156

Kaspersky Cloud Security for Hybrid Cloud. Diego Magni Presales Manager Kaspersky Lab Italia

Securing the SMB Cloud Generation

White Paper. How the Meltdown and Spectre bugs work and what you can do to prevent a performance plummet. Contents

KASPERSKY ENDPOINT SECURITY FOR BUSINESS

Presentation by Brett Meyer

MRG Effitas 360 Assessment & Certification Programme Q4 2015

Securing Dynamic Data Centers. Muhammad Wajahat Rajab, Pre-Sales Consultant Trend Micro, Pakistan &

ESAP. Release Notes Build. Oct Published. Document Version

Trend Micro SMB Endpoint Comparative Report Performed by AV-Test.org

FILELESSMALW ARE PROTECTION TEST OCTOBER2017

Anti-Virus Comparative

How To Remove Xp Internet Security 2011 Virus Manually

How To Manually Uninstall Symantec Antivirus Corporate Edition 10.x Client

Anti-Virus Comparative. Factsheet Business Test (August-September 2018) Last revision: 11 th October

MRG Effitas 360 Degree Assessment & Certification Q4 2017

Securing the Modern Data Center with Trend Micro Deep Security

How To Remove Internet Security Pro Virus. Manually >>>CLICK HERE<<<

Symantec Endpoint Protection 12

BREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS

ONLINE BANKING: PROTECTION NEEDED INTRODUCING KASPERSKY FRAUD PREVENTION PLATFORM

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

ESAP Release Notes

MODERN DESKTOP SECURITY

Network Performance Test. Business Security Software. Language: English August Last Revision: 11 th October

MRG Effitas Online Banking / Browser Security Assessment Project Q Results

Symantec Endpoint Protection

Webroot SecureAnywhere AntiVirus (2015)

Prevx 3.0 v Product Overview - Core Functionality. April, includes overviews of. MyPrevx, Prevx 3.0 Enterprise,

MRG Effitas 360 Degree Assessment & Certification Q1 2018

To accelerate our learnings, we brought in an expert in CPU side channel attacks. Anders Fogh

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

CloudAV. Malware Analysis in the Network Cloud. Jon Oberheide. University of Michigan. June 12, 2008 MMC '08

ESAP Release Notes. ESAP and Junos Pulse Secure Access/Access Control Service Compatibility Chart:

Norton 360 vs trend micro vs mcafee vs symantec: which anti-virus solution is best

Trend Micro SMB Endpoint Comparative Report Performed by AV-Test.org

ESAP Release Notes

ConRes IaaS Management Services for Microsoft Azure

SE Labs Test Plan for Q Endpoint Protection : Enterprise, Small Business, and Consumer

Symantec Ransomware Protection

Server Protection Buyers Guide

DOCUMENT* PRESENTED BY

Common Technical Issues... 2

Uninstall Trend Micro Officescan Client Without Password Windows 7

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

White Paper. Securing the virtual infrastructure without impacting performance

Disclaimer. This talk vastly over-simplifies things. See notes for full details and resources.

Security Market Intelligence: Security Risks, Compliance Challenges Fuel Security Spend

Dom Nessi Burns Engineering March 29, 2017 CYBERSECURITY TRENDS 2017 REPORT

Infrastructure Blind Spots Continue to Fuel Personal Data Breaches. Sanjay Raja Lumeta Corporation Lumeta Corporation


Anti-Virus Testing and AMTSO

User Experience Review

Manually Remove Of Xp Internet Security Protect Virus Manually

Insecurity in Security Software

McAfee Network Security Platform 9.2

MRG Effitas Online Banking Browser Security Assessment Project Q Q1 2014

Anti-Virus Comparative

Accessing your Check Point VPN

Symantec Antivirus Manual Removal Tool Corporate Edition 10.x

ESAP Release Notes. ESAP and Junos Pulse Secure Access/Access Control Service Compatibility Chart:

PC SECURITY LABS COMPARATIVE TEST. Microsoft Office. Flash. August Remote code execution exploit. mitigations for popular applications

Providing a Rapid Response to Meltdown and Spectre for Hybrid IT. Industry: Computer Security and Operations Date: February 2018

Component Protection Metrics for Security Product Development: CheckVir Endpoint Test Battery

Hypervisor security. Evgeny Yakovlev, DEFCON NN, 2017

Anti-Virus Comparative

Tech Announcement 2018_1

Remove Mcafee Antivirus Plus 2013 Link Version For 90 Days

COMPARATIVE MALWARE PROTECTION ASSESSMENT

ExamSoft Student Handbook

How To Remove Personal Antivirus Security Pro Virus

ESAP Release Notes. ESAP and Junos Pulse Secure Access/Access Control Service Compatibility Chart:

Anti-Virus Comparative No.1

Side Channel Analysis Security issue ANALYST CONSULTATION JANUARY

Manually Remove Of Xp Internet Security Pro Virus Windows 7

MIS Week 6. Operating System Security. Windows Antivirus

How To Remove A Virus Manually Windows 7 Without Antivirus Security Pro

Firewall Antivirus For Windows Xp Avast 2012 With Key

MRG Effitas Android AV review

White Paper SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS

Introducing MVISION. Cohesive Cloud-based Management of Threat Countermeasures and Devices Leveraging Built-in Device Controls. Jon Parkes.

Enterprise Ransomware Mitigations

Compare Endpoint Security Solutions Cisco

RTTL Certification Test - March Language: English. March Last Revision: 8 th April

Cyber Security. Our part of the journey

Virtualization Device Emulator Testing Technology. Speaker: Qinghao Tang Title 360 Marvel Team Leader

Virtualization security

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

Disclaimer. This talk vastly over-simplifies things. See notes for full details and resources.

IT Security Survey 2019

10 FOCUS AREAS FOR BREACH PREVENTION

AppDefense Cb Defense Configuration Guide. AppDefense Appendix Cb Defense Integration Configuration Guide

Avg Antivirus Manual Latest Version 2013 For Xp

SMALL BUSINESS ENDPOINT PROTECTION JUL - SEP blog.selabs.uk

CounterACT Security Policy Templates

Transcription:

Meltdown and Spectre Mitigation By Sathish Damodaran

Introduction Meltdown allows attackers to read arbitrary physical memory (including kernel memory) for an unprivileged user process. Meltdown uses out of order instruction execution to leak data via a processor covert channel. Spectre abuses branch prediction and speculative execution to leak data from via a processor covert channel. Spectre can only read memory from the current process, not the kernel or other physical memory Overview CPU hardware implementations are vulnerable to side-channel attacks. These vulnerabilities are referred to as Meltdown (https://meltdownattack.com/) and Spectre (https://spectreattack.com/). Impact Meltdown - privilege escalation On any unpatched system if any attacker can execute process they can dump all (or most) physical memory With physical memory, attackers could identify password hashes, execute a mimikartz style attack on windows or find private keys Spectre leaking browser memory Using javascript (perhaps in an advertisement) spectre attacks could be used to leak browser cache or other saved data that pertains to other sites. CVSS Metrics Group Score Vector Base 1.5 AV:L/AC:M/Au:S/C:P/I:N/A:N Temporal 1.2 E:POC/RL:OF/RC:C Environmental 2.0 CDP:ND/TD:H/CR:H/IR:ND/AR:ND https://www.kb.cert.org/vuls/id/584653 Solution and Workaround Windows Server and Client - antivirus https://support.microsoft.com/en-us/help/4072699/important-information-regarding-the-windowssecurity-updates-released "The compatibility issue is caused when anti-virus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update." ^^ you need to contact your AV provider and check their product is compatible, and make sure they add they key to say so. Otherwise you aren't getting protected. Antivirus support chart 4 th January 2018 Sets Vendor Product key Supported Link

Windows Microsoft Defender Y Y Kaspersky Y Y https://support.kaspersky.co.uk/14042 ESET Y Y "Sophos plans to add Anti-Virus key early and next Sophos Central N N week" https://community.sophos.com/kb/en-us/128053 Fix in Eraser Engine 117.3.0.359 Endpoint - being Symantec Protection Y Y pushed out https://pbs.twimg.com/media/dssraxbvoaedpmr.jpg Trend Micro N See link Manual key setting - link to Webroot N Y come Working on a fix, cannot set key thru usual Cyren F-PROT N N update Due later Anti- today or EMSI Malware N N tomorrow "This is currently not supported - engineering team is Endpoint working on McAfee Protection N N it" Assessing Carbon Black N N impact https://success.trendmicro.com/solution/1119183- importantupdates Assessing Cylance PROTECT N N impact https://pbs.twimg.com/media/dstlkbmw4aamtkv.jpg Requires manual key change CrowdStrike Falcon N Y currently https://pbs.twimg.com/media/dstiqkfwkaapu49.jpg

Fix this evening or BitDefender N N tomorrow Fix pushed yesterday to AVAST Y Y customers Update out now. Legacy products F-Secure SAFE Y Y tomorrow. Windows Server Microsoft guidance for Windows Server: https://support.microsoft.com/enus/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution-s Important note: the patch is disabled by default for performance reasons. To enable the mitigations reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f Linux Server Kernel page table isolation (aka KPTI, aka the KAISER patch) removes the mapping of kernel memory in user space processes Because the kernel memory is no longer mapped, it cannot be read by meltdown. This incurs a non-negligible performance impact https://lwn.net/articles/738975/ Windows Client Microsoft guidance for Windows Client: https://support.microsoft.com/enus/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe Mozilla Firefox Firefox will be adding mitigations for websites trying to exploit in Firefox https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/5 Google Chrome Chrome 64, due late January, will include protection for websites trying to exploit: https://www.chromium.org/home/chromium-security/ssca As a workaround you can enable site isolation, this causes chrome to load each site into its own process so even if same origin policy is bypassed you can steal data from another site

Microsoft Edge and Internet Explorer 11 Microsoft have released an update on 3 rd January which includes protection for websites trying to exploit: https://blogs.windows.com/msedgedev/2018/01/03/speculative-execution-mitigations-microsoft-edgeinternet-explorer/ Amazon AWS - cloud AWS has protected their customers: https://aws.amazon.com/security/security-bulletins/aws-2018-013/ Azure "The majority of Azure infrastructure has already been updated to address this vulnerability. Some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect. Many of you have received notification in recent weeks of a planned maintenance on Azure and have already rebooted your VMs to apply the fix, and no further action by you is required." https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/ Xen hypervisors You want to mitigate these ASAP, particularly if you use hypervisor as a security layer (e.g. bank or cloud provider): https://xenbits.xen.org/xsa/advisory-254.html VMware You want to patch these ASAP if you use hypervisor as a security layer (e.g. a bank or cloud provider). Advisory and patches: https://blogs.vmware.com/security/2018/01/vmsa-2018-0002.html

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback