ContentKeeper security advisory for Meltdown (CVE-2017-5754) and Spectre: (CVE-2017-5753 and CVE-2017-5715) CPU vulnerabilities
Meltdown and Spectre are two related vulnerabilities that are present in nearly all modern processors. They arise from side-channel attacks on some aspects of speculative executions in these chips and can allow a malicious program to read the memory contents of another program running on the same machine. This could allow the theft of privileged information including passwords and sensitive documents.
A general description of both vulnerabilities is provided by Graz University of Technology at https://spectreattack.com/ which also hosts links to two academic papers that describe the vulnerabilities in detail, as well as a list of statements and security notices from hardware and Operating System manufacturers.
A higher-level, non-technical explanation has also been made available at the red hat blog.
Like virtually all modern servers, ContentKeeper Appliances are affected by these vulnerabilities in-so-far as they contain the chips that are vulnerable; However, the practical risks to ContentKeeper devices are low as the attack surface on any ContentKeeper device has been designed from inception to be as small as possible. In order for any vulnerability to be exploited, the attacker must be able to execute malicious code on the device. The ContentKeeper bridge interfaces that interact with the overwhelming majority of Internet-bound network traffic have no vulnerability to a Meltdown or Spectre attack by any actual or theorized method currently known to ContentKeeper Technologies.
ContentKeeper recommends that customers who require a highly secure installation, connect the physically separate ContentKeeper management port to a secure management network or to a single air-gapped management device.
Many companies including ContentKeeper will be releasing patches that aim to reduce or eliminate the risk from these vulnerabilities in the coming weeks and months. Because the updates aim to change low-level system behavior, they can have extremely broad side-effects (especially in relation to CPU performance) and must be very thoroughly tested before release, hence a sensible balance must be struck between haste and the real risk of a successful attack.
The Meltdown and Spectre vulnerabilities are an excellent example of why multi-layered defense strategies are essential. This vulnerability has existed in the wild for over 20 years without becoming publicly known until now. There is no guarantee that it was not privately known for some, or even most of the time it existed, being saved and exploited by spy agencies or cybercriminals. A multi-layered defense architecture goes a long way to preventing exploitation of these vulnerabilities by blocking or mitigating the vectors that are required to execute a successful attack.
Software patches will be made available to reduce the risks posed by Meltdown and Spectre, However, the root problem is embedded in hardware. ContentKeeper expects to see a series of exploits based on these vulnerabilities becoming active in the wild over the medium term, particularly as a result of Spectre Vulnerabilities. At this stage, it seems likely that the ultimate fix will be new processor design. Unfortunately, this means many corporate systems are likely to remain saddled with these vulnerabilities for anywhere from 5 to 10 years.
Once again this clearly illustrates the need to deploy security systems such as ContentKeeper’s Secure Internet Gateway to help protect those systems and other valuable corporate assets.
More details on available patches and remediation will be made available soon.
For more than 20 years, ContentKeeper has delivered comprehensive, accessible web security solutions for global enterprises, educational institutions and government agencies. We enable our customers to protect their networks, users and data from cyber threats while embracing mobile technology, Internet of Things (IoT) and cloud-based services.
About the author: David Wigley Co-Founded ContentKeeper Technologies in 1997 and serves as its Chief Executive Officer. David has many years of experience in software engineering, sales and management within the Computer Security Industry.