There’s been a lot information and chatter about 3 new vulnerabilities identified by researchers with some working exploits by Google’s Project Zero demonstrating a new class of timing attacks that work on most modern CPUs.
First a little background: There are 3 known variants affecting different processors: CVE-2017-5753, CVE-2017-5754, CVE-2017-5715. These can affect Intel, ARM and AMD processors. Since not all vendors have yet issued a patch, U.S. CERT has an alert that is tracking the various vendors here.
It’s safe to say these vulnerabilities affect a very large swath of computing devices (servers, cloud environments, virtual infrastructure and end user compute) which makes it almost impossible to consider a remediation strategy to address all the vulnerabilities across all compute devices simultaneously. There are several important facts to remember when prioritizing which assets to patch/remediate first. The attacker needs the ability to execute code on the asset. This means certain assets are going to be higher risk than others. In large environments we recommend a prioritized risk based approach to remediation.
- Focus on assets that are shared infrastructure such as cloud environments and virtual machines. This is because the threat model here includes attackers running malicious code within their VM to read memory on the host which may include sensitive information from another VM on the same physical host.
- Prioritize assets where users may unintentionally run malicious code. This is especially true for end user devices where browsers may execute malicious code by simply visiting a malicious site, again potentially exposing sensitive information. An important point to consider here is not all vendors have issued a patch. Some products such as Chrome will require a configuration change such as the ones found here.
- Evaluate other shared infrastructure that may be non-virtual but would still allow someone to execute malicious code to expose sensitive information in memory from other users on the host.
Given the breadth of the potential impact the vendor community has responded quickly including OS vendors, cloud vendors, and browser vendors. Many of the responses include patch updates available immediately. That being said, It’s safe to say these vulnerabilities cut across a very large number of assets across enterprises, but if you take a risk-based approach to your remediation effort, you will lessen the likelihood of an incident due to an exploitation.