Meltdown and Spectre FUD Watch
A number of colleagues asked us today whether there are any indicators that a SIEM, or a custom IPS or HIPS, could use to detect these vulnerabilities. Our advice was two-fold.
1- At this point it is not weaponized: there is no known exploit in the wild, only the proof of concept written by the original finders of the vulnerabilities.
2- Where it is exploitable, it is a local exploit, meaning an attacker cannot run the code remotely. The caveat is that exploit code can still be executed locally, so phishing, drive-by web downloads and insider threats all apply. Mozilla has already stated in its blog that the browser was vulnerable and could have been used to run code that results in information disclosure; that was before they shipped mitigations.
How to reduce the fear, uncertainty and doubt (FUD)…
Firstly, this problem to us is in the same category as Heartbleed, but without the remote-access ramifications. That just means there is media hype around a real problem: it is a genuine vulnerability, but there is plenty of lower-hanging fruit that is easier to exploit than this.
Meltdown is a kernel-memory-from-user-space vulnerability, which means code running as an unprivileged user can read kernel memory. Note that the read itself is a cache side channel on speculative execution and generates no audit event; what you can detect is the exploit code arriving and running as a process. So all the normal tactics, techniques and procedures (TTPs) for detection apply: unknown process (event ID 4688 / Sysmon event ID 1), a handle to an object was requested (4656), an attempt was made to access an object (4663; Sysmon event ID 10, ProcessAccess, is the equivalent for one process opening another). In this scenario all SIDs belonging to SYSTEM and the service accounts can be dismissed, as the exploit code would be running under the user's SID.
Spectre is a memory-contents issue, where the attacker's code needs to read the memory space of the running program it wishes to target. The indicators are the same as for Meltdown, with one refinement if you know the SYSTEM or service-account SID that runs your applications: you can identify the issue when an unknown process in event ID 4663 (or Sysmon event ID 10), running under any SID other than your service account or SYSTEM, tries to access a handle or object whose name belongs to the Cisco VPN Client or Windows LSASS.
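The two indicators above (an unknown process under a user SID, and a non-service process touching LSASS or the VPN client) expressed as triage logic over parsed events, as an added example that is not code from the original post. The events are constructed samples already normalised into flat fields, the way a SIEM hands them to a rule; the field names follow the Windows Security and Sysmon schemas loosely, and the SIDs, paths, baseline image list and Cisco VPN client image names are assumptions.

```python
"""Event triage for the Meltdown/Spectre hunting indicators in the post.

Added example, not code from the original post. Events are constructed samples
normalised into flat fields; SIDs, paths and VPN client image names are assumed.
"""
from dataclasses import dataclass

# Well-known SIDs for SYSTEM and the built-in service accounts. Exploit code
# delivered by phishing or a drive-by runs as the interactive user, so
# activity under these SIDs is dismissed for this hunt.
WELL_KNOWN_SERVICE_SIDS = frozenset({
    "S-1-5-18",  # NT AUTHORITY\SYSTEM
    "S-1-5-19",  # NT AUTHORITY\LOCAL SERVICE
    "S-1-5-20",  # NT AUTHORITY\NETWORK SERVICE
})

# Images whose memory holds credentials or VPN state. lsass.exe is real;
# the Cisco VPN client image names are assumptions for this example.
SENSITIVE_IMAGES = frozenset({"lsass.exe", "vpnagent.exe", "vpnui.exe"})

PROCESS_CREATE = {("Security", "4688"), ("Sysmon", "1")}
OBJECT_ACCESS = {("Security", "4663"), ("Sysmon", "10")}


@dataclass(frozen=True)
class Alert:
    rule: str
    event: str        # "<source>/<event id>"
    subject_sid: str
    image: str        # process that was created or did the accessing
    target: str       # object/process touched (empty for process creation)


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def triage(events, trusted_sids=frozenset(), known_images=frozenset()):
    """Apply the post's two indicators to a batch of parsed events.

    The speculative-execution read itself produces no audit event; what these
    rules catch is the process that delivers and hosts the exploit code.
    """
    trusted = WELL_KNOWN_SERVICE_SIDS | frozenset(trusted_sids)
    known = frozenset(p.lower() for p in known_images)
    alerts = []
    for ev in events:
        key = (ev["source"], str(ev["event_id"]))
        sid = ev.get("subject_sid", "")
        if sid in trusted:
            continue  # SYSTEM / service accounts: out of scope for this hunt
        image = ev.get("image", "")
        if key in PROCESS_CREATE and image.lower() not in known:
            alerts.append(Alert("unknown-process", "/".join(key), sid, image, ""))
        elif key in OBJECT_ACCESS and basename(ev.get("target", "")) in SENSITIVE_IMAGES:
            alerts.append(Alert("sensitive-memory-access", "/".join(key), sid,
                                image, ev["target"]))
    return alerts


# Constructed sample data (assumed SIDs and paths).
USER_SID = "S-1-5-21-1111-2222-3333-1001"      # interactive user "alice"
BACKUP_SVC_SID = "S-1-5-21-1111-2222-3333-500"  # a known service account
KNOWN_IMAGES = frozenset({
    "c:\\windows\\system32\\svchost.exe",
    "c:\\program files\\mozilla firefox\\firefox.exe",
    "c:\\windows\\explorer.exe",
})
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4688, "subject_sid": "S-1-5-18",
     "image": "C:\\Windows\\System32\\svchost.exe"},                     # SYSTEM: dismissed
    {"source": "Sysmon", "event_id": 1, "subject_sid": USER_SID,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},     # not in baseline
    {"source": "Sysmon", "event_id": 1, "subject_sid": USER_SID,
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},        # baseline
    {"source": "Sysmon", "event_id": 10, "subject_sid": USER_SID,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},                      # user process -> LSASS
    {"source": "Security", "event_id": 4663, "subject_sid": BACKUP_SVC_SID,
     "image": "C:\\Program Files\\Backup\\agent.exe",
     "target": "C:\\Windows\\System32\\lsass.exe"},                      # known service account
]


def run_sample():
    """Triage the constructed events; returns the two alerts a SOC should see."""
    return triage(SAMPLE_EVENTS, trusted_sids={BACKUP_SVC_SID}, known_images=KNOWN_IMAGES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In a real deployment the baseline of known images comes from your own inventory, and the trusted-SID set from the accounts that legitimately run the applications you are protecting; the SID filter is what keeps the LSASS rule from firing on backup agents and EDR.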
Also note that routine issues such as the installation of device drivers or DLL hijacking could be used as an indirect method of executing code to exploit these vulnerabilities.
The risks are a lot wider than Windows, as the exploits affect multiple processor families and have little to do with operating systems or application software. From a network or security device perspective, executing the code in user mode or kernel mode will be difficult as those devices don't have browsers or email clients; your main risks for malicious intent are interactive devices. Let's not forget these are information disclosure vulnerabilities, so if a user is non-privileged you look at the risk of disclosure for things like credentials, certificates, VPN tokens, etc. Servers don't browse the internet or open emails; the exception is any server that already runs other people's code, such as multi-tenant virtualization, containers or shared hosting, where an untrusted tenant has the local execution these attacks need.
This is by no means meant to be a full analysis of the issue; we just wanted to give some sensible, defusing guidance instead of the doom-and-gloom media attention. Our aim is to reduce the FUD.