Jarrod Johnson
Ixia Security Researcher

Verify Spectre and Meltdown vulnerabilities using these ATI strikes

January 17, 2018 by Jarrod Johnson

The technology world has been shaken recently by Spectre and Meltdown, the two major vulnerabilities that literally affect almost ALL chips that are in production. Most intelligent devices need a chip to operate, which means “smart” devices are potentially vulnerable to these two chip flaws. This, of course, affects our PCs, workstations, mobiles, and most IoT devices. Their impact on cloud infrastructure was also a rude awakening for many who assumed that, once they migrate to the cloud, they no longer have to worry about the nitty-gritty of the underlying hardware. You can find a quick summary and FAQ on both Spectre and Meltdown on this page.

Not the typical network security flaw

On first look, both flaws looked quite low-level, affecting the client CPU rather than being exploited through a regular application. Since most BreakingPoint Application and Threat Intelligence (ATI) strikes exploit network vulnerabilities, these flaws, although very important, didn't look relevant enough to become an ATI strike. However, it soon became clear that the flaws can potentially be exploited through a vulnerable browser using JavaScript.

Most browsers will quickly come out with a patch. However, just like any other browser vulnerability, these flaws are certainly going to live on for some time. This, combined with the multitude of platforms and their browser versions, prompted the ATI team to create a strike that would enable customers to verify whether inline security devices can actually block the attack or not. Below are brief details of both strikes, which will be included in the next ATI security update.

Meltdown (CVE-2017-5754)

This strike demonstrates the Meltdown bug by allowing the user to test their system (locally) to see if it's vulnerable. The strike sends both binaries as a file transfer, and a customer can use any of the file delivery methods (such as SMTP or HTTP) to transfer the file. An attacker can actually run the binary on the infected system, and if it is vulnerable to the Meltdown bug, it will display a hardcoded string along with its physical address location in memory. If the systems are patched for Meltdown, a network security tool should still be able to identify the binary through a signature, or through a sandbox that observes this behavior, and block it.

Spectre (CVE-2017-5753)

Using this server-to-client vulnerability, a malicious server can identify a vulnerable client. The server, in this case, sends a malicious HTML file that includes a JavaScript exploit. The JavaScript is executed in the victim's client browser that, after more transactions, can leak a browser's processor memory.

Figure: Transaction representation of the Spectre vulnerability.

Spectre seems to be a much more severe vulnerability than Meltdown, one that could possibly be exploited by several malicious websites in the near and distant future. This is why it's key for any security tool to identify such malicious signatures or patterns even when they are under evasions. Ixia customers can run Spectre (and its variants) through the hundreds of server-to-client, HTTP, IP, TCP, and Ethernet evasions to ensure their security tools block it all the time, every time.

Ixia's ATI team of researchers works around the clock to ensure we keep pace with the continuous flow of incoming malware and vulnerabilities. Stay updated with the continuous delivery of strikes and applications by downloading the latest strikes published on Ixia's download page. You can also subscribe to our ATI/BreakingPoint Newsletter to keep up with our ongoing activities and learn more about the cool stuff that we are working on.