
Spectre & Meltdown

spdawes

On January 3rd, 2018, researchers from Google, academic institutions, and private companies publicly disclosed two classes of CPU side-channel flaws, Spectre and Meltdown. Meltdown affects nearly every Intel CPU built since 1995; Spectre also affects AMD and ARM processors. The details are tracked in CVE-2017-5753 (Spectre variant 1, bounds check bypass), CVE-2017-5715 (Spectre variant 2, branch target injection), and CVE-2017-5754 (Meltdown, rogue data cache load).

AlienVault is aware of the issue and is actively investigating the risk. As threat intelligence for detecting attacks that exploit Spectre and Meltdown is published, whether by AlienVault or through the Open Threat Exchange (OTX), it will be made available to you immediately.

Exploiting any of these flaws requires running attacker-controlled code on the affected CPU. On USM Appliance that means local code execution, which is not possible without administrative access, so Spectre and Meltdown represent a low risk to AlienVault USM customers. The exception is the virtualization layer: on an unpatched hypervisor a malicious guest can read memory belonging to the host or to other guests, which is why the first recommendation below concerns VMware and Hyper-V.

Our recommendations are:

  1. If you have USM Appliances deployed on VMware or Hyper-V, ensure that the hypervisor vendor's security updates for these CVEs have been applied across your environment; a guest cannot protect itself from a co-resident VM on an unpatched host

  2. Ensure that the controls restricting access to your USM Appliance infrastructure are current, since exploitation requires running code on the appliance

  3. Rotate the passwords of root and any other privileged accounts that have local access to hardware with an Intel CPU on a regular schedule

AlienVault will continue to monitor the situation closely and will carefully evaluate any relevant patches made available by Intel (microcode) and Debian Linux (kernel updates).

Customers with any additional questions or concerns should reach out to AlienVault Support.

bleslie
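Recommendation 1 says to apply updates; a practitioner also wants to confirm that a given Linux host actually picked up the kernel mitigations for the three CVEs. The following is an added example, not AlienVault's code or part of USM Appliance. It reads the `/sys/devices/system/cpu/vulnerabilities/` files that Linux 4.15 (January 2018) introduced for exactly this purpose, maps each of the three entries to its CVE, and treats a missing file (kernel older than 4.15) or an unrecognised status as "unknown" rather than as safe. The two sample status dictionaries are constructed for illustration; `Mitigation: PTI` is the real Meltdown status string, the other values and their combination are made up.

```python
import os
from typing import Dict, List, Optional

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# sysfs entry -> CVE from the advisory. The directory and these three files
# were added in Linux 4.15; older kernels simply do not have them.
SYSFS_TO_CVE = {
    "spectre_v1": "CVE-2017-5753",   # bounds-check bypass
    "spectre_v2": "CVE-2017-5715",   # branch target injection
    "meltdown":   "CVE-2017-5754",   # rogue data cache load
}


def classify(status: Optional[str]) -> str:
    """Map the kernel's free-text status to one of four buckets.

    The kernel writes "Not affected", "Vulnerable", "Vulnerable: <detail>"
    or "Mitigation: <detail>". Anything else, including a missing file,
    is "unknown" and must not be treated as safe.
    """
    if status is None:
        return "unknown"
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs_statuses(vuln_dir: str = SYSFS_VULN_DIR) -> Dict[str, Optional[str]]:
    """Read the three files; None where the file (or the whole directory) is absent."""
    out: Dict[str, Optional[str]] = {}
    for name in SYSFS_TO_CVE:
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                out[name] = fh.read()
        except OSError:
            out[name] = None
    return out


def assess(statuses: Dict[str, Optional[str]]) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {CVE: {"state": bucket, "detail": raw kernel text}} for each CVE."""
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for name, cve in SYSFS_TO_CVE.items():
        raw = statuses.get(name)
        report[cve] = {"state": classify(raw), "detail": raw.strip() if raw else None}
    return report


def needs_attention(report: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """CVEs that are still vulnerable or whose status could not be determined."""
    return sorted(cve for cve, r in report.items() if r["state"] in ("vulnerable", "unknown"))


# Constructed sample (not from a real host): a partially patched early-2018 kernel
# with the Meltdown page-table isolation fix but no Spectre mitigations yet.
SAMPLE_PARTIALLY_PATCHED = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

# Constructed sample: a kernel older than 4.15, where none of the files exist.
SAMPLE_OLD_KERNEL = {"meltdown": None, "spectre_v1": None, "spectre_v2": None}


if __name__ == "__main__":
    live = assess(read_sysfs_statuses())
    for cve, r in live.items():
        print(f"{cve}: {r['state']:13s} {r['detail'] or '(no sysfs entry; kernel older than 4.15?)'}")
    print("needs attention:", needs_attention(live))
```

A "Mitigation" result inside a VM says only that the guest kernel is patched; it tells you nothing about the hypervisor, and the Spectre variant 2 mitigation on Intel additionally depends on updated microcode, so this check complements rather than replaces the hypervisor and firmware updates in recommendation 1.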


Comments

  • I've been trying to have an authenticated vulnerability scan tell me that one of my servers is vulnerable to these CVEs. The Windows server hasn't been updated in months, but the vuln scan results don't show that vulnerability. I'm updating daily and those CVEs are in the threat database.

    I'd appreciate any assistance on understanding why I'm not seeing those vulnerabilities.
  • @ZParker,

    I continued to have the same issues. So I started asking the same questions. The irony of the response I received from AV Support kills me. Keep in mind this is a product that claims Vulnerability Scanning as one of its primary selling points.

    Response from AlienVault Support below:

    Begin

    "I have discussed this with Senior Engineers and
    Development.

    In a nutshell:

    We've got five new rules for the NIDS plugin and five new event types:

    PID:1001, SID:2025184, AlienVault NIDS: "ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)"

    PID:1001, SID:2025185, AlienVault NIDS: "ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript"

    PID:1001, SID:2025188, AlienVault NIDS: "ET WEB_CLIENT Spectre Exploit Javascript"

    PID:1001, SID:2025196, AlienVault NIDS: "ET EXPLOIT Possible Spectre PoC Download In Progress"

    PID:1001, SID:2025195, AlienVault NIDS: "ET EXPLOIT Possible MeltDown PoC Download In Progress"

    The NIDS signatures that we currently have in place detect evidence of the proof-of-concept JavaScript in an HTTP stream. To date there have been no known exploits in the wild outside the PoC, but we will update our detection if/when that changes.

    In other words, vulnerability scanning will not show that a given system is vulnerable to Meltdown or Spectre.

    For now, only NIDS will detect if someone is trying to exploit this vulnerability."

    End Response

    I was extremely disappointed that a product that boasts Vulnerability Scanning would be this useless in detecting one of the most widely existing vulnerabilities.  If you want to use AlienVault for detection of these vulnerabilities you need to wait until they are exploited.  

    Sorry I had to be the one to pass this information along and you've been waiting for a response. 
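The support reply quoted in that comment lists five Emerging Threats SIDs and says that, for now, only NIDS will see an exploitation attempt. As an added example (not code from the thread, from AlienVault, or from the ET ruleset), here is a Python triage script for anyone who also runs Suricata or Snort with the ET rules: it parses fast.log alert lines, keeps only those five SIDs, skips non-alert lines such as engine start-up notices, and groups the hits by the host that received the payload. The fast.log lines are constructed, not captured traffic, and the direction assumption in `affected_hosts` (that these rules fire on the server-to-client half of the HTTP exchange, so the destination is the browser that received the script) is mine and should be checked against the rule text in your own feed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The five Emerging Threats SIDs that AlienVault Support listed in the thread,
# keyed by SID; the value is the vulnerability family each rule is evidence of.
SPECTRE_MELTDOWN_SIDS: Dict[int, str] = {
    2025184: "Spectre",   # ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based)
    2025185: "Spectre",   # ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript
    2025188: "Spectre",   # ET WEB_CLIENT Spectre Exploit Javascript
    2025196: "Spectre",   # ET EXPLOIT Possible Spectre PoC Download In Progress
    2025195: "Meltdown",  # ET EXPLOIT Possible MeltDown PoC Download In Progress
}

# Suricata/Snort "fast" alert format:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {proto} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    msg: str
    proto: str
    src: str
    dst: str
    family: Optional[str]   # "Spectre", "Meltdown", or None for unrelated rules


def parse_fast_log_line(line: str) -> Optional[Alert]:
    """Parse one fast.log line. Returns None for blank or non-alert lines
    (for example engine start-up notices), so a noisy file does not raise."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    sid = int(m.group("sid"))
    return Alert(
        ts=m.group("ts"), sid=sid, msg=m.group("msg"), proto=m.group("proto"),
        src=m.group("src"), dst=m.group("dst"),
        family=SPECTRE_MELTDOWN_SIDS.get(sid),
    )


def spectre_meltdown_alerts(lines: Iterable[str]) -> List[Alert]:
    """Keep only alerts raised by the five SIDs above, in file order."""
    return [a for a in map(parse_fast_log_line, lines) if a is not None and a.family is not None]


def affected_hosts(alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Group alerts by the host that received the PoC payload.

    Assumption (mine, not from the thread): the WEB_CLIENT and PoC-download
    rules match the server-to-client direction, so the destination IP is the
    endpoint that received the script and should be checked for patches.
    Addresses are taken as IPv4 host:port.
    """
    hosts: Dict[str, List[str]] = {}
    for a in alerts:
        ip = a.dst.rsplit(":", 1)[0]
        families = hosts.setdefault(ip, [])
        if a.family not in families:
            families.append(a.family)
    return hosts


# Constructed sample in fast.log format (not real traffic): timestamps, addresses
# and rule revisions are made up; line 4 is a non-alert engine message.
SAMPLE_FAST_LOG = """\
01/09/2018-10:15:02.118762  [**] [1:2025184:2] ET WEB_CLIENT Spectre Kernel Memory Leakage JavaScript (POC Based) [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:80 -> 192.0.2.25:49811
01/09/2018-10:15:02.204115  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.25:49811
01/09/2018-10:16:44.530019  [**] [1:2025195:1] ET EXPLOIT Possible MeltDown PoC Download In Progress [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:443 -> 192.0.2.31:52120
09/01/2018 -- 10:17:00 - <Notice> - This is suricata version 4.0.3 RELEASE
01/09/2018-10:18:10.000441  [**] [1:2025188:3] ET WEB_CLIENT Spectre Exploit Javascript [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:80 -> 192.0.2.25:49902
""".splitlines()


if __name__ == "__main__":
    hits = spectre_meltdown_alerts(SAMPLE_FAST_LOG)
    for a in hits:
        print(f"{a.ts} sid={a.sid} {a.family:8s} {a.src} -> {a.dst}  {a.msg}")
    print("hosts to check:", affected_hosts(hits))
```

Because these signatures only match the published PoC JavaScript, a hit tells you that a known PoC reached a browser, not that data was actually leaked; a miss tells you nothing about hosts that were never probed, which is the gap the commenters are asking the vulnerability scanner to fill.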


  • The network traffic signature works, but the vuln scans aren't, even though the threat intel has been updated. I tested the Spectre PoC yesterday. These links might be helpful to you when testing.


  • Hello @zparker

    One of my physical servers on which I ran a vulnerability assessment actually detected it, but under Internet Explorer:


  • @KyleKat thanks for sharing. It's worth mentioning my test servers are sitting in AWS.
  • Yeah thanks Kyle, that is good news. I just spoke with the Dev and Eng teams at AV yesterday. They did state that additional signatures were supposed to be published for OpenVAS yesterday that would allow discovery through vulnerability scans. I haven't seen proof of this yet, but if I find any I will respond back and let both you and Z know.
  • It doesn't mention Spectre or Meltdown by name but definitely makes a reference to "newly published Intel, AMD vulnerabilities".

    Maybe AV just added more definitions that will be specifically for Spectre and Meltdown? That'd be nice.
  • Could AV engineering provide a list of vulnerability scanning signatures that will detect these vulnerabilities and for what OS flavors? As an MSP we need to reassure our clients that we are detecting it. 
  • I just received this information from AV Support. I attempted to run a scan, but of course now I'm having a cert issue between the appliance and sensors, so I'm going to resolve that first.

    If you all beat me to it, let me know how you fare with this information:

    AV Support:

    Latest feed update (10:9.0.1-3862) contains more detections for vulnerabilities CVE-2017-5715, CVE-2017-5754 and CVE-2017-5753.

    They cover a wide range of OSes including Ubuntu.

    Could you please make sure that you have the latest feed and then run a deep, authenticated scan?
