Meltdown and Spectre Web Application Risk Management
The recently disclosed groundbreaking vulnerabilities have set a precedent for how massive a security vulnerability can be. In the recent years, we have witnessed vulnerabilities that affect major frameworks like Java, PHP, OpenSSL and CGI. We haven’t seen a vulnerability affecting such a fundamental hardware piece in our computers – the CPU – until this day. These vulnerabilities shuffle the cards on all the conventional protection mechanisms that exist in the web today – Same Origin Policy, Cross-Origin Source Sharing, Content Security Policy, et al. The system memory, and IPC (Inter-Process Communication) were considered safe until today, so we could rely on sensitive data residing in memory not leaking outside. Now that the picture has changed, it forces us to think about new attack surfaces. For example, an attacker may host a malicious website that scans the browser memory for data from other websites. If a victim website is still open in another tab, the data on that page may be compromised. Reducing the Attack Surface with “SameSite” Cookie Attribute In order to mitigate some specific attempts of extracting private data, we could consider using the following method. “SameSite” cookie attribute – This attribute, which is already supported by the major browsers, will prevent the browser from sending the cookie in any request which didn’t originate from the same domain. An attacker that would like to “spray” the memory with private data of the victim site could simply create an website that invokes requests or includes iframes pointing to that site. Regardless of the “SameSite” cookie attribute, the attacker would not be able to read the response contents thanks to the SOP (“Same Origin Policy”) mechanism. However, in light of the new vulnerabilities, this trick could result in sensitive data being stored in memory which then could be read by the attacker’s malicious JavaScript. Enabling the “SameSite” cookie attribute will prevent the attacker from controlling authenticated/sensitive data being saved in the memory (no cookie = no session). SameSite attribute is controlled in: Security ›› Application Security : Headers : Cookies List ›› Edit Cookie ›› Insert SameSite AttributeLightboard Lessons: Explaining the Spectre and Meltdown Vulnerabilities
The "Spectre" and "Meltdown" vulnerabilities affect almost every computer in the world. One of the very interesting things about each of these vulnerabilities is that they target the hardware (processor) of the computer rather than the software. Intel is the leading computerprocessor manufacturer in the world, and most Intel processors are vulnerable to both Spectre and Meltdown. Other manufacturers' computer processors are vulnerable as well. These vulnerabilities can allow an attacker to view the entire contents of the memory on a victim's computer. Because so much sensitive data is stored in memory (passwords, personal information, etc), these attacks can be devestating. Watch the video below to learn more about Spectre and Meltdown and how they work. March 21, 2018 UPDATE F5 has released BIG-IP v12.1.3.3 and v13.1.0.4. These versions include fixes for the SPECTRE variant 1 (CVE-2017-5753) and MELTDOWN (CVE-2017-5754) vulnerabilities. The official documentation of these vulnerabilities and details on fixed versions is available from https://support.f5.com/csp/article/K91229003. Related Resources: An in-depth explanation of Meltdown and Spectre Meltdown Attack Whitepaper Spectre Attack Whitepaper Daniel Miessler Blog on Spectre and MeltdownThe DevCentral Chronicles Volume 1, Issue 1
Welcome to 2018! If the kids in the back seat have been chanting, ‘Are we there yet?Are we there yet?’ you can tell them, ‘Yes! Now, Get out the car!’ If, like me, you’ve taken a couple weeks off to enjoy the holidays and New Year, you might be wondering where to start again or what to catch up on. Let me help you. First, the biggest ‘industry’ news so far in this early 2018 has got to be the Spectre and Meltdown vulnerabilities found in computer processors and affects almost every chip (mostly Intel) in the world. From operating systems to chip makers to cloud providers, there’s been a massive effort to get the word out and patch things up. Want to understand the situation better? Check out John Wagnon’s Lightboard Lesson Explaining the Spectre and Meltdown Vulnerabilities. And probably one of the best tweets about the vulnerabilities comes from @infosecgoon According to F5’s David Holmes, Everything old is new again in 2018. And in Return of Bleichenbacher - the ROBOT Attack CVE-2017-6168, David explains the attack, how it affects BIG-IP, how to tell if you are vulnerable and how to mitigate. So, what is the real impact of ROBOT? David notes that the Bleichenbacher attack only affects RSA sessions not protected with the ephemeral keys offered by forward secrecy. All modern browsers and mobile clients have preferred ephemeral keys for several years. As more organizations migrate to the cloud in 2018 – a hybrid one at that, you’ll want to bookmark Chase Abbott’s Welcome to the F5 BIG-IP Migration Assistant. The F5® BIG-IP® Migration Assistant is a tool freely distributed by F5 to facilitate migrating BIG-IP configurations between different platforms. You can use Migration Assistant when you have an existing BIG-IP instance and you want to replace the current hardware with new hardware. Chase gives a great overview of the tool including What can go wrong. Lots of engaging comments on this one and Chase always tells it like it is! Lastly, as we open 2018, DevCentral wants to recognize our newMVPs! The DevCentral MVP Program shines a spotlight on the best, brightest and most active members of our community. We got some new contributors mixed with some old favorites and they are always willing to help with expertise, examples and war stories. Many of the new faces were Featured Members last year so check out their stories like December's Kevin Davies. We got a lot coming in 2018 including more #Basics, Lightboards, Posts of the Week, articles and our always active Q/A forums and Code Share. If you’re a DevCentral member, we appreciate the contributions, if not a DevCentral member, sign up and join one of the most active communities in tech. Welcome to the first DC Chronicles and btw, 2018 will be Year of the Dog, in case you were wondering. ps
