Avoid Meltdown from the Spectre
How to measure impact and track remediation
Jimmy Graham
Director of Product Management
Agenda
What are Meltdown and Spectre?
What are the risks?
What can I do?
Patching caveats
Spectre/Meltdown Dashboard Demo
What are Meltdown and Spectre?
Meltdown (CVE-2017-5754)
Impacts primarily Intel CPUs
Provides access to all physical memory via a user-mode (ring 3) process
Results in privilege escalation
Spectre (CVE-2017-5753, CVE-2017-5715)
Impacts Intel, AMD, and ARM
Abuses branch prediction and speculative execution
Results in leaking secret data from victim processes
Difficult to patch
Is this a big deal?
These vulnerabilities are getting attention for a few reasons:
They are a new style of attack, difficult to fully remediate, and extremely pervasive
This is not the same priority level as EternalBlue / WannaCry — it is lower
Organizations should balance operational risk with security risk
Understanding impact and having a way to measure the mitigation progress is key
What are the risks?
Meltdown
An attacker could access all physical memory, including kernel memory, resulting in privilege escalation
An existing foothold is required for most attacks
This vulnerability can be used in chained attacks
Spectre
The most likely exploit scenario uses JavaScript to escape its sandbox, allowing attackers access to cookies and session keys
An attack exploiting Spectre is very difficult because the attacker must first have detailed knowledge of the victim process
What can I do?
Meltdown
This vulnerability can be almost completely mitigated using KPTI (Kernel Page Table Isolation) via OS patches
Linux, Windows, and macOS patches are available
Spectre
Patches are available via software updates and processor microcode
Intel has released microcode updates
Ensuring all browsers are patched will make it very difficult for an attacker to exploit Spectre
Caveats for current Meltdown patches
KPTI (KAISER) may cause performance issues for certain workloads
Antivirus must be updated on Windows for patches to install
Windows Server mitigations are not enabled until a registry key is manually set
These patches do not completely remediate the vulnerability, but they make it very difficult to exploit
Microsoft has stopped distributing the patches to AMD systems due to stability issues
Caveats for current Spectre patches
Microcode updates are distributed via standard repositories for Linux
Intel may reissue microcode updates for Broadwell and Haswell architectures due to system reboots
Windows users must install an updated BIOS to get the patched microcode (for now?)
Software must be recompiled to utilize the protections in the new microcode
Browser patches remove high-precision timers, but other methods of creating timers are being developed
Recommendations
•  Detect vulnerable assets using Qualys VM scans or Agents
•  Prioritize patching efforts based on asset risk and exposure
•  TEST EVERYTHING
•  Make sure 3rd-party antivirus is up to date
•  Install browser patches for workstation-type devices
•  Patch virtual systems such as Xen, VMware
•  Patch Windows workstations and servers with January patches
•  Enable mitigations on servers after testing server workloads
•  Install microcode packages for Linux / BIOS updates for Windows
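The recommendations above start with detecting vulnerable assets and end with verifying that mitigations are actually enabled. As an added example that is not part of this deck or of Qualys' tooling, the POSIX shell script below reads the per-issue status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities (present in kernel 4.15 and in vendor backports of the fixes) and classifies a host's Meltdown, Spectre v1 and Spectre v2 state. That per-host result is the kind of signal a remediation dashboard aggregates. The function names, the VULN_DIR override, and the sample file contents written to a temporary directory are constructed for this example; on a kernel older than the sysfs interface the files are missing and the script reports the state as unknown rather than assuming it is mitigated.

```shell
#!/bin/sh
# Added example (not from the deck): summarise the Linux kernel's own report of
# Meltdown/Spectre mitigation state so remediation can be tracked per asset.
# Reads /sys/devices/system/cpu/vulnerabilities/{meltdown,spectre_v1,spectre_v2}
# (kernel 4.15+ and backports). Each file holds one line of the form
# "Not affected", "Vulnerable[: detail]" or "Mitigation: <detail>"
# (for example "Mitigation: PTI" once KPTI is active).

# VULN_DIR is an assumed override so the script can be pointed at sample data.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_state STRING -> prints notaffected | mitigated | vulnerable | unknown
classify_state() {
    case "$1" in
        "Not affected"*) echo "notaffected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# report_host DIR -> prints "<issue> <state> <raw kernel text>" per issue and
# returns 0 only when every issue is mitigated or not affected, 1 otherwise.
# A missing file counts as unknown, which is treated as not yet remediated.
report_host() {
    dir="$1"
    rc=0
    for f in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$f" ]; then
            raw=$(cat "$dir/$f")
        else
            raw="unknown (file missing: kernel predates the sysfs interface)"
        fi
        state=$(classify_state "$raw")
        case "$state" in
            vulnerable|unknown) rc=1 ;;
        esac
        printf '%-10s %-12s %s\n' "$f" "$state" "$raw"
    done
    return $rc
}

# make_sample -> creates a constructed sample host in a temp dir and prints its
# path: KPTI is enabled, Spectre v1 is mitigated, but Spectre v2 is still
# unmitigated (e.g. microcode not yet installed). Constructed data, not a scan.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Run with --live to inspect the real host; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    report_host "$VULN_DIR" || echo "status: remediation incomplete"
else
    sample=$(make_sample)
    report_host "$sample" || echo "status: remediation incomplete"
    rm -rf "$sample"
fi
```

The exit status of report_host is what a fleet-wide collector would record: a host that reports "Mitigation:" for all three issues counts as remediated, while "Vulnerable" or a missing file keeps it on the to-do list, which matches the deck's point that mitigations must be verified rather than assumed from patch installation alone.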
How can Qualys help?
•  Continuously updated vulnerability detections
•  Qualys now has over 75 QIDs to determine patch state for Spectre and Meltdown
•  Agentless scanning and Agent-based detections available
•  Pre-built Spectre/Meltdown Dashboard for visibility into remediation progress
Spectre/Meltdown Dashboard Demo
Thank You
qualys.com/trial
jgraham@qualys.com
