Security Alert
Jonathan Crowe
Apr 2018

Alert: Working Exploit Released for "Total Meltdown" Bug Introduced by Microsoft


Microsoft's fix for Meltdown inadvertently created an even bigger security hole. Now a working exploit is available on GitHub. Find out if you're vulnerable and what to do next.

Key Details

  • What's happening: When Microsoft released patches to address Meltdown in January, it inadvertently created a bigger problem — a vulnerability researchers called "Total Meltdown." Now, working proof-of-concept code for exploiting Total Meltdown has been posted to GitHub, available to one and all.  
  • Why is this bad? Whereas Meltdown theoretically allowed unprivileged applications to gain read access to kernel memory, Total Meltdown allows any process to read and write any memory in the system (e.g. kernel and/or other applications). It essentially gives attackers complete access and control over a compromised system.
  • Who is affected? Total Meltdown only affects Windows 7 or Server 2008 R2 64-bit systems that have applied Windows patches released in January, February, and March but that have not applied April updates (for more details, see the chart included later in this post).
  • What to do: If you've determined you have vulnerable systems, it's important to apply the latest April patches (KB4093118 or KB4088881). Alternatively, you can also consider rolling back the January, February, and March updates, though that will leave systems vulnerable to the other flaws those updates addressed. 
  • The clock is ticking: No attacks have been spotted yet, but with PoC code available it's only a matter of time before Total Meltdown is exploited in the wild.
  • Barkly customers: You are protected. Barkly blocks this specific proof-of-concept exploit by preventing token stealing. Other working exploits that use different techniques are sure to follow, but in the meantime, we can confirm Barkly customers are protected (and therefore have more time to patch properly).


Remember the simpler days? Before Meltdown and Spectre turned patching Windows systems into a complete mess? 

This week the saga took yet another turn when researcher XPN shared working proof-of-concept code that successfully exploits Total Meltdown (CVE-2018-1038) by posting it on GitHub.

For those of you keeping score at home, Total Meltdown isn't the original Meltdown vulnerability (CVE-2017-5754); it's the vulnerability Microsoft inadvertently created while trying to fix the original Meltdown bug. Because, yes, that unfortunately really is a thing that happened.

You can find details on the new proof-of-concept exploit and whether or not you may be vulnerable to it or future Total Meltdown exploit attempts below, but first, a little background for those who need it. 

What is Total Meltdown?

Total Meltdown (CVE-2018-1038) is a vulnerability discovered by researcher Ulf Frisk in March. It was introduced in Windows 7 and Windows Server 2008 R2 during Microsoft's attempts to mitigate the well-publicized Meltdown bug.

Essentially what happened is Microsoft made a mistake that suddenly gave user-level processes access to memory that was previously only accessible to the kernel. For more technical details you can read Frisk's Total Meltdown write-up, but as he puts it, once that read/write access is established it's "trivially easy to gain access to the complete physical memory."

That's bad. Incredibly bad. In fact, it's way worse than what Meltdown theoretically allowed for. You know, the problem Microsoft was originally trying to address. Why? Whereas Meltdown allowed unprivileged applications to gain read access to kernel memory, Total Meltdown allows any process to read and write any memory in the system (e.g. kernel and/or other applications). It essentially gives attackers complete access and control over a compromised system.

Oops.  

Once Total Meltdown came to light, other researchers didn't hesitate to point out the differences between the two flaws, specifically in regard to severity and practical risk of exploitation.

As a tweet by @VessOnSecurity points out, if there's any silver lining it's that Total Meltdown does not provide remote code execution. It comes into play during post-exploitation, so an attacker still has to gain initial compromise first.

How to tell if you're vulnerable

As Frisk notes, only Windows 7 and Windows Server 2008 R2 64-bit systems are vulnerable to Total Meltdown. More specifically, only those systems that have received the following Windows updates released during January, February, and March:

  • January Monthly Rollup (KB4056894)
  • January Security-Only Update (KB4056897)
  • Hotfix for unbootable state for AMD devices introduced by January updates above (KB4073578)
  • Preview of February Monthly Rollup (KB4057400)
  • February Monthly Rollup (KB4074598)
  • February Security-Only Update (KB4074587)
  • Preview of March Monthly Rollup (KB4075211)
  • Hotfix for “smart card based operations fail with error with SCARD_E_NO_SERVICE issue” (KB4091290)
  • March Monthly Rollup (KB4088875)
  • March Security-Only Update (KB4088878)
  • Preview of April Monthly Rollup (KB4088881)

If a machine has received either of the following April updates, however, it is secure:

Here's a chart to make things even more clear:

As noted in the chart, Microsoft did release an out-of-band emergency update designed to mitigate Total Meltdown (KB4100480), but after reports of numerous problems, it has been officially superseded by the two April updates.
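To turn the update list above into a check you can run on a host, here is an added PowerShell example (not from the Barkly post or from Frisk's write-up) that reads the installed hotfixes with Get-HotFix and classifies the machine using only the KB numbers named in this post. Assumptions: KB4093118 and the superseded out-of-band KB4100480 are treated as fixes; KB4088881, which the post lists both among the vulnerable updates and among the April fixes, is treated conservatively as vulnerable; the OS lookup uses Get-WmiObject so the script also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: classify a host's exposure to Total Meltdown (CVE-2018-1038)
# from its installed KBs. Run from an elevated prompt on the machine being checked.

# Updates the post lists as introducing the bug (Jan-Mar 2018, Win7 / 2008 R2 x64).
$VulnerableKBs = @(
    'KB4056894', 'KB4056897', 'KB4073578',   # January rollup, security-only, AMD boot hotfix
    'KB4057400', 'KB4074598', 'KB4074587',   # February preview, rollup, security-only
    'KB4075211', 'KB4091290',                # March preview, smart card hotfix
    'KB4088875', 'KB4088878',                # March rollup, security-only
    'KB4088881'                              # April preview; assumption: treated as vulnerable
)
# Updates the post describes as closing the hole. KB4100480 is the out-of-band fix,
# since superseded by the April rollup KB4093118.
$FixedKBs = @('KB4093118', 'KB4100480')

function Get-TotalMeltdownStatus {
    # Parameters default to the local machine; pass values explicitly to evaluate
    # an inventory export offline (e.g. -InstalledKBs 'KB4088875').
    param(
        [string]   $Caption      = (Get-WmiObject Win32_OperatingSystem).Caption,
        [string]   $Arch         = (Get-WmiObject Win32_OperatingSystem).OSArchitecture,
        [string[]] $InstalledKBs = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )

    # Only 64-bit Windows 7 and Windows Server 2008 R2 carry the bug.
    $inScope = ($Caption -match 'Windows 7|Server 2008 R2') -and ($Arch -match '64')
    if (-not $inScope) { return 'NotAffected (OS not in scope)' }

    # Any fixing update present means the hole is closed, whatever else is installed.
    $fixes = @($InstalledKBs | Where-Object { $FixedKBs -contains $_ })
    if ($fixes.Count -gt 0) { return "Patched ($($fixes -join ', '))" }

    # Otherwise any of the Jan-Mar updates leaves the system exposed.
    $bad = @($InstalledKBs | Where-Object { $VulnerableKBs -contains $_ })
    if ($bad.Count -gt 0) { return "VULNERABLE ($($bad -join ', ')) - install KB4093118" }

    # No Jan-Mar update at all: not exposed to Total Meltdown, but still unpatched for Meltdown.
    return 'NotVulnerable (no Jan-Mar 2018 update installed; original Meltdown fixes missing)'
}

Get-TotalMeltdownStatus
```

For fleet-wide triage, feed each host's Caption, OSArchitecture and hotfix list from your inventory tool into the three parameters instead of querying live.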

Total Meltdown exploit code available on Github — attacks in the wild to come 

Total Meltdown shifted from being a serious but theoretical risk to being a real and active threat with the release of a proof-of-concept exploit on Monday. Security researcher XPN posted the exploit code on GitHub and describes its creation in a blog post.  

In the video below, XPN demonstrates how the exploit successfully elevates privileges to SYSTEM:


Experts agree that with this code as a starting point, it's now only a matter of time before attackers begin creating their own variations and using them in the wild. 

How Barkly can help

This specific exploit utilizes token stealing, a popular tactic attackers use to gain privilege escalation. Barkly blocks token stealing, and is uniquely designed to prevent a wide variety of other illegitimate attempts to elevate privileges and bypass barriers between kernel and user space, as well.

Watch what happens when the exploit attempts to launch on a computer with Barkly installed: 



Barkly prevents this exploit from elevating privileges. 

Future Total Meltdown exploits may utilize different techniques, and ultimately, patching is the most effective long-term solution. But rather than racing to apply potentially buggy Windows patches (and there have been many this year) at all costs, Barkly customers can approach situations like this more carefully, taking the time to test and deploy updates in stages knowing they're protected from this exploit and from entire categories of other exploit techniques like it.

See what other threats Barkly can protect you from and find out how it can make managing endpoint security a whole lot easier. Learn more.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
