Cybersecurity

A Look at Full Meltdown: A Vulnerability Created by Patching Spectre and Meltdown

Tom StewartJeff Bell
July 19, 2018
3 min read

The introduction of the Spectre and Meltdown vulnerabilities produced patches from big-name vendors such as Intel, AMD and Microsoft. These vulnerabilities allowed memory leakage due to the exploitation of the CPU’s speculative execution. A Swedish security researcher, Ulf Frisk, discovered that the January and February Microsoft Security patches mitigated Meltdown but produced a new threat: The newly coined “Total Meltdown” vulnerability allows nefarious actors to read at increased speeds of up to 1 gigabyte and to write to arbitrary memory.

This vulnerability allows any user to access parts of memory that were once restricted to those users or services running as ‘System’. This means that if someone with malicious intent gets access to your laptop, they will be able to dump your passwords, personal information, and any other type of data being held in memory in the once-restricted regions.

The flaw is found in the PML4 memory table, which is responsible for mapping virtual addresses of running processes to physical memory. The permission bit is set to User instead of Supervisor, revealing the page-table addresses for every process and providing code execution in User mode. In Windows 7 and Windows 2008, it appears that the PML4 has static addressing in an area of memory that used to be available only to the kernel. Since the Windows patches flipped the permission bit, this area of memory is available to users, and access to complete physical memory is possible.

Frisk has developed ‘PCILeech’, a tool used to read and write to memory that can be used on nonvirtual Windows and Linux systems. PCILeech contains the exploit used to conduct the PML4 page-table permission vulnerability that allows one to carry out ‘Total Meltdown’.

Protiviti has conducted testing using PCILeech to confirm the exploit of a native Windows Server 2008 R2 x64 machine with a total of 4GB of memory. The PML4 table memory location was found for reference:

The Total Meltdown exploit resulted in a full memory dump outputted to file:

Access to specific memory addresses is achievable:

As a result, if the vulnerability is not already patched throughout the environment, we encourage swift remediation by applying the KB4100480 Microsoft security update, which prevents this level of access.

More Information:

CVE-2018-1038

Affected Systems:

  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Affected Patches:

  • 2018-01 KB4056897 (Security-only update)
  • 2018-01 KB4056894 (Monthly Rollup)
  • 2018-01 KB4057400 (Preview of Monthly Rollup)
  • 2018-02 KB4074598 (Monthly Rollup)
  • 2018-02 KB4074587 (Security-only update)
  • 2018-02 KB4075211 (Preview of Monthly Rollup)
  • Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1

Patch Fix:

Want to learn more about Meltdown and Spectre? Check out this blog post and this one.

Tom Stewart

Senior Director
Security and Privacy

View all posts

Jeff Bell

Senior Consultant
Technology Consulting – Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
24 Mar

Protiviti’s Sharon Stufflebeme and Ramesh Gupta share advice in @InformationWeek with organizations looking to update #LegacySystems and adopt the right amount of #EmergingTechnology to balance business needs. http://ow.ly/Jcpv50Nqlp0 #ProtivitiTech

Reply on Twitter 1639341610453565440 Retweet on Twitter 1639341610453565440 Like on Twitter 1639341610453565440 Twitter 1639341610453565440
protivititech Protiviti Technology @protivititech ·
24 Mar

We understand the challenges organizations face regarding #DataManagement and security. A structured data protection approach centered around people, processes and technology can help you tackle those challenges. Learn more: http://ow.ly/S93G50NqpNv #ProtivitiTech #Data

Reply on Twitter 1639250993409048576 Retweet on Twitter 1639250993409048576 Like on Twitter 1639250993409048576 Twitter 1639250993409048576
protivititech Protiviti Technology @protivititech ·
23 Mar

What is the #Metaverse? What does it mean for business? And how should companies prepare? @Protiviti’s Kim Bozzella tells @Forbes why now is the right time for businesses to leverage this immersive technology. http://ow.ly/ng6950NoAIS #ProtivitiTech

Reply on Twitter 1638888623071436804 Retweet on Twitter 1638888623071436804 Like on Twitter 1638888623071436804 Twitter 1638888623071436804
protivititech Protiviti Technology @protivititech ·
23 Mar

Is your organization post-quantum ready? Join Host @KonstantHacker for a chat with Skip Norton of @QuintessenceLab about real products available today that will be ready for post-quantum #encryption by 2024. http://ow.ly/GUvS50NpzX9 #QuantumComputing #ProtivitiTech

Reply on Twitter 1638888521820942338 Retweet on Twitter 1638888521820942338 1 Like on Twitter 1638888521820942338 1 Twitter 1638888521820942338
protivititech Protiviti Technology @protivititech ·
22 Mar

Maximize the value of your organization's #Data by building a modern enterprise #DataArchitecture. Find out how to get started with Protiviti's latest whitepaper: http://ow.ly/aQsZ50NpyBN #ProtivitiTech

Reply on Twitter 1638639692592877568 Retweet on Twitter 1638639692592877568 Like on Twitter 1638639692592877568 Twitter 1638639692592877568
Load More