A Look at Full Meltdown: A Vulnerability Created by Patching Spectre and Meltdown

The disclosure of the Spectre and Meltdown vulnerabilities prompted patches from big-name vendors such as Intel, AMD and Microsoft. These vulnerabilities allowed memory leakage by exploiting the CPU’s speculative execution. A Swedish security researcher, Ulf Frisk, discovered that the January and February Microsoft security patches mitigated Meltdown but introduced a new threat: the newly coined “Total Meltdown” vulnerability allows nefarious actors to read memory at speeds of up to 1 gigabyte and to write to arbitrary memory.

This vulnerability allows any user to access parts of memory that were previously restricted to users or services running as ‘System’. This means that if someone with malicious intent gains access to your laptop, they will be able to dump your passwords, personal information, and any other data held in memory in the once-restricted regions.

The flaw lies in the PML4 page table, the top-level structure that maps the virtual addresses of running processes to physical memory. The patches set its permission bit to User instead of Supervisor, revealing the page-table addresses for every process and providing code execution in User mode. In Windows 7 and Windows Server 2008 R2, the PML4 appears to live at a static address in a region of memory that was previously available only to the kernel. Because the Windows patches flipped the permission bit, that region is now accessible to users, and from it access to all of physical memory is possible.
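To make the permission-bit point concrete, the following added example (not code from the original post or from Frisk's tooling) decodes the flag bits of an x86-64 page-table entry and flags the condition the post describes: a present PML4 entry that maps the paging structures with its User/Supervisor bit set to User. The bit positions are the architectural ones (Present = bit 0, R/W = bit 1, U/S = bit 2, XD = bit 63, physical frame in bits 12 to 51); the two sample entries and the frame address 0x1ad000 are constructed placeholders, not values observed on a real system.

```python
# Decode x86-64 paging-structure entries (PML4E, PDPTE, PDE and PTE share the
# same low-bit layout) and flag an entry that maps paging structures as
# user-accessible, the misconfiguration behind Total Meltdown (CVE-2018-1038).
# Added example; the sample entries below are constructed, not read from a
# live machine.

from dataclasses import dataclass

PRESENT  = 1 << 0    # P:   entry is valid
WRITABLE = 1 << 1    # R/W: 1 = writable
USER     = 1 << 2    # U/S: 1 = accessible from user mode (CPL 3), 0 = supervisor only
NX       = 1 << 63   # XD:  instruction fetch from this mapping is disallowed
PFN_MASK = ((1 << 52) - 1) & ~0xFFF   # bits 12..51 hold the physical frame address


@dataclass(frozen=True)
class PageTableEntry:
    raw: int

    @property
    def present(self) -> bool:
        return bool(self.raw & PRESENT)

    @property
    def writable(self) -> bool:
        return bool(self.raw & WRITABLE)

    @property
    def user(self) -> bool:
        return bool(self.raw & USER)

    @property
    def nx(self) -> bool:
        return bool(self.raw & NX)

    @property
    def physical_address(self) -> int:
        return self.raw & PFN_MASK


def describe(entry: PageTableEntry) -> str:
    """Summarize an entry the way a kernel debugger prints it: frame plus U/S, R/W, X flags."""
    if not entry.present:
        return "not present"
    flags = [
        "U" if entry.user else "S",
        "W" if entry.writable else "R",
        "NX" if entry.nx else "X",
    ]
    return f"pfn={entry.physical_address:#x} {'/'.join(flags)}"


def total_meltdown_condition(pml4_self_entry: PageTableEntry) -> bool:
    """True when the PML4 entry that maps the paging structures themselves is
    both present and marked User. User-mode code can then read every
    process's page tables (and rewrite them if the entry is also writable),
    which is the permission flip the post describes for the faulty patches."""
    return pml4_self_entry.present and pml4_self_entry.user


# Constructed samples; 0x1AD000 is a placeholder frame address.
KERNEL_ONLY = PageTableEntry(0x1AD000 | PRESENT | WRITABLE)          # U/S = Supervisor (expected)
USER_MAPPED = PageTableEntry(0x1AD000 | PRESENT | WRITABLE | USER)   # U/S = User (misconfigured)

if __name__ == "__main__":
    for name, entry in (("expected", KERNEL_ONLY), ("misconfigured", USER_MAPPED)):
        print(f"{name:14s} {describe(entry):24s} vulnerable={total_meltdown_condition(entry)}")
```

The check is deliberately narrow: it only reasons about the bits of an entry you already hold, so it is useful for reading a debugger dump or teaching the U/S semantics, not for probing a live system. On an affected Windows host the practical verification remains confirming that the KB4100480 update named later in the post is installed.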

Frisk has developed ‘PCILeech’, a tool for reading and writing memory that can be used on non-virtualized Windows and Linux systems. PCILeech contains the exploit for the PML4 page-table permission flaw that makes ‘Total Meltdown’ possible.

Protiviti tested the exploit using PCILeech against a native Windows Server 2008 R2 x64 machine with a total of 4 GB of memory. The PML4 table’s memory location was identified for reference:

The Total Meltdown exploit produced a full memory dump written to a file:

Access to specific memory addresses was achievable:

As a result, if the vulnerability has not already been patched throughout the environment, we encourage swift remediation by applying the KB4100480 Microsoft security update, which prevents this level of access.

More Information:

CVE-2018-1038

Affected Systems:

  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Affected Patches:

  • 2018-01 KB4056897 (Security-only update)
  • 2018-01 KB4056894 (Monthly Rollup)
  • 2018-01 KB4057400 (Preview of Monthly Rollup)
  • 2018-02 KB4074598 (Monthly Rollup)
  • 2018-02 KB4074587 (Security-only update)
  • 2018-02 KB4075211 (Preview of Monthly Rollup)
  • Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1

Patch Fix:

  • KB4100480

Want to learn more about Meltdown and Spectre? Check out this blog post and this one.

Tom Stewart

Senior Director
Security and Privacy

Jeff Bell

Senior Consultant
Technology Consulting – Security and Privacy
