https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
A fundamental design flaw in Intel’s processor chips related to virtual memory system (Intel x86-64 hardware) allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.
It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause 5 to 30 per cent slow down of your computer on next update!
Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS, will also need to be updated.
This is bad news for Intel. Last year they had AMT vulnerability remote exploit and now this new blow in Intel security. I don’t think that computer buyers like that their computers become slower!
Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.
565 Comments
Tomi Engdahl says:
Spectre fixes slow down Linux a little
Greg Kroah-Hartman, one of the key administrators in the Linux kernel, reports that a single report compares Linux kernels 4.11 and latest version 4.15. Without KPI (Kernel Page Table Isolation) 4.15, it is about 7-9 percent faster than the 4.11 release in April.
This situation changes when KPTI correction is enabled on the kernel. After that, 4.15 is 1-2 percent slower than the 4.11 version. Kroah-Hartman considers this result to be quite good.
Source: http://etn.fi/index.php?option=com_content&view=article&id=7502&via=n&datum=2018-02-05_15:18:57&mottagare=31202
Tomi Engdahl says:
One backdoor vulnerability in CPUs is predictive execution, where some outcome is predicted and execution proceeds along the predicted path until the actual result is known.
“If everything is encrypted by the chip, even with predictive execution, the stored data is encrypted and more difficult to hack,” Hsu says.
Source: https://www.eetimes.com/document.asp?doc_id=1332931
Tomi Engdahl says:
Meltdown/Spectre Status for Red Hat and Oracle
http://www.linuxjournal.com/content/meltdownspectre-status-red-hat-and-oracle?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
The Red Hat family of operating systems addressed Meltdown and Spectre in its v3.10 kernel quickly, but relied too much upon Intel’s flawed microcode and was forced to revert from a complete solution. Oracle implemented alternate approaches more suited to its v4.1 UEK, but both kernels continue to lack full Spectre coverage while they wait for Intel. Conspicuously absent from either Linux branch is Google’s retpoline, which offers far greater and more efficient coverage for all CPUs. Auditing this status is a challenge. This article presents the latest tools for vulnerability assessments.
Red Hat was one of the first Linux distributions to publish guidance on Meltdown and Spectre. It established three files as “kernel tunables” in the /sys/kernel/debug/x86 directory to monitor and control these patches: pti_enabled for Meltdown, ibpb_enabled for Spectre v1 and ibrs_enabled for Spectre v2. Only the root user can access these files.
It is not generally understood that, although the BIOS is responsible for providing a base microcode image, the Linux kernel is able to update some CPUs at boot with a volatile, runtime upgrade for Intel microcode. The update must come from the CPU vendor, carrying its digital signature; it cannot be produced independently by the OS maintainers. This is accomplished on Intel CPUs with the help of the following RPM
Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables
https://access.redhat.com/articles/3311301
Tomi Engdahl says:
Spectre & Meltdown Checker
https://github.com/speed47/spectre-meltdown-checker
A simple shell script to tell if your Linux installation is vulnerable against the 3 “speculative execution” CVEs that were made public early 2018.
Without options, it’ll inspect your currently running kernel. You can also specify a kernel image on the command line, if you’d like to inspect a kernel you’re not running.
The script will do its best to detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number.
Tomi Engdahl says:
Intel Releases New Spectre Patches for Skylake CPUs
http://www.securityweek.com/intel-releases-new-spectre-patches-skylake-cpus
Intel has started releasing new microcode updates that should address one of the Spectre vulnerabilities after the first round of patches caused significant problems for many users.
The company has so far released new firmware updates only for its Skylake processors, but expects updates to become available for other platforms as well in the coming days. Customers and partners have been provided beta updates to ensure that they can be extensively tested before being moved into production.
The chipmaker started releasing microcode patches for the Spectre and Meltdown vulnerabilities shortly after the attack methods were disclosed by researchers. However, the company was forced to suspend updates due to frequent reboots and other unpredictable system behavior. Microsoft and other vendors also disabled mitigations or stopped providing firmware updates due to Intel’s buggy patches.Intel provides new microcode updates for Skylake CPUs
Intel claims to have identified the root of an issue that caused systems to reboot more frequently after the patches were installed.
The company initially said only systems running Broadwell and Haswell CPUs experienced more frequent reboots, but similar behavior was later observed on Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms as well.
The problem appears to be related to the fix for CVE-2017-5715, one of the flaws that allows Spectre attacks, specifically Spectre Variant 2. Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.
Tomi Engdahl says:
Both Intel and AMD announced recently that they are working on processors that will have built-in protections against exploits such as Spectre and Meltdown.
New AMD Processors to Include Protections for Spectre-like Exploits
http://www.securityweek.com/new-amd-processors-include-protections-spectre-exploits
AMD’s new Zen 2 and future processors will include protections against Spectre and other similar exploits
AMD CEO Lisa Su reiterated that the company’s CPUs are not vulnerable to Meltdown attacks and one variant of the Spectre attack is difficult to carry out against its products.
“For Spectre Variant 1, we continue actively working with our ecosystem partners on mitigations, including operating system patches that have begun to roll out. We continue to believe that Variant 2 of Spectre is difficult to exploit on AMD processors, however we are deploying CPU microcode patches – in combination with OS updates – to provide additional mitigation steps,” Su explained.
Intel Working on CPUs With Meltdown, Spectre Protections
http://www.securityweek.com/intel-working-cpus-meltdown-spectre-protections
Intel is working on CPUs that will include built-in protections against the notorious Meltdown and Spectre attacks,
Intel has released some microcode updates to address the vulnerabilities, but the patches have caused serious problems for many users, which has led to Intel and other vendors halting updates.
“Our near term focus is on delivering high quality mitigations to protect our customers’ infrastructure from these exploits. We’re working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year,” Krzanich said.
Several class action lawsuits have already been filed against Intel, accusing the company of violating state consumer laws by misleading customers about its product and breaching warranties.
Tomi Engdahl says:
An Update on Spectre and Meltdown
https://www.securerf.com/update-spectre-meltdown/?utm_campaign=Email%20Newsletter&utm_source=hs_email&utm_medium=email&utm_content=60630234&_hsenc=p2ANqtz-_ZoLw-dUmyTFSqwBw_7IfsbowW5acHhz5zbxqkfx3fO83GsP5vmTdxfwpkJLy32i_UBfj1_wIyly9lgXq7C0ZJj00SEbStgXfTILlyyyEnxtuTlgA&_hsmi=60630234
Be Careful
We have heard about tools available for download that purportedly detect whether your devices have been infected by Spectre and Meltdown. Be careful about what you install. It could be malware. We have also read about fake patches.
Looking Ahead
Some semiconductor industry leaders are predicting that we are likely to see similar threats in the future. Simon Seggars, CEO of ARM, said at CES: “The reality is there are probably other things out there like it that have been deemed safe for years.”
Tomi Engdahl says:
Windows Analytics Helps Assess Risk of Meltdown, Spectre Attacks
https://www.securityweek.com/windows-analytics-helps-assess-risk-meltdown-spectre-attacks
Microsoft is stepping up its efforts to help IT professionals better assess whether their Windows devices are protected against the industry-wide Meltdown and Spectre attack techniques.
Publicly detailed in the beginning of this year, the two attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data. Residing in the processors themselves, the bugs affect billions of devices.
Tech companies were informed on the bugs last year and worked hard on releasing both software and firmware mitigations, but some of the patches added instability and their delivery was stopped. Microsoft too decided to disable mitigations for one Spectre attack variation as systems became unstable.
After halting the initial patches several weeks ago, Intel recently rolled out new microcode updates to address one of the Spectre vulnerabilities in its Skylake processors. IBM, Oracle, and many other vendors rushed to push out patches for the bugs as well, and malware that abuses the vulnerabilities emerged as well.
Being hardware-based security vulnerabilities, Meltdown and Spectre represent a challenge for the entire industry, Microsoft says. Not only are updates required for both CPU microcode (firmware) and the operating system, but the anti-virus has to be compatible with the patches as well, at least on Windows.
To help IT professionals assess whether the Windows devices in their networks are protected against Spectre and Meltdown, Microsoft has added new capabilities to its free Windows Analytics service.
With the help of these new features, admins can access reports on the status of all Windows devices they manage, Terry Myerson, Executive Vice President, Windows and Devices Group, explains.
Tomi Engdahl says:
Intel Offers $250,000 for Side-Channel Exploits
https://www.securityweek.com/intel-offers-250000-side-channel-exploits
Intel Opens Bug Bounty Program to All Researchers, Offers up to $250,000 for Flaws Similar to Meltdown and Spectre
Intel on Wednesday announced major changes to its bug bounty program, including that it’s now open to all researchers, and significant rewards for exploits similar to Meltdown and Spectre.
Researchers who find critical hardware vulnerabilities that allow software-based side-channel attacks – just like Meltdown and Spectre – can earn up to $250,000. Flaws classified as high severity are worth up to $100,000, while medium- and low-risk issues are worth up to $20,000 and $5,000, respectively. The severity of a flaw is determined based on its CVSS base score, adjusted depending on the security objectives and threat model of the targeted product.
The part of Intel’s bug bounty program covering side-channel exploits will run until December 31, 2018.
https://hackerone.com/intel
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/7502-spectre-korjaus-hidastaa-linuxia-vain-vahan
Tomi Engdahl says:
Meltdown/Spectre Status for Red Hat and Oracle
http://www.linuxjournal.com/content/meltdownspectre-status-red-hat-and-oracle?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
Tomi Engdahl says:
Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables
https://access.redhat.com/articles/3311301
Tomi Engdahl says:
Tom Warren / The Verge:
SEC filing: Intel facing 32 class action lawsuits over Meltdown and Spectre CPU flaws and three shareholder derivative actions over alleged insider trading
Intel facing 32 lawsuits over Meltdown and Spectre CPU security flaws
Shareholders also allege insider trading
https://www.theverge.com/2018/2/16/17020048/intel-spectre-meltdown-class-action-lawsuits
Intel has revealed today that the company is facing at least 32 lawsuits over the Meltdown and Spectre CPU flaws. “As of February 15, 2018, 30 customer class action lawsuits and two securities class action lawsuits have been filed,” says Intel in an SEC filing today. The customer class action lawsuits are “seeking monetary damages and equitable relief,” while the securities lawsuits “allege that Intel and certain officers violated securities laws by making statements about Intel’s products and internal controls that were revealed to be false or misleading by the disclosure of the security vulnerabilities.”
It’s no surprise to see Intel facing multiple lawsuits, and the company warns it could face many more in the future. The Meltdown and Spectre security flaws have helped reveal fundamental issues with processor designs over the past 20 years, and the software updates to protect PCs have had noticeable performance impacts. Intel’s response to the security flaws lacked transparency at first, and it was left largely to Microsoft to reveal the true extent of the performance issues.
Intel has struggled to patch its processors for the Spectre flaw, as its initial updates caused reboots on some machines. Microsoft was also forced to issue an emergency Windows update to disable Intel’s buggy Spectre fixes.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/7604-intel-yrittaa-taas-korjata-mikrokoodiaan
Tomi Engdahl says:
Intel ships update for newest Spectre-affected chips
https://techcrunch.com/2018/02/21/intel-ships-update-for-newest-spectre-affected-chips/?utm_source=tcfbpage&sr_share=facebook
Intel has announced that the fix is out for its latest chips affected by Spectre, the memory-leakage flaw affecting practically all computing hardware. The patch is for the Skylake generation (late 2015) and newer, though most users will still have to wait for the code to be implemented by whoever manufactured their computer (specifically, their motherboard).
The various problems presented in January by security researchers have to be addressed by a mix of fixes at the application, OS, kernel and microarchitecture level. This patch is the latter, and it replaces an earlier one that was found to be unstable.
Tomi Engdahl says:
Stephen Nellis / Reuters:
Letters from Intel, Alphabet, and Apple to Congress say Intel didn’t disclose Spectre and Meltdown flaws to US cyber security officials before news leaked — (Reuters) – Intel Corp did not inform U.S. cyber security officials of the so-called Meltdown and Spectre chip security flaws until …
Intel did not tell U.S. cyber officials about chip flaws until made public
https://www.reuters.com/article/us-cyber-intel/intel-did-not-tell-u-s-cyber-officials-about-chip-flaws-until-made-public-idUSKCN1G62PS
Intel Corp did not inform U.S. cyber security officials of the so-called Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet Inc notified the chipmaker of the problems
Current and former U.S. government officials have raised concerns that the government was not informed of the flaws before they became public because the flaws potentially held national security implications.
Tomi Engdahl says:
Intel hit with 32 lawsuits over security flaws
February 16, 2018
https://www.reuters.com/article/us-cyber-intel-lawsuit/intel-hit-with-32-lawsuits-over-security-flaws-idUSKCN1G01KX
Intel Corp said on Friday shareholders and customers had filed 32 class action lawsuits against the company in connection with recently-disclosed security flaws in its microchips.
Most of the lawsuits – 30 – are customer class action cases that claim that users were harmed by Intel’s “actions and/or omissions” related to the flaws
Tomi Engdahl says:
Gartner Provides Seven Steps Security Leaders Can Take to Deal With Spectre and Meltdown
https://www.gartner.com/newsroom/id/3857763
“Spectre” and “Meltdown” are the code names given to different strains of a new class of attacks that target an underlying exploitable design implementation inside the majority of computer chips manufactured over the last 20 years.
Security researchers revealed three major variants of attacks in January 2018. The first two are referred to as Spectre, the third as Meltdown, and all three variants involve speculative execution of code to read what should have been protected memory and the use of subsequent side-channel-based attacks to infer the memory contents.
Gartner has identified seven steps security leaders can take to mitigate risk:
1. Modern operating systems (OSs) and hypervisors depend on structured, layered permission models to deliver security isolation and separation. Because this exploitable design implementation is in hardware — below the OS and the hypervisor — all software layers above are affected and vulnerable. However, memory can only be read, but not altered. Exploitation of the flaw requires untrusted code to be introduced and executed on the target system, which should be extremely difficult on a well-managed server or appliance such as a network or storage appliance.
2. Nearly every modern IT system will be affected to some extent. Not since Y2K has a vulnerability affected so many systems — desktops, mobile devices, servers, virtual machines, network and storage appliances, operation technology and the Internet of Things devices — required a deliberate, phased plan of action for remediation efforts. The starting point for security leaders must be an inventory of affected systems. In some cases, the risk-appropriate decision will be not to patch. However, in all cases, the roadmap for security leaders will be the inventory. For each system, a detailed database or spreadsheet is needed to track the device or workload, the version of its microprocessor, firmware version and OS.
3. The vulnerabilities are not directly remotely exploitable. A successful attack requires the attacker to execute code on the system. As such, application control and whitelisting on all systems greatly reduce the risk of unknown code execution. However, shared infrastructure as a service (IaaS) infrastructure is particularly vulnerable until the cloud providers update their underlying firmware and hypervisor layer (which the leading providers have done). Strong separation of duties (SOD) and privileged account management (PAM) reduce the risk of the introduction of untrusted code.
4. When devising a remediation strategy, Gartner recommends breaking the strategy into prioritized phases, because the risk, performance implications and potential hardware upgrades required will vary greatly among use cases. Start with systems that represent the most risk — desktops, virtual desktop infrastructure (VDI), smartphones and externally facing servers.
5. Information security leaders need to be prepared for scenarios in which the appropriate decision is not to patch. In some cases, this will be due to lack of patches on older systems. In other cases, the impact on performance is not offset by the reduction in risk, so patches will not be applied.
6. For systems that are not patched or only partially patched, multiple mitigating controls can reduce risk. The single most important issue to address is restricting the ability to place unknown or untrusted code onto the device. By reducing this, risks are significantly lowered, because attacks require local code execution.
7. Spectre and Meltdown represent an entirely new class of vulnerabilities, and this is just the beginning. The underlying exploitable implementation will remain for years to come.
Tomi Engdahl says:
Intel did not tell U.S. cyber officials about chip flaws until made public
https://www.reuters.com/article/us-cyber-intel/intel-did-not-tell-u-s-cyber-officials-about-chip-flaws-until-made-public-idUSKCN1G62PS
(Reuters) – Intel Corp did not inform U.S. cyber security officials of the so-called Meltdown and Spectre chip security flaws until they leaked to the public, six months after Alphabet Inc notified the chipmaker of the problem
Tomi Engdahl says:
Intel Releases Spectre Patches for Broadwell, Haswell CPUs
https://www.securityweek.com/intel-releases-spectre-patches-broadwell-haswell-cpus
Intel has released new firmware updates for its Broadwell and Haswell processors to address the Spectre vulnerability.
After the first round of Spectre patches released by the company caused more frequent reboots and other instability problems, Intel started working on new microcode updates.
The company first released new firmware updates for its Skylake processors, and last week it announced the availability of patches for several other CPUs, including Kaby Lake and Coffee Lake.
This week, the company updated the list of available firmware patches to state that the fixes for Haswell and Broadwell processors are also ready for use in production environments.
As of February 28, patches that can be deployed in production environments are available for the following products: Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broadwell (except Server EX), Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Haswell (except Server EX), Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.
Beta patches have been provided to OEMs for validation for Gladden, some Ivy Bridge, Sandy Bridge, and Skylake Xeon E3 processors. The microcode updates for Broadwell and Haswell Server EX processors, specifically the Xeon E7v4 and E7v3 product families, are also in beta phase.
Tomi Engdahl says:
Siemens Releases BIOS Updates to Patch Intel Chip Flaws
https://www.securityweek.com/siemens-releases-bios-updates-patch-intel-chip-flaws
Siemens has released BIOS updates for several of its industrial devices to patch vulnerabilities discovered recently in Intel chips, including Meltdown, Spectre and flaws affecting the company’s Management Engine technology.
Following the disclosure of the Meltdown and Spectre attack methods, industrial control systems (ICS) manufacturers immediately started analyzing the impact of the flaws on their products. Advisories have been published by companies such as Siemens, Rockwell Automation, Schneider Electric, ABB, and Pepperl+Fuchs.
Siemens has determined that the security holes expose many of its product lines to attacks, including RUGGEDCOM, SIMATIC, SIMOTION, SINEMA, and SINUMERIK.
Tomi Engdahl says:
News Releases
Microsemi Announces its Entire Product Portfolio is Unaffected by Spectre and Meltdown Vulnerabilities
https://investor.microsemi.com/2018-01-16-Microsemi-Announces-its-Entire-Product-Portfolio-is-Unaffected-by-Spectre-and-Meltdown-Vulnerabilities
ALISO VIEJO, Calif., Jan. 16, 2018 /PRNewswire/ — Microsemi Corporation (Nasdaq: MSCC), a leading provider of semiconductor solutions differentiated by power, security, reliability and performance, today announced its products, including its field programmable gate arrays (FPGAs), are not affected by the recently identified security flaws associated with the use of x86 and ARM® and a number of other processors. The announcement comes as security researchers recently revealed major computer chip vulnerabilities, called Spectre and Meltdown, in chips—affecting billions of devices globally.
“As a leader in security, we strive to ensure our products are immune to both existing and potential new threats or vulnerabilities,” said Jim Aralis, chief technology officer and vice president of advanced development at Microsemi. “As soon as news broke about Meltdown and Spectre, Microsemi immediately assessed its existing products with thorough analysis of the architecture and intellectual property (IP) blocks with its internal security experts. The assessment clearly concluded that none of the processor cores embedded with the associated use models in Microsemi products are impacted by these weaknesses.”
Not only are Microsemi’s FPGAs not affected by Spectre or Meltdown, the company’s devices also offer multiple security layers for maximum protection. In addition to its SmartFusion™ and SmartFusion2 FPGAs, and communications and storage products—which do not have either security flaw—the company’s soft RISC-V core and its RISC-V IP provider are also unaffected by the security issues. As a leader in hardware security, Microsemi is well-known for its cybersecurity and malware expertise, offering customers the highest levels of design and data security.
Tomi Engdahl says:
Spectre and Meltdown: What’s Left after Everyone Panicked for a Moment?
https://blog.paessler.com/spectre-and-meltdown-whats-left-after-everyone-panicked-for-a-moment?utm_source=facebook&utm_medium=cpc&utm_campaign=Burda-Blog-Global&utm_content=SpectreReview
Maybe it’s not as dangerous as everyone thinks. Or maybe it is? What we do know is that there are now almost 140 different malware samples trying to exploit the Meltdown and Spectre processor gaps. It’s hard to determine whether this has led to concrete attacks on users; however, it is highly probable that there haven’t been any such attacks. Also, we know the history of the whole mess, but what don’t we know? Everything else.
Almost 2 months after everyone with a keyboard and fingers told the internet about their fears of Spectre and Meltdown, the majority of hardware manufacturers and security researchers are still working on the issue. While manufacturers, including Intel, are busy developing and delivering patches, security researchers of all kinds are already writing malware exploits. The fact that not everything is running according to plan with these attempts also fits into the picture. Intel is currently being sued by more than 30 groups for the Meltdown and Spectre vulnerabilities but instead of resolving the security gaps and clarifying them, Intel created additional chaos at the end of January. Because updates on certain older computers led to crashes or unnecessary restarts, the chip giant now advises against installation. Meanwhile, other PC manufacturers had already processed Intel’s rework attempts to BIOS updates. And many of these vendors are now taking down the updates from their websites again.
More and More Malware, but Real Attacks Are Unknown
The nearly 140 different malware versions, which are supposed to attack the gaps, are based on the known proof-of-concept code and target Windows, macOS and Linux. They come from security researchers, so they were probably written for testing purposes, or they come from anti-virus vendors who, in turn, received them from their customers. The great number of samples is explained by the fact that the malware or exploit writers are already busy determining whether the gaps can somehow be exploited to steal data. Realistically, you can only expect an attack via a browser, at least for now. Users should therefore always keep their browser software up to date.
What Constitutes a Crime?
So I ask myself: what are we talking about here? A potential danger? Well… alright. An attack on end users and businesses? Not for the time being. Based on our current knowledge, there is no evidence of concrete attacks on users. The firewall manufacturer Fortinet, which has been alerting its users to the danger, apparently has no concrete evidence of attacks.
Intel is now expanding its Bug Bounty Program to detect and eliminate security vulnerabilities sooner. From now on, the so-called Side Channel Vulnerabilities will be announced until the end of the year with a reward of 250,000 US dollars
Tomi Engdahl says:
Meltdown/Spectre: The First Large-Scale Example of a ‘Genetic’ Threat
Sponsored by Dark Reading
https://registrations.darkreading.com/DR0302_Vulnerabilities?_mc=DRWP18_1_20180302cid=DRWP18_1_20180302&elq_mid=83546&elq_cid=14916437
While superficially just another large vulnerability, Meltdown and Spectre represent an entirely new class of threat that dramatically escalates the need for effective security programs and practices.
Tomi Engdahl says:
Windows Updates Deliver Intel’s Spectre Microcode Patches
https://www.securityweek.com/windows-updates-deliver-intels-spectre-microcode-patches
Microsoft announced on Thursday that Windows users will receive the microcode updates released by Intel to patch the notorious Spectre vulnerability.
Meltdown and Spectre attacks allow malicious applications to bypass memory isolation and access sensitive data. Meltdown attacks are possible due to a flaw tracked as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be addressed with software updates, but Spectre Variant 2 requires microcode patches.
Microsoft has provided users the necessary software updates and it has now started delivering microcode patches as well.
After the first round of Spectre microcode patches from Intel caused more frequent reboots and other instability problems, the company started releasing new updates. The first patches were for Skylake, then for Kaby Lake and Coffee Lake, and this week for Haswell and Broadwell processors.
Intel has provided the microcode updates to device manufacturers, which are expected to make them available to customers once they have been tested.
Tomi Engdahl says:
Intel’s Spectre fix for Broadwell and Haswell chips has finally landed
Chips that sparked Intel’s recall of microcode for Spectre Variant 2 attack now have stable fixes.
http://www.zdnet.com/article/intels-spectre-fix-for-broadwell-and-haswell-chips-has-finally-landed/
Tomi Engdahl says:
Richard Chirgwin / The Register:
Researchers use speculative execution flaws to design an attack, called SgxPectre, that reads the contents of SGX secure enclaves on Intel CPUs — And no, you’re not supposed to be able to do that — Vid The Spectre design flaws in modern CPUs can be exploited to punch holes through …
Spectre haunts Intel’s SGX defense: CPU flaws can be exploited to snoop on enclaves
And no, you’re not supposed to be able to do that
http://www.theregister.co.uk/2018/03/01/us_researchers_apply_spectrestyle_tricks_to_break_intels_sgx/
The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel’s SGX secure environments, researchers claim.
SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that not even the operating system nor a hypervisor can access, let alone other programs.
The speculative execution flaws revealed in January, however, jeopardize SGX’s security boundaries, as demonstrated in the video
The researchers – professors Yinqian Zhang, Zhiqiang Lin, and Ten Lai, plus students Guoxing Chen, Sanchuan Chen, and Yuan Xiao – hail from Ohio State University in the USA. They’ve dubbed their enclave-sniffing technique SgxPectre, and noted on GitHub: “Similar to their non-SGX counterparts, SgxPectre attacks exploit the race condition between the injected, speculatively executed memory references and the latency of the branch resolution.”
Enclave code built using the Intel SGX SDK, Rust-SGX, Graphene-SGX, or similar runtime libraries, are vulnerable, we’re told.
There is a fix: Intel’s microcode update that introduced indirect branch restricted speculation (IBRS), which flushes the branch prediction history at the enclave boundary.
However, an evil sysadmin at, for example, a cloud provider could revert the patch, and “there is no means for the enclave code to reliably detect if IBRS is enabled.”
Intel says it will update its SGX SDK later this month to allow software attestation to detect the presence of Spectre mitigations. Enclave code will need to be rebuilt and redeployed using the updated development kit to be protected from malicious sysadmins.
https://github.com/osusecLab/SgxPectre
Tomi Engdahl says:
6 Lessons from the CPU Meltdown
https://www.eetimes.com/author.asp?section_id=36&doc_id=1333039
The chief technologist of a computer hardware and software company shares some basic principles for plugging the security gaps in the next Meltdown or Spectre.
1. Maintain extra CPU headroom: It’s important to have enough CPU resources in place to handle workloads in all failure scenarios. It is clear we also need to take into account software mitigations for this new class of hardware flaws–mitigations which also may significantly affect performance.
2. Be prepared to respond: One of the biggest frustrations over this incident was the apparent lack of processes in place to address flaws like Meltdown and Spectre.
3. Be flexible and adaptable: If you don’t have processes in place to address fixes quickly, at least have the flexibility to drop other things and shift gears quickly to get the job done. Adjust priorities as needed to establish the resources to test patched systems are running with a level of stability that meets your comfort level. Have a team ready to support customers who are pushing the performance envelope.
4. Internal and external communications are key: When the patch flaw was revealed, my company created internal communications with employees to help them understand the severity of the issue, how it impacted system vulnerability and what we were doing to address it. As a result, our teams were ready with answers when our customers called.
5. Automate testing and know the variables: Test automation speeds the process of applying microcode and OS patches as they come down from vendors.
6. It takes a trusted village: If our processor and software manufacturers can’t be open and honest, we’re all going to have to look after each other. Think open source communities. If someone spots something odd during a testing process, they can inform others rather than wait for an official statement or patch release from the manufacturer.
Tomi Engdahl says:
Alfred Ng / CNET:
Experts reveal 13 alleged flaws in AMD Ryzen and EPYC chips, just 24 hours after showing AMD, that allow malware to be installed on secure portions of the chips — Researchers say they’ve found 13 flaws in AMD’s Ryzen and EPYC chips, which could let attackers install malware on highly guarded parts of the processor.
AMD allegedly has its own Spectre-like security flaws
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/
Researchers say they’ve found 13 flaws in AMD’s Ryzen and EPYC chips, which could let attackers install malware on highly guarded parts of the processor.
Tomi Engdahl says:
Intel Shares Details on New CPUs With Spectre, Meltdown Protections
https://www.securityweek.com/intel-shares-details-new-cpus-spectre-meltdown-protections
Intel announced on Thursday that patches designed to address the Spectre vulnerability are now available for all the affected CPUs released in the past five years, and shared more details on the future processors that will include protections against these types of attacks.
Intel CEO Brian Krzanich informed customers that the company has made available microcode updates for “100 percent” of the recent processors vulnerable to Meltdown and Spectre attacks.
The company first released new firmware updates for its Skylake processors, then for Kaby Lake and Coffee Lake, and later for Broadwell and Haswell CPUs. The fixes will be delivered by device manufacturers, but Microsoft has also started providing the microcode patches for Windows 10 devices with Skylake, Coffee Lake and Kaby Lake processors.
Tomi Engdahl says:
Steve Dent / Engadget:
Intel says upcoming 8th-gen Xeon and Core CPUs have been redesigned to provide hardware protection against Spectre variant 2 and Meltdown vulnerabilities — As promised, Intel has redesigned its upcoming 8th-gen Xeon and Core processors to further reduce the risks of attacks via the Spectre …
https://www.engadget.com/2018/03/15/intel-chip-redesign-spectre-meltdown-flaws/
Tomi Engdahl says:
Intel announces hardware fixes for Spectre and Meltdown on upcoming chips
https://techcrunch.com/2018/03/15/intel-announces-hardware-fixes-for-spectre-and-meltdown-on-upcoming-chips/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
When the Spectre and Meltdown bugs hit, it became clear that they wouldn’t be fixed with a few quick patches — the problem runs deeper than that. Fortunately, Intel has had plenty of time to work on it, and new chips coming out later this year will include improvements at the hardware/architecture level that protect against the flaws. Well, two out of three, anyway.
CEO Brian Krzanich announced the news in a company blog post.
“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” Krzanich writes. Cascade Lake Xeon and 8th-gen Core processors should include these changes when they ship in the second half of 2018.
Lastly, even older hardware will be getting the microcode updates — back to the 1st-gen Core processors.
https://newsroom.intel.com/editorials/advancing-security-silicon-level/
Tomi Engdahl says:
Intel Shares Details on New CPUs With Spectre, Meltdown Protections
https://www.securityweek.com/intel-shares-details-new-cpus-spectre-meltdown-protections
Intel announced on Thursday that patches designed to address the Spectre vulnerability are now available for all the affected CPUs released in the past five years, and shared more details on the future processors that will include protections against these types of attacks.
Intel CEO Brian Krzanich informed customers that the company has made available microcode updates for “100 percent” of the recent processors vulnerable to Meltdown and Spectre attacks.
The company first released new firmware updates for its Skylake processors, then for Kaby Lake and Coffee Lake, and later for Broadwell and Haswell CPUs. The fixes will be delivered by device manufacturers, but Microsoft has also started providing the microcode patches for Windows 10 devices with Skylake, Coffee Lake and Kaby Lake processors.
In late January, Krzanich revealed that the company had started working on processors with built-in protections for attacks similar to Meltdown and Spectre. Additional details have now been provided and Intel even published a video that explains on a high level how these side-channel attacks work and how it plans on preventing them.
Meltdown attacks rely on a vulnerability identified as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Variant 1 can be addressed with software patches, but Variant 2 also requires microcode updates.
Tomi Engdahl says:
diff -u: Intel Design Flaw Fallout
http://www.linuxjournal.com/content/diff-u-intel-design-flaw-fallout?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+linuxjournalcom+%28Linux+Journal+-+The+Original+Magazine+of+the+Linux+Community%29
For weeks, the world’s been talking about severe Intel design flaws affecting many CPUs and forcing operating systems to look for sometimes costly workarounds.
Linux patches for these issues are in a state of ongoing development. Security is always the first priority, at the expense of any other feature. Next would probably be the general speed of a running system for the average user. After that, the developers might begin piecing together any features that had been pulled as part of the initial security fix.
But while this effort goes on, the kernel developers seem fairly angry at Intel, especially when they feel that Intel is not doing enough to fix the problems in future processors.
In response to one set of patches, for example, Linus Torvalds burst out with, “All of this is pure garbage. Is Intel really planning on making this shit architectural? Has anybody talked to them and told them they are f*cking insane?” He went on, “the IBRS garbage implies that Intel is _not_ planning on doing the right thing for the indirect branch speculation. Honestly, that’s completely unacceptable.” And then he said:
The whole IBRS_ALL feature to me very clearly says “Intel is not serious about this, we’ll have an ugly hack that will be so expensive that we don’t want to enable it by default, because that would look bad in benchmarks”. So instead they try to push the garbage down to us. And they are doing it entirely wrong.
Tomi Engdahl says:
Meltdown, Spectre, and the Costs of Unchecked Innovation
https://www.wired.com/story/meltdown-spectre-costs-of-unchecked-innovation
Tomi Engdahl says:
More Chrome OS Devices Receive Meltdown, Spectre Patches
https://www.securityweek.com/more-chrome-os-devices-receive-meltdown-spectre-patches
The latest stable channel update for Google’s Chrome OS operating system includes mitigations for devices with Intel processors affected by the Spectre and Meltdown vulnerabilities.
Meltdown and Spectre attacks exploit design flaws in Intel, AMD, ARM and other processors. They allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data.
Meltdown attacks are possible due to CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). While Meltdown and Variant 1 can be addressed with software updates, Variant 2 also requires microcode updates from the manufacturers of the impacted processors. Software mitigations include kernel page-table isolation (KPTI/KAISER) and a technique developed by Google called Retpoline.
Tomi Engdahl says:
We need to go deeper: Meltdown and Spectre flaws will force security further down the stack
Turns out performance at all costs has been rather costly
https://www.theregister.co.uk/2018/03/26/attacks_go_down_the_stack/
Around 2003, a computer security portent that had been cheerlessly simmering away for years suddenly came to the boil.
This was an era stricken by malware attacks on a scale few had prepared for, running software beset with flaws some vendors seemed disinclined to acknowledge let alone fix.
Vulnerabilities, including high-severity ones, were nothing new, of course, but on the back of the internet megatrend they seemed to be getting more dangerous, causing global trouble in a matter of hours, infamously through fast-spreading worms such as that year’s Blaster and SQL Slammer.
Blaster was a particularly ironic example because the vulnerability it targeted – a buffer overrun in Windows DCOM RPC – had ostensibly been patched a month before the attack. But having a patch and applying it were not, it turned out, the same thing.
What was going on? On the face of it, it appeared that high-rated vulnerabilities – especially ones exploiting the innovation of zero-day flaws – were supercharging malware in ways that were going to require new thinking and far better processes.
Now Google’s vice president security and privacy engineering (CISO), Eschelbeck’s big idea was the Laws of Vulnerabilities (PDF), a way to understand how quickly Qualys’s enterprise customers were patching flaws.
What interested him was vulnerability “half-life”, or how long it took to reduce the occurrence of a flaw by 50 per cent, which in 2003 was an average of 30 days in a world where exploits could appear within days.
Perma-flaws
And yet despite this, vulnerabilities march on with a predictable logic. Having colonised OSes and web and PC applications, the vulnerability problem is now menacing firmware and side-channel microcode through the proof-of-concept (PoC) vulnerabilities such as Meltdown and Spectre.
Hotel insomnia
The good news, notes Carsten Eiram, chief research officer at vulnerability analysis firm Risk Based Security, is that none so far involves remote code execution, which gives defenders a chance of detecting and blocking them.
Even when fixes are not easy or even possible, mitigations are. It’s messy and slow but liveable providing the industry can quickly fashion a reliable mitigation channel.
“In general, these types of vulnerabilities are very rare compared to the total number of vulnerabilities reported each year,” Eiram says. “The bar is higher than many other types of vulnerabilities.”
“If a low-level remote code execution issue is discovered that for some reason cannot be properly mitigated or fixed without replacements, it would be a huge problem.”
What constrains mitigation is the number of moving parts. For Meltdown and Spectre, the hardware maker (Intel) had to push the mitigation to work with what the OS maker (Microsoft) deemed possible. The latter then had to tell antivirus vendors about this in case their products were making unsupported calls into memory that might interfere with OS Kernel Patch Protection (KPP), setting a registry key to indicate compatibility.
Tellingly, Microsoft ended up hosting Intel’s patches to speed distribution in case Intel’s own efforts fell short. Cooperation between industry tiers suddenly mattered.
“We’ve been trying to get as low level as possible. Security is leaving the operating system to go deeper down the stack… to sit between the CPU and the software,” according to Arsene.
His company last year announced Hypervisor Introspection (HVI), a data centre security technology developed in conjunction with Citrix that protects virtualized servers from the thorny problem of malware exploiting shared memory.
At the time it looked like an interesting sledgehammer for a peanut-sized problem, less so now that people have had time to speculate as to how Meltdown and Spectre-primed malware might escape hypervisors in ways that not long ago sounded hypothetical.
“While patching is good, that doesn’t address the core issue which is at some point you need to upgrade your hardware,” says Liviu. “If until now we thought of security as exploiting vulnerabilities in code, this goes to prove that this code can run much deeper than we thought.”
The Laws of Vulnerabilities: Six Axioms for Understanding Risk
https://www.qualys.com/docs/laws-of-vulnerabilities.pdf
Tomi Engdahl says:
Peter Bright / Ars Technica:
As expected, researchers find another side-channel processor attack that abuses branch prediction, called BranchScope, similar to Spectre variant 2
As predicted, more branch prediction processor attacks are discovered
New attack focuses on a different part of the branch prediction system.
https://arstechnica.com/gadgets/2018/03/its-not-just-spectre-researchers-reveal-more-branch-prediction-attacks/
Researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside, and Binghamton University have described a security attack that uses the speculative execution features of modern processors to leak sensitive information and undermine the security boundaries that operating systems and software erect to protect important data.
That probably sounds familiar.
The Spectre attacks, published earlier this year, take advantage of the speculative execution features of modern processors to leak sensitive information. The new attack, named BranchScope by the researchers, shares some similarity with variant 2 of the Spectre attack, as both BranchScope and Spectre 2 take advantage of the behavior of the processor’s branch predictor.
The Spectre attacks as a whole occur because the processor doesn’t quite put things back the way they should be. While the processor does revert to its speculative execution correctly—if it didn’t, programs would simply stop working correctly—it doesn’t quite do so perfectly.
BranchScope and Spectre 2 both take advantage of different parts of the branch predictor. Spectre 2 relied on a part called the Branch Target Buffer (BTB)
For Spectre 2, an attacker primes the BTB, carefully executing branch instructions so that the BTB has a predictable content with a target instruction that will, if speculatively executed, disturb the processor’s cache in a detectable way. The victim program then runs and makes a branch. The attacker then checks to see if the cache was disturbed; the measurement of that disturbance leaks information.
In the new attack, an attacker primes the PHT and running branch instructions so that the PHT will always assume a particular branch is taken or not taken. The victim code then runs and makes a branch, which is potentially disturbing the PHT. The attacker then runs more branch instructions of its own to detect that disturbance to the PHT; the attacker knows that some branches should be predicted in a particular direction and tests to see if the victim’s code has changed that prediction.
The researchers looked only at Intel processors, using the attacks to leak information protected using Intel’s SGX (Software Guard Extensions)
Spectre 2 has provoked both operating system and hardware changes, with more hardware fixes planned. The researchers suggest that a similar combination of solutions would be needed for BranchScope
Attacks like Spectre 2 and BranchScope are the result. It’s likely to be years before researchers have determined all the various ways in which the speculative execution hardware can be used to leak information this way, and it will be longer still before robust, universal defenses are available to stop the attacks.
BranchScope: A New Side-Channel Attack on Directional Branch Predictor
http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf
Tomi Engdahl says:
Intel CPUs Vulnerable to New ‘BranchScope’ Attack
https://www.securityweek.com/intel-cpus-vulnerable-new-branchscope-attack
Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.
The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University.
Similar to Meltdown and Spectre, BranchScope can be exploited by an attacker to obtain potentially sensitive information they normally would not be able to access directly. The attacker needs to have access to the targeted system and they must be able to execute arbitrary code.
Researchers believe the requirements for such an attack are realistic, making it a serious threat to modern computers, “on par with other side-channel attacks.” The BranchScope attack has been demonstrated on devices with three types of Intel i5 and i7 CPUs based on Skylake, Haswell and Sandy Bridge microarchitectures.
Experts showed that the attack works even if the targeted application is running inside of an Intel SGX enclave. Intel SGX, or Software Guard Extensions, is a hardware-based isolated execution system designed to prevent code and data from getting leaked or modified.
Tomi Engdahl says:
Peter Bright / Ars Technica:
As expected, researchers find another side-channel processor attack that abuses branch prediction, called BranchScope, similar to Spectre variant 2
As predicted, more branch prediction processor attacks are discovered
New attack focuses on a different part of the branch prediction system.
https://arstechnica.com/gadgets/2018/03/its-not-just-spectre-researchers-reveal-more-branch-prediction-attacks/
Tomi Engdahl says:
Windows 7 Meltdown patch opens worse vulnerability: Install March updates now
http://www.zdnet.com/article/windows-7-meltdown-patch-opens-worse-vulnerability-install-march-updates-now/
Microsoft’s Meltdown fix opened a gaping hole in Windows 7 security, warns researcher.
Microsoft’s early patches for Intel’s Meltdown CPU vulnerability created an even bigger problem in Windows 7 that allowed any unprivileged application to read kernel memory.
Microsoft’s January and February patches stopped the Meltdown bug that exposed passwords in protected memory, but security researcher Ulf Frisk has discovered that the patches introduced a far worse kernel bug, which allows any process to read and write anywhere in kernel memory.
Frisk says the vulnerability affects Windows 7 x64 and Windows 2008R2 with the January or February patches.
According to Frisk, the two faulty patches wrongly set a bit in the virtual-to-physical-memory translator known as PLM4 to allow any user-mode application to access the kernel’s page tables.
Tomi Engdahl says:
Intel shrugs off ‘new’ side-channel attacks on branch prediction units and SGX
Been there, mitigated that, got the class actions, says Chipzilla
https://www.theregister.co.uk/2018/03/28/intel_shrugs_off_new_sidechannel_attacks_on_branch_prediction_units_and_sgx/
Intel’s shrugged off two new allegations of design flaws that enable side-channel attacks.
One of the new allegations was discussed at Black Hat Asia in Singapore last week, where University of Graz PhD Students Moritz Lipp and Michael Schwarz delivered a talk titled “When good turns to evil: using Intel SGX to stealthily steal Bitcoins.”
SGX is Intel’s way of creating secure enclaves that, as advertised, offer “protected areas of execution in memory” that “protect select code and data from disclosure or modification.” SGX enclaves are supposed to be inaccessible from the OS and even survive attacks that crack the BIOS or corrupt drivers.
Lipp and Schwarz noted that SGX enclaves have been used by developers of Bitcoin wallets because they sensibly appreciate being able to store them a secure location, given that to own a Bitcoin key is a short step away from owning Bitcoin too. But the pair delivered some bad news: an old-school “prime and probe” attack can be run against SGX enclaves.
Which sounds like a great way to get data out of an SGX enclave except for one small problem: SGX is immune to the timing software that lets you figure out when RAM was accessed.
Intel also hosed down a new paper (PDF) titled “BranchScope: A New Side-Channel Attack on Directional Branch Predictor” that describes “a new side-channel attack where the attacker infers the direction of an arbitrary conditional branch instruction in a victim program by manipulating the shared directional branch predictor.”
“We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper.”
Which offers some comfort to users, but shows Intel is also a long way from escaping the mess that Meltdown and Spectre created. SGX has long been known to have certain sensitivities.
https://software.intel.com/en-us/sgx
Tomi Engdahl says:
Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE
You’ll want to install the March update. Like right now – if you can avoid broken networking
https://www.theregister.co.uk/2018/03/28/microsoft_windows_meltdown_patch_security_flaw/
Tomi Engdahl says:
Intel CPUs Vulnerable to New ‘BranchScope’ Attack
https://www.securityweek.com/intel-cpus-vulnerable-new-branchscope-attack
Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.
The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University.
Similar to Meltdown and Spectre, BranchScope can be exploited by an attacker to obtain potentially sensitive information they normally would not be able to access directly. The attacker needs to have access to the targeted system and they must be able to execute arbitrary code.
Tomi Engdahl says:
BranchScope is not the only CPU side-channel attack method uncovered following the disclosure of Meltdown and Spectre. One of them, dubbed SgxPectre, shows how Spectre can be leveraged to defeat SGX.
Researchers have also demonstrated new variants of the Meltdown and Spectre attacks, which they have named MeltdownPrime and SpectrePrime.
MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting
Invalidation-Based Coherence Protocols https://arxiv.org/pdf/1802.03802.pdf
SgxPectre Attacks: Leaking Enclave Secrets via Speculative Execution
https://arxiv.org/abs/1802.09085
Tomi Engdahl says:
Microsoft’s Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE
You’ll want to install the March update. Like right now – if you can avoid broken networking
https://www.theregister.co.uk/2018/03/28/microsoft_windows_meltdown_patch_security_flaw/
Microsoft’s January and February security fixes for Intel’s Meltdown processor vulnerability opened up an even worse security hole on Windows 7 PCs and Server 2008 R2 boxes.
This is according to researcher Ulf Frisk, who previously found glaring shortcomings in Apple’s FileVault disk encryption system.
We’re told Redmond’s early Meltdown fixes for 64-bit Windows 7 and Server 2008 R2 left a crucial kernel memory table readable and writable for normal user processes. This, in turn, means any malware on those vulnerable machines, or any logged-in user, can manipulate the operating system’s memory map, gain administrator-level privileges, and extract and modify any information in RAM.
Ouch!
Tomi Engdahl says:
Meltdown patches from Microsoft made Windows 7 and Windows Server 2008 less secure
https://betanews.com/2018/03/28/microsoft-meltdown-patch-problems/
If you’re running Windows 7 and you’ve not yet installed the March updates, now is very much the time to do so. It turns out that the Meltdown patches released in January and February actually opened up a security hole in both Windows 7 and Windows Server 2008 R2.
A Swedish security researcher found that the patches changed access permissions for kernel memory, making it possible for anyone to read from and write to user processes, gain admin rights and modify data in memory.
Total Meltdown?
http://blog.frizk.net/2018/03/total-meltdown.html?m=1
Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per second was not a good thing.
Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.
No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write!
How is this possible?
In short – the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself.
Windows have a special entry in this topmost PML4 page table that references itself, a self-referencing entry. In Windows 7 the PML4 self-referencing is fixed at the position 0x1ED, offset 0xF68 (it is randomized in Windows 10). This means that the PML4 will always be mapped at the address: 0xFFFFF6FB7DBED000 in virtual memory. This is normally a memory address only made available to the kernel (Supervisor). Since the permission bit was erroneously set to User this meant the PML4 was mapped into every process and made available to code executing in user-mode.
Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory.
Can I try this out myself?
Yes absolutely. The technique has been added as a memory acquisition device to the PCILeech direct memory access attack toolkit. Just download PCILeech and execute it with device type: -device totalmeltdown on a vulnerable Windows 7 system.
Tomi Engdahl says:
Microsoft Fixes Windows Flaw Introduced by Meltdown Patches
https://www.securityweek.com/microsoft-fixes-windows-flaw-introduced-meltdown-patch
Microsoft has released out-of-band updates for Windows 7 and Windows Server 2008 R2 to address a serious privilege escalation vulnerability introduced earlier this year by the Meltdown mitigations.
Microsoft informed customers on Thursday that a new patch has been released for Windows 7 x64 Service Pack 1 and Windows Server 2008 R2 x64 Service Pack 1 to fully resolve the problem. “Customers who apply the updates, or have automatic updates enabled, are protected.” a Microsoft spokesperson said.
The vulnerability, tracked as CVE-2018-1038 and rated “important,” has been patched with the KB4100480 update. Users are advised to install the update as soon as possible, particularly since some Microsoft employees believe it will likely be exploited in the wild soon.
Tomi Engdahl says:
Intel admits a load of its CPUs have Spectre v2 flaw that can’t be fixed
And won’t fix Meltdown nor Spectre for 10 product families covering 230-plus CPUs
https://www.theregister.co.uk/2018/04/04/intel_says_some_cpus_with_spectre_v2_cant_be_fixed/
Intel has issued fresh “microcode revision guidance” that reveals it won’t address the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it’s too tricky to remove the Spectre v2 class of vulnerabilities.
The new guidance, issued April 2, adds a “stopped” status to Intel’s “production status” category in its array of available Meltdown and Spectre security updates. “Stopped” indicates there will be no microcode patch to kill off Meltdown and Spectre.
The guidance explains that a chipset earns “stopped” status because, “after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons.”
Those reasons are given as:
Micro-architectural characteristics that preclude a practical implementation of features mitigating [Spectre] Variant 2 (CVE-2017-5715)
Limited Commercially Available System Software support
Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
Thus, if a chip family falls under one of those categories – such as Intel can’t easily fix Spectre v2 in the design, or customers don’t think the hardware will be exploited – it gets a “stopped” sticker.
“Stopped” CPUs that won’t therefore get a fix are in the Bloomfield, Bloomfield Xeon, Clarksfield, Gulftown, Harpertown Xeon C0 and E0, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale, Wolfdale Xeon, Yorkfield, and Yorkfield Xeon families. The new list includes various Xeons, Core CPUs, Pentiums, Celerons, and Atoms – just about everything Intel makes.
Most the CPUs listed above are oldies that went on sale between 2007 and 2011, so it is likely few remain in normal use.
Tomi Engdahl says:
Intel Will Not Patch Spectre in Some CPUs
https://www.securityweek.com/intel-will-not-patch-spectre-some-cpus
Intel has informed customers that some of the processors affected by the Meltdown and Spectre vulnerabilities will not receive microcode updates due to issues related to implementation and other factors.
Two weeks after announcing that microcode updates have been made available for all recent processors vulnerable to speculative execution side-channel attacks, Intel updated its microcode revision guidance to say that some chips will not receive patches.
The list includes Core, Xeon, Celeron, Pentium, and Atom processors with Bloomfield (Xeon), Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale (Xeon) and Yorkfield (Xeon) microarchitectures. These products have been assigned a “stopped” status, which indicates they will not receive updates due to one or more reasons.
Intel says it has conducted a comprehensive investigation of the microarchitecture and microcode capabilities of these CPUs and determined that some of their characteristics prevent a practical implementation of mitigations for Spectre Variant 2 (CVE-2017-5715).
Other possible reasons for not releasing fixes include limited commercially available system software support and low risk of attacks.