‘Kernel memory leaking’ Intel processor design flaw

https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/

A fundamental design flaw in Intel’s processor chips related to virtual memory system (Intel x86-64 hardware) allows normal user programs (even JavaScript in web browsers) to discern to some extent the layout or contents of protected kernel memory areas.

It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug, which is expected to cause 5 to 30 per cent slow down of your computer on next update!

Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS, will also need to be updated.

This is bad news for Intel. Last year they had AMT vulnerability remote exploit and now this new blow in Intel security. I don’t think that computer buyers like that their computers become slower! 

Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month – so follow the comments for updates.

510 Comments

  1. Tomi Engdahl says:

    Zombieload v2 is the codename of a vulnerability that allows malware or a malicious threat actor to extract information processed inside a CPU, information to which they normally shouldn’t be able to access due to the security walls present inside modern-day CPUs

    Windows & Linux get options to disable Intel TSX to prevent Zombieload v2 attacks
    https://www.zdnet.com/article/windows-linux-get-options-to-disable-intel-tsx-to-prevent-zombieload-v2-attacks/

    Disclosure of new Zombieload v2 vulnerability prompts OS makers to react with ways to disable Intel’s TSX technology.

    Both Microsoft and the Linux kernel teams have added ways to disable support for Intel Transactional Synchronization Extensions (TSX).

    TSX is the Intel technology that opens the company’s CPUs to attacks via the Zombieload v2 vulnerability.

    https://www.zdnet.com/article/intels-cascade-lake-cpus-impacted-by-new-zombieload-v2-attack/

    Reply
  2. Tomi Engdahl says:

    Intel Patches Plundervolt, High Severity Issues in Platform Update
    https://www.bleepingcomputer.com/news/security/intel-patches-plundervolt-high-severity-issues-in-

    platform-update/
    Intel addressed 14 security vulnerabilities during the December 2019
    Patch Tuesday, with seven of them being high and medium severity
    security flaws impacting multiple platforms including Windows and
    Linux. The security issues patched today were detailed in the 9
    security advisories published by Intel on its Product Security Center,
    with the company having delivered them to customers through the Intel
    Platform Update (IPU) process. The vulnerabilities disclosed today
    could allow authenticated or privileged users to potentially enable
    information disclosure, trigger denial of service states, escalate
    privileges, or execute malicious code at an elevated level of
    privilege via local access. Each advisory comes with a detailed list
    of all affected products as well as recommendations for vulnerable
    products, and also include contact details for users and researchers
    who would want to report other vulnerabilities found in Intel branded
    tech or products.
    Hackers Can Mess With Voltages to Steal Intel Chips’ Secrets
    https://www.wired.com/story/plundervolt-intel-chips-sgx-hack/
    A new attack called Plundervolt gives attackers access to the
    sensitive data stored in a processor’s secure enclave. When thieves
    want to steal treasures surrounded by sensors and alarms, they
    sometimes resort to cutting the power, disrupting the flow of
    electricity to those expensive security systems. It turns out that
    hackers can pull off a similar trick: breaking the security mechanisms
    of Intel chips by messing with their power supply, and exposing their
    most sensitive secrets.
    But by momentarily undervolting a
    processor by 25 or 30 percent, and precisely timing that voltage
    change, an attacker can cause the chip to make errors in the midst of
    computations that use secret data. And those errors can reveal
    information as sensitive as a cryptographic key or biometric data
    stored in the SGX enclave. “Writing to memory takes power, ” says
    Flavio Garcia, a computer scientist at the University of Birmingham
    who, along with his colleagues, will present the Plundervolt research
    at IEEE Security and Privacy next year. “So for an instant, you reduce
    the CPU voltage to induce a computation fault.”. Read also:
    https://www.theregister.co.uk/2019/12/10/intel_sgx_youve_been_plunderstruck/

    Reply
  3. Tomi Engdahl says:

    Intel Is Patching Its ‘Zombieload’ CPU Security Flaw For the Third Time
    https://it.slashdot.org/story/20/01/27/2126231/intel-is-patching-its-zombieload-cpu-security-flaw-for-

    the-third-time?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+

    %28%28Title%29Slashdot+%28rdf%29%29
    For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the

    speculative functionality of its processors. On Monday, the company said it will issue a software update

    “in the coming weeks” that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws.

    This latest update comes after the company released two separate patches in May and November of last year.
    IPAS: INTEL-SA-00329
    https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.upo7m1
    Intel is patching its Zombieload CPU security flaw for the third time
    Security researchers say the company needs to change its approach.
    https://www.engadget.com/2020/01/27/intel-third-mds-patch/
    For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the

    speculative functionality of its processors. On Monday, the company said it will issue a software update

    “in the coming weeks” that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws.

    This latest update comes after the company released two separate patches in May and November of last year.

    Reply
  4. Tomi Engdahl says:

    CacheOut
    Leaking Data on Intel CPUs via Cache Evictions
    https://cacheoutattack.com/
    Leaking Data on Intel CPU’s via Cache Evictions
    CacheOut, a new speculative execution attack that is capable of leaking data from Intel CPUs across many security boundaries. Despite Intel’s attempts to address previous generations of speculative execution attacks, CPUs are still vulnerable, allowing attackers to exploit these vulnerabilities to leak sensitive data.
    Moreover, unlike previous MDS issues, an attacker can exploit the CPU’s caching mechanisms to select what data to leak, as opposed to waiting for the data to be available. CacheOut can violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves.
    Intel acknowledgedthe issue and has assignedCVE-2020-0549, referring to theissue as L1 Data Eviction Sampling (L1DES) with a CVSSscore of 6.5 (medium).

    Reply
  5. Tomi Engdahl says:

    More dangerous vulnerabilities in Intel CPUs
    https://www.pandasecurity.com/mediacenter/news/more-dangerous-vulnerabilities-intel-cpus/
    Intel has released information about two potentially dangerous flaws
    in the processor architecture of its CPUs. The chip manufacturer had
    already provided security updates for similar gaps in May and November
    2019. Although the new vulnerabilities seem to be less critical than
    the previous ones, side-channel attacks are still possible.
    https://www.pandasecurity.com/mediacenter/news/more-dangerous-vulnerabilities-intel-cpus/
    The chip manufacturer had already provided security updates for similar gaps in May and November 2019.
    The current vulnerability allows the exploit to selectively choose which data it wants to access. The

    attack—referred to by Intel as L1D Eviction Sampling (L1DES)—causes an exception: data loaded during a

    running process of a speculative execution is discarded due to a triggered error. The attackers have now

    modified their approach and can load the data to be read out into unused filling buffers.
    Until now, reducing the vulnerability has been associated with a severe performance degradation because,

    according to VUSec (Systems and Network Security Group at the Vrije University of Amsterdam), the

    processor’s L1D cache has to be completely emptied again at each context switch. This is mainly relevant

    for cloud operators, because attackers can read data beyond a virtual machine. With the help of the new

    microcode update, the flaws in the architecture can be corrected in the coming weeks.
    Affected CPUs
    it is mainly CPUs manufactured after 2015 that are affected: the weakness has existed in Intel processors

    since the Skylake generation (Core i-6000), as well as in the current desktop generation Coffee Lake

    Refresh (Core i-9000) and all Xeon SP CPUs (Skylake SP, Cascade Lake SP). Only Ice Lake is not affected.
    Sources: https://www.heise.de/security/meldung/Sicherheitsluecken-in-Intel-CPUs-Modifizierte-Angriffe-erfordern-BIOS-Updates-4647081.html

    Reply
  6. Tomi Engdahl says:

    Color me surprised. Intel CPUs and chipsets have a concerning flaw that’s unfixable. Intel x86 Root of Trust: loss of trust https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html FYI, this is a new bug apart from existing CPU bugs.

    Reply
  7. Tomi Engdahl says:

    Intel CPUs vulnerable to new LVI attacks
    https://www.zdnet.com/article/intel-cpus-vulnerable-to-new-lvi-attacks/
    Researchers say Intel processors will need another round of silicon
    chip re-designs to protect against new attack.
    Named Load Value Injection, or LVI for short, this is a new class of theoretical attacks against Intel

    CPUs.
    While the attack has been deemed only a theoretical threat, Intel has released firmware patches to

    mitigate attacks against current CPUs, and fixes will be deployed at the hardware (silicon design) level

    in future generations.
    Besides Meltdown and Spectre, other transient attacks were eventually discovered during the past two

    years, including the likes of Foreshadow, Zombieload, RIDL, Fallout, and LazyFP.
    LVI’s position in all these attacks is, technically, of a reverse-Meltdown. While the original Meltdown

    bug allowed attackers to read an app’s data from inside a CPU’s memory while in a transient state, LVI

    allows the attacker to inject code inside the CPU and have it executed as a transient “temporary”

    operation, giving attackers more control over what happens.
    Meltdown also needs a hardware fix
    But the biggest finding related to this research paper is about how the Meltdown & LVI will need to be addressed.
    When Meltdown was fist disclosed in January 2018, Intel said that a firmware patch was all that was needed, while a change of the CPU’s silicon design was only needed for the class of Spectre attacks.
    Now, researchers say this is not true anymore. Both the academic research team and the Bitdefender team say that the class of Meltdown and LVI attacks also now needs a hardware fix.
    LVI bypasses some Meltdown fixes
    “We exploit the same hardware operations as Meltdown,” Daniel Gruss, an assistant professor at the Graz University of Technology, and a member of the academic research team told ZDNet.
    “Therefore, if Meltdown works, LVI works as well.”

    Reply
  8. Tomi Engdahl says:

    Intel SGX is vulnerable to an unfixable flaw that can steal crypto keys and more | Ars Technica
    https://arstechnica.com/information-technology/2020/03/hackers-can-steal-secret-data-stored-in-intels-sgx-secure-enclave/

    For the past 26 months, Intel and other CPU makers have been assailed by Spectre, Meltdown, and a steady flow of follow-on vulnerabilities that make it possible for attackers to pluck passwords, encryption keys, and other sensitive data out of computer memory. On Tuesday, researchers disclosed a new flaw that steals information from Intel’s SGX, short for Software Guard eXtensions, which acts as a digital vault for securing users’ most sensitive secrets.

    On the surface, Load Value Injection, as researchers have named their proof-of-concept attacks, works in ways similar to the previous vulnerabilities and accomplishes the same thing. All of these so-called
    transient-execution flaws stem from speculative execution, an optimization in which CPUs attempt to guess future instructions before they’re called. Meltdown and Spectre were the first transient execution

    exploits to become public. Attacks named ZombieLoad, RIDL, Fallout, and Foreshadow soon followed.
    Foreshadow also worked against Intel’s SGX.

    Reply
  9. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    New Intel chip flaws disclosed: one can leak secure enclave data and the second allows cross core info

    leakage; both have patches that partially fix the issues
    Plundering of crypto keys from ultrasecure SGX sends Intel scrambling again
    Intel’s speculative execution flaws go deeper and are harder to fix than we thought.
    https://arstechnica.com/information-technology/2020/06/new-exploits-plunder-crypto-keys-and-more-from-

    intels-ultrasecure-sgx/

    For the past two years, modern CPUs—particularly those made by Intel—have been under siege by an unending series of attacks that make it possible for highly skilled attackers to pluck passwords, encryption keys, and other secrets out of silicon-resident memory. On Tuesday, two separate academic teams disclosed two new and distinctive exploits that pierce Intel’s Software Guard eXtension, by far the most sensitive region of the company’s processors.

    Reply
  10. Tomi Engdahl says:

    Intel CPUs Vulnerable to New ‘SGAxe’ and ‘CrossTalk’ Side-Channel
    Attacks
    https://thehackernews.com/2020/06/intel-sgaxe-crosstalk-attacks.html
    Cybersecurity researchers have discovered two distinct attacks that
    could be exploited against modern Intel processors to leak sensitive
    information from the CPU’s trusted execution environments (TEE)..
    Called SGAxe, the first of the flaws is an evolution of the previously
    uncovered CacheOut attack (CVE-2020-0549) earlier this year that
    allows an attacker to retrieve the contents from the CPU’s L1 Cache..
    see also https://cacheoutattack.com/

    Reply
  11. Tomi Engdahl says:

    Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks
    https://thehackernews.com/2020/08/foreshadow-processor-vulnerability.html
    The new research explains microarchitectural attacks were actually
    caused by speculative dereferencing of user-space registers in the
    kernel, which not just impacts the most recent Intel CPUs with the
    latest hardware mitigations, but also several modern processors from
    ARM, IBM, and AMD previously believed to be unaffected.

    Reply
  12. Tomi Engdahl says:

    BLINDSIDE – A Speculative Execution Attack
    https://www.vusec.net/projects/blindside/
    BlindSide allows attackers to hack blind in the Spectre era. That is,
    given a simple buffer overflow in the kernel and no additional info
    leak vulnerability, BlindSide can mount BROP-style attacks in the
    speculative execution domain to repeatedly probe and derandomize the
    kernel address space, craft arbitrary memory read gadgets, and enable
    reliable exploitation.. POC video
    https://www.youtube.com/watch?v=m-FUIZiRN5o. whitepaper
    https://download.vusec.net/papers/blindside_ccs20.pdf

    Reply
  13. Tomi Engdahl says:

    New BlindSide attack uses speculative execution to bypass ASLR
    https://www.zdnet.com/article/new-blindside-attack-uses-speculative-execution-to-bypass-aslr/
    New BlindSide technique abuses the CPU’s internal performance-boosting
    feature to bypass OS security protection.

    Reply
  14. Tomi Engdahl says:

    Complexity has broken computer security, says academic who helped spot Meltdown and Spectre flaws
    Graz University of Tech’s Daniel Gruss thinks natural sciences can save us
    https://www.theregister.com/2020/10/02/daniel_gruss_complexity_broke_security/

    Complexity has broken cybersecurity, but a reappraisal of computer science can keep us safe.

    So says Daniel Gruss, assistant professor in the Secure Systems group at Austria’s Graz University of Technology. Gruss and his colleagues discovered some of the biggest recent security snafus, including the Meltdown and Spectre microprocessor design flaws, a working Rowhammer exploit, attacks on Intel SGX including Plundervolt, and many more besides.

    Reply
  15. Tomi Engdahl says:

    In a first, researchers extract secret key used to encrypt Intel CPU code
    Hackers can now reverse engineer updates or write their own custom firmware.
    https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/

    Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured.

    The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn’t survive a reboot.

    “At the moment, it is quite difficult to assess the security impact,” independent researcher Maxim Goryachy said in a direct message. “But in any case, this is the first time in the history of Intel processors when you can execute your microcode inside and analyze the updates.”

    Reply
  16. Tomi Engdahl says:

    Hackers Can Now Reverse Engineer Intel Updates Or Write Their Own Custom Firmware
    https://developers.slashdot.org/story/20/10/28/217212/hackers-can-now-reverse-engineer-intel-updates-or-write-their-own-custom-firmware?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    In a statement, Intel officials wrote: “The issue described does not represent security exposure to customers, and we do not rely on obfuscation of information behind red unlock as a security measure. In addition to the INTEL-SA-00086 mitigation, OEMs following Intel’s manufacturing guidance have mitigated the OEM specific unlock capabilities required for this research. The private key used to authenticate microcode does not reside in the silicon, and an attacker cannot load an unauthenticated patch on a remote system.”

    Intel® Management Engine Critical Firmware Update (Intel-SA-00086)
    https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

    Reply
  17. Tomi Engdahl says:

    Intel may have just shed its most intimate CPU secrets
    By Anthony Spadafora
    First Published 1 day ago
    https://www.techradar.com/news/intel-may-have-just-shed-its-most-intimate-cpu-secrets

    Researchers have extracted the RC4 key used by Intel to encrypt CPU code

    Reply
  18. Tomi Engdahl says:

    #TBT: These two classes of hacks uncovered a way for information to leak out through the difference between what software is supposed to do and how it actually does those things. There’s every reason to believe that more ways will be uncovered.

    How the Spectre and Meltdown Hacks Really Worked
    https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked

    These types of attacks, called Meltdown and Spectre, were no ordinary bugs. At the time it was discovered, Meltdown could hack all Intel x86 microprocessors and IBM Power processors, as well as some ARM-based processors. Spectre and its many variations added Advanced Micro Devices (AMD) processors to that list. In other words, nearly the whole world of computing was vulnerable.

    And because speculative execution is largely baked into processor hardware, fixing these vulnerabilities has been no easy job. Doing so without causing computing speeds to grind into low gear has made it even harder.

    Reply
  19. Tomi Engdahl says:

    This 22-Year-Old Discovered How To Hack Billions Of Devices Globally Using One Of The Worst Chip Flaws In History
    https://www.iflscience.com/technology/this-22yearold-discovered-how-to-hack-billions-of-devices-globally/

    Reply
  20. Tomi Engdahl says:

    This should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

    Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
    https://www.extremetech.com/computing/317512-microsoft-pluton-chip-will-bring-xbox-like-security-to-windows-pcs?utm_campaign=trueAnthem%3A+Manual&utm_medium=trueAnthem&utm_source=facebook

    Microsoft hopes to improve PC platform security, and it’s turning to CPU manufacturers to help it do that. The Windows maker has a new security chip design called Microsoft Pluton, and it’s probably coming to your next PC whether you want it or not. Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.

    Microsoft says it started working on Pluton to address the troubling trend of CPU-based attacks like Spectre and Meltdown. Currently, many Windows PCs have a Trusted Platform Module (TPM), which is a separate chip someplace on the motherboard that the CPU uses to secure hardware and cryptographic keys. However, you can purchase expensive circumvention kits that physically tap the signal between the CPU and TPM to extract privileged data. Hypothetically, Pluton should block such attack vectors because it’s part of the CPU.

    Devices running on CPUs with the Pluton module should be much harder to hack in the same way the Xbox One was harder to hack than previous versions of the console. That’s actually where Microsoft took its inspiration. The Xbox has an integrated security module that makes it harder to play pirated games. There are plenty of arguments against that sort of heavy-handed DRM, but Microsoft’s engineers learned a great deal about security strategies from the Xbox. Bringing that know-how to the PC could solve a lot of problems… and maybe introduce a few new ones.

    Not everyone is over the moon about Pluton, which uses the same API as the standard TPM. It would be possible to use Pluton to run a digital rights management (DRM) scheme that is much harder to crack. Microsoft says that’s not its goal, but there’s nothing stopping someone from doing that. The integration of Pluton with CPU hardware also gives Microsoft some level of access to your hardware, even if you don’t use Windows. Microsoft already uses Pluton in its Linux-based Azure Sphere devices

    Reply
  21. Tomi Engdahl says:

    Spectre exploits in the “wild”
    https://dustri.org/b/spectre-exploits-in-the-wild.html
    Someone was silly enough to upload a working spectre (CVE-2017-5753)
    exploit for Linux (there is also a Windows one with symbols that I
    didn’t look at.) on VirusTotal last month, so here is my quick Sunday
    afternoon lazy analysis.. In my lab, on a vulnerable Fedora, the
    exploit is successfully dumping /etc/shadow in a couple of minutes.
    Interestingly, there are checks to detect SMAP and abort if it’s
    present. I didn’t manage to understand why the exploit was failing in
    its presence.. Also
    https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/
    “But while Voisin did not want to name the exploit author, several
    people were not as shy. Security experts on both Twitter and news
    aggregation service HackerNews were quick to spot that the new Spectre
    exploit might be a module for CANVAS, a penetration testing tool
    developed by Immunity Inc.

    Reply
  22. Tomi Engdahl says:

    A French security researcher has discovered what appears to be a first fully weaponized exploit for the Spectre bug — a Linux binary that dumps the contents of /etc/shadow

    FEATURED
    TECHNOLOGY
    First Fully Weaponized Spectre Exploit Discovered Online
    https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/

    A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain.

    The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018.

    Reply
  23. Tomi Engdahl says:

    https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html
    Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel
    Attacks. A new research has yielded yet another means to pilfer
    sensitive data by exploiting what’s the first “on-chip, cross-core”
    side-channel in Intel Coffee Lake and Skylake processors. Published by
    a group of academics from the University of Illinois at
    Urbana-Champaign, the findings are expected to be presented at the
    USENIX Security Symposium coming this August.

    Reply
  24. Tomi Engdahl says:

    New Side-Channel Attack Targets Intel CPU Ring Interconnect
    https://www.securityweek.com/new-side-channel-attack-targets-intel-cpu-ring-interconnect

    A team of researchers from the University of Illinois at Urbana-Champaign has published a paper detailing a new side-channel attack method that can be launched against devices with Intel CPUs.

    Following the disclosure of the Meltdown and Spectre vulnerabilities back in January 2018, researchers have increasingly focused on finding CPU side-channel attack methods — and in many cases they have been successful.

    The latest attack method can allow an attacker who has access to the targeted device to obtain potentially sensitive information. The attack, described by the researchers as “the first on-chip, cross-core side-channel attack,” is related to the ring interconnect, or ring bus, the component that enables communication between the various CPU units (e.g. cores, last level cache, system agent and GPU) on many Intel processors.

    Reply
  25. Tomi Engdahl says:

    https://www.facebook.com/groups/majordomo/?ref=share

    I’m really glad I’m no longer in web work.

    “Post-Spectre, we need to adopt some new strategies for safe and secure web development. This document outlines a threat model we can share, and a set of mitigation recommendations.

    TL;DR: Your data must not unexpectedly enter an attacker’s process”

    Post-Spectre Web Development
    Editor’s Draft, 10 March 2021
    https://w3c.github.io/webappsec-post-spectre-webdev/

    Post-Spectre, we need to adopt some new strategies for safe and secure web development. This document outlines a threat model we can share, and a set of mitigation recommendations.

    TL;DR: Your data must not unexpectedly enter an attacker’s process.

    Reply
  26. Tomi Engdahl says:

    A Spectre proof-of-concept for a Spectre-proof web
    https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html
    In this post, we will share the results of Google Security Team’s
    research on the exploitability of Spectre against web users, and
    present a fast, versatile proof-of-concept (PoC) written in JavaScript
    which can leak information from the browser’s memory. We’ve confirmed
    that this proof-of-concept, or its variants, function across a variety
    of operating systems, processor architectures, and hardware
    generations.. also: https://leaky.page/ Spectre javascript poc

    Reply
  27. Tomi Engdahl says:

    Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world • The Register
    https://www.theregister.com/2021/03/08/post_spectre_programming/

    Reply
  28. Tomi Engdahl says:

    Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world
    ‘This is going to be a lot of work … a reasonable set of mitigation primitives exists today, ready and waiting for use’
    https://www.theregister.com/2021/03/08/post_spectre_programming/

    After the disclosure of the 2018 Spectre family of vulnerabilities in modern microprocessor chips, hardware vendor and operating system makers scrambled to reduce the impact of data-leaking side-channel attacks designed to exploit the way chips try to predict future instructions.

    Intel and others rolled out firmware patches, Linux kernel maintainers added capabilities like STIBP (Single Thread Indirect Branch Predictors), and browser makers took steps like reducing the precision of timers.

    Now web security professionals are asking developers to do their part by recognizing that Spectre broke the old threat model and by writing code that reflects the new one.

    Reply
  29. Tomi Engdahl says:

    Spectre exploits in the “wild”
    https://dustri.org/b/spectre-exploits-in-the-wild.html

    Someone was silly enough to upload a working spectre (CVE-2017-5753) exploit for Linux (there is also a Windows one with symbols that I didn’t look at.) on VirusTotal last month, so here is my quick Sunday afternoon lazy analysis.

    The binary has its -h option stripped, likely behind a #define to avoid detection, but some of its parameters are obvious, like specifying what file to leak, or the kernel base address. The authors didn’t check (or care) that the logging function hasn’t been entirely optimized out, leaving a bunch of strings helping in the reversing process.

    Reply
  30. Tomi Engdahl says:

    Linux Kernel Vulnerabilities Can Be Exploited to Bypass Spectre Mitigations
    https://www.securityweek.com/linux-kernel-vulnerabilities-can-be-exploited-bypass-spectre-mitigations

    Recent Linux kernel updates include patches for a couple of vulnerabilities that could allow an attacker to bypass mitigations designed to protect devices against Spectre attacks.

    The Spectre and Meltdown vulnerabilities were disclosed in January 2018, when researchers warned that billions of devices powered by CPUs from Intel, AMD and other vendors were affected. An attacker can exploit the flaws — in some cases remotely — to obtain potentially sensitive data, such as encryption keys and passwords.

    Patches and mitigations have been made available by both hardware and operating system vendors, but many devices are likely still vulnerable to attacks because the patches and mitigations have not been applied. It seems that it’s also still possible to launch attacks due to the fact that some mitigations can be bypassed by attackers.

    Symantec reported on Monday that Piotr Krysiuk, a member of its Threat Hunter team, has identified two new vulnerabilities in the Linux kernel that can be exploited to bypass mitigations for the Spectre vulnerabilities.

    One of the flaws, tracked as CVE-2020-27170, can be leveraged to obtain data from a device’s entire memory, while the second, identified as CVE-2020-27171, can be used to obtain contents from a 4Gb range of kernel memory. Both issues are related to the extended Berkeley Packet Filter (eBPF) technology used by the Linux kernel.

    BFP enables the execution of programs directly in the kernel, but not before these programs are analyzed to ensure they’re safe.This process should also provide protection against Spectre attacks, but the vulnerabilities discovered by the Symantec researcher can be exploited to bypass this protection, allowing a local attacker to obtain potentially sensitive data from the device’s memory.

    Reply
  31. Tomi Engdahl says:

    Newly-Discovered Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux
    Bugs could allow a malicious user to access data belonging to other users.
    https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spectre-bypass-linux-vulnerabilities

    The vulnerabilities in question are:

    CVE-2020-27170 – Can reveal contents from the entire memory of an affected computer
    CVE-2020-27171 – Can reveal contents from 4 GB range of kernel memory

    The patches for these bugs were first published on March 17, 2021, and are included with the Linux kernels released on March 20.

    Both vulnerabilities are related to the Linux kernel support for “extended Berkeley Packet Filters” (BPF). BPF allows users to execute user-provided programs directly in the Linux kernel.

    The most serious issue is CVE-2020-27170, which can be abused to reveal content from any location within the kernel memory, all of the machine’s RAM, in other words. Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and execute speculatively out-of-bounds loads with no restrictions. This could then be abused to reveal contents of the memory via side-channels.
    The second reported issue, CVE-2020-27171, can reveal content from a 4 GB range of kernel memory around some of the structures that are protected. This issue is caused by a numeric error in the Spectre mitigations when protecting pointer arithmetic against out-of-bounds speculations.

    Mitigation

    The patches for these bugs were first published on March 17, 2021 and are included in the following Linux kernel releases:

    Stable 5.11.8 (released March 20, 2021)
    Longterm 5.10.25 (released March 20, 2021)
    Longterm 5.4.107 (released March 20, 2021)
    Longterm 4.19.182 (released March 20, 2021)
    Longterm 4.14.227 (released March 24, 2021)

    Reply
  32. Tomi Engdahl says:

    https://access.redhat.com/security/cve/cve-2020-27170 (CVSS 4.7)
    https://nvd.nist.gov/vuln/detail/CVE-2020-27170
    An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.
    https://access.redhat.com/security/cve/cve-2020-27171 (CVSS 6.0)
    https://nvd.nist.gov/vuln/detail/CVE-2020-27171
    An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d

    Reply
  33. Tomi Engdahl says:

    A couple of weeks later, Google released proof-of-concept (PoC) code for browser-based Spectre attacks.

    https://www.securityweek.com/google-releases-poc-exploit-browser-based-spectre-attack

    Reply
  34. Tomi Engdahl says:

    AMD admits that Zen 3 CPUs are vulnerable to a new Spectre-style attack
    Again?
    https://www.techspot.com/news/89173-amd-admits-zen-3-cpus-vulnerable-new-spectre.html

    AMD has confirmed that a microarchitecture optimization inside Zen 3 CPUs can be exploited in a similar fashion to the Spectre vulnerabilities that plagued Intel CPUs a few generations ago. Disabling the optimization is possible, but will carry a performance penalty that AMD doesn’t believe is worth it for all but the most critical deployments of the processors.

    Update (April 5): Even though AMD was confident enough in not recommending a majority of their customers to disable Predictive Store Forwarding (PSF) for security reasons, Phoronix ran dozens of tests during the weekend using a Ryzen 7 5800X especifically benchmarking for the Zen 3 PSF vulnerability. They conclude that “the geometric mean of all those results was less than a half percent performance loss when disabling this new Zen 3 feature,” or in other words, the performance impact is negligible.

    Reply
  35. Tomi Engdahl says:

    [CVE-2020-12351] BadKarma: Heap-Based Type Confusion (BleedingTooth)

    https://github.com/google/security/advisories/GHSA-h637-c88j-47wq

    [CVE-2020-12352] Linux: Stack-Based Information Leak in A2MP (BleedingTooth)

    https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq

    Reply
  36. Tomi Engdahl says:

    https://www.mikrobitti.fi/uutiset/amdn-suorittimista-loytyi-vakava-haavoittuvuus/ab40186d-af20-45d0-b13a-f6691abb5fdb
    AMD on kertonut, että sen uuteen Zen 3 -arkkitehtuuriin perustuvissa suorittimissa on haavoittuvuus, joka muistuttaa muutama vuosi sitten Intelin suorittimia riivanneita Spectre-haavoittuvuuksia. Techspotin mukaan haavoittuvuuden aiheuttaa suorittimissa käytetty mikroarkkitehtuurin optimointitoiminto.

    Kaikkein haavoittuvimpia ovat sellaiset ohjelmat, joiden tietoturva perustuu sandbox-tekniikkaan.

    Haavoittuvan psf-toiminnon voi kytkeä pois päältä, joskin tämä turvakeino heikentää suoritintehoa hieman. AMD:n mukaan toiminnon kytkeminen pois päältä ei ole suositeltavaa, sillä yhtiön tiedossa ei ole mitään koodia, joka olisi altis psf:n kautta tehdylle hyökkäykselle.

    AMD admits that Zen 3 CPUs are vulnerable to a new Spectre-style attack
    Again?
    https://www.techspot.com/news/89173-amd-admits-zen-3-cpus-vulnerable-new-spectre.html

    AMD has confirmed that a microarchitecture optimization inside Zen 3 CPUs can be exploited in a similar fashion to the Spectre vulnerabilities that plagued Intel CPUs a few generations ago. Disabling the optimization is possible, but will carry a performance penalty that AMD doesn’t believe is worth it for all but the most critical deployments of the processors.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*