Spectre And Meltdown Still Haunting Intel/AMD

The ongoing saga of the Spectre and Meltdown vulnerabilities has just taken a new turn. Discovered by Google Project Zero (GPZ) with the help of others, the attacks affected everything from desktops, laptops and mobile devices to infrastructure-as-a-service. These flaws are present in nearly all modern microprocessors and could allow an attacker to access privileged memory by abusing a feature called speculative execution. We’ve been following the ongoing developments of these vulnerabilities since their first disclosure back in January 2018. The vulnerability class has continued to evolve: new variants of Spectre have surfaced that use the same speculative-execution side-channel technique, tracked as CVE-2018-3639 and the less dangerous CVE-2018-3640.

The new derivatives are called Variant 3a (Rogue System Register Read (RSRE)) and Variant 4 (Speculative Store Bypass) and were discovered and jointly disclosed by GPZ and Microsoft’s Security Response Center (MSRC).

Impact assessment

According to CERT, Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems. Many companies, including Intel, Red Hat and Microsoft, have issued updates to patch the vulnerability. But the fixes haven’t always worked as intended, and some systems have experienced problems after applying them.

Moving quickly, Intel has already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and it expects the update to reach production BIOS and software updates over the coming weeks. This mitigation will be set to off by default, giving customers the choice of whether to enable it. With the configuration set to off, Intel has observed no performance impact. With it enabled, Intel observed a performance impact of approximately two to eight percent based on overall benchmark scores.

Vulnerability details

Intel is classifying Variant 3a as a medium-risk vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.

Intel is classifying Variant 4 as a medium-risk vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. Many of the exploit techniques it relies on in web browsers were already addressed by the original set of patches.


Intel has stated they haven’t received any reports of this method being used in real-world exploits. However, mitigations techniques that were deployed for Variant 1 back in January can also be applied to Variant 4, which are already available. Additionally, Intel and its partners are providing a combination of microcode and software updates for mitigating Variant 4.

According to a Microsoft Security release, an attacker could read privileged data across trust boundaries with a successful exploit: “Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.” That said, Microsoft has also stated: “At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.”

Red Hat’s VP of the operating system platform, Denise Dumas, issued a statement saying: “These vulnerabilities could allow a malicious actor to steal sensitive information from almost any computer, mobile device, or cloud deployment. Importantly, several technology industry leaders, including Red Hat, have worked together to create patches that correct this issue, underscoring the value of industry collaboration. It is key that everyone — from consumers to enterprise IT organizations — apply the security updates they receive. Because these security updates may affect system performance, Red Hat has included the ability to disable them selectively in order to better understand the impact on sensitive workloads.”

Urgently required actions

Refer to hardware and software vendors for patches or microcode.

As patches are released, Tenable Research will develop plugins and checks to assist our clients.

Identifying affected systems

  • Refer to hardware and software vendors’ releases.
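As an added example (not from the Tenable post or any vendor tool), a quick check a Linux administrator can run to see which of these variants the running kernel still reports as unmitigated, including whether a Variant 4 (Speculative Store Bypass) mitigation is reported at all, which depends on the SSBD microcode update described above. It assumes a Linux host (the spec_store_bypass entry exists from kernel 4.17) and falls back to a constructed sample elsewhere.

```python
from pathlib import Path
# Linux reports each CPU vulnerability's mitigation state in this sysfs directory (the
# spec_store_bypass entry exists from kernel 4.17); read_sysfs() returns {} elsewhere.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Variant names as used in the post, mapped to the kernel's sysfs file names.
VARIANTS = {
    "Variant 1 (Bounds Check Bypass)": "spectre_v1",
    "Variant 2 (Branch Target Injection)": "spectre_v2",
    "Variant 3 (Meltdown)": "meltdown",
    "Variant 4 (Speculative Store Bypass)": "spec_store_bypass",
}

def classify(status_line):
    """Reduce one sysfs status line to (state, detail); detail names the mitigation."""
    text = status_line.strip()
    if text == "Not affected":
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text.split(":", 1)[1].strip())
    if text.startswith("Vulnerable"):
        # The kernel may append a qualifier, e.g. "Vulnerable: No microcode".
        return ("vulnerable", text.split(":", 1)[1].strip() if ":" in text else "")
    return ("unknown", text)

def assess(entries):
    """Return [(variant, state, detail)] for every variant still needing action."""
    needs_action = []
    for label, name in VARIANTS.items():
        state, detail = classify(entries.get(name, ""))  # missing file -> unknown
        if state in ("vulnerable", "unknown"):
            needs_action.append((label, state, detail))
    return needs_action

def read_sysfs(path=SYSFS_DIR):
    """Live status from the running kernel; {} on hosts without the directory."""
    files = path.iterdir() if path.is_dir() else []
    return {f.name: f.read_text() for f in files}

# Constructed sample: Variants 1-3 mitigated, no Variant 4 mitigation reported yet
# (for example, the SSBD microcode update has not been installed).
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB, IBRS_FW",
    "meltdown": "Mitigation: PTI",
    "spec_store_bypass": "Vulnerable",
}

if __name__ == "__main__":
    for label, state, detail in assess(read_sysfs() or SAMPLE):
        print(f"{label}: {state} {detail}".rstrip())
```

Variant 3a (RSRE) has no sysfs entry; it is addressed by microcode alone, so confirm it through the vendor's BIOS or microcode release notes.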

Get more information

*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Steve Tilson. Read the original post at: