Published on August 7th, 2019
Intel, AMD chips running Windows potentially vulnerable to scary Spectre variant • DigitalMunition
Spectre – a family of data-leaking side-channel vulnerabilities arising from speculative execution that was disclosed last year and affects various vendors’ chips – has a new sibling that bypasses previous mitigations.
Designated CVE-2019-1125 and rated moderate in terms of severity, the issue – limited to AMD and Intel x86-64 systems running Windows – could allow a local attacker to work around protections like kernel address space isolation to read sensitive kernel memory.
That means, as usual, malware or a rogue logged-in user on a vulnerable system could potentially swipe secrets such as passwords and encryption keys out of RAM. Note that Spectre vulnerabilities are not, to the best of our knowledge, being exploited in the wild by software nasties, so this latest discovery is primarily another fascinating look into the world of processor design and its blunders.
According to security biz BitDefender, whose researchers found the flaw, a hardware fix isn’t viable and the issue has to be addressed at the operating system level. The outfit has dubbed the flaw “SWAPGS Attack,” and illustrated its inner workings here.
As Red Hat explains in its write-up, SWAPGS refers to a system instruction that, as its name suggests, “swap[s] the current user space value of ‘GS’ (a memory segment register) with the value intended to be used during kernel operations.” It’s available only in 64-bit mode on x86 chips.
SWAPGS doesn’t validate its value, and therein lies the problem: the kernel’s entry code decides whether to run the instruction using conditional branches that the processor can speculate past. “As a result,” Red Hat says, “it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations.”
Such mis-speculation may then be revealed through side-channel timing analysis, resulting in the disclosure of kernel memory.
The vulnerability affects Windows and associated VM guests and hosts. Linux is theoretically vulnerable in that it contains a gadget (code-construct) that could be used in a potential attack. However, BitDefender notes that the gadget lies within the Non-Maskable Interrupt (NMI) handler and would therefore be difficult, if not impossible, to attack. Apple hardware isn’t believed to be affected.
Microsoft patched the hole in its Windows operating system on July 9, and on Tuesday this week published an advisory to that effect. Its software revision limits how the CPU speculatively accesses memory.
“To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application,” Microsoft said in its advisory. “The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.”
Red Hat – though it insists it isn’t aware of any way to exploit this vulnerability on Linux kernel-based systems – has patched its Enterprise Linux versions 5-8, Atomic Host, Enterprise MRG 2, OpenShift Online v3, Red Hat Virtualization, Red Hat OpenStack Platform and Red Hat OpenShift Container Platform 4. The company insists its fix has only “a minimal performance impact” that doesn’t show up in current benchmarks.
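A defender checking a Linux fleet for the fix wants the kernel’s own self-report rather than a package version. The following is an added example, not code from the article, Red Hat or the kernel project; it assumes the status strings mainline Linux prints in /sys/devices/system/cpu/vulnerabilities/spectre_v1 after the SWAPGS fix (other kernels may word them differently), and the sample lines are constructed.

```python
"""Classify the Linux kernel's self-reported SWAPGS (CVE-2019-1125)
mitigation state from the spectre_v1 sysfs file.

Added example, not from the article. Assumes the status wording used by
mainline Linux once the swapgs barriers were added; distribution kernels
may differ, in which case the result is 'unknown'.
"""
import os

SPECTRE_V1_SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v1"

# Constructed sample lines covering the states a fleet check will meet.
SAMPLES = {
    "patched":  "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "disabled": "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
    "old":      "Mitigation: __user pointer sanitization",
    "immune":   "Not affected",
}


def classify_swapgs(status: str) -> str:
    """Map a spectre_v1 status line to one of 'mitigated', 'vulnerable',
    'unpatched-kernel', 'not-affected' or 'unknown'.

    Order matters: the 'Vulnerable' line also contains the word 'swapgs',
    so a naive substring grep would wrongly report it as mitigated.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Vulnerable"):
        # Fix present but switched off (e.g. nospectre_v1 on the command line).
        return "vulnerable"
    if s.startswith("Mitigation:"):
        if "swapgs" in s:
            return "mitigated"
        # Pre-fix kernels list only the older Spectre v1 mitigations and say
        # nothing about swapgs: treat as still needing the kernel update.
        return "unpatched-kernel"
    return "unknown"


def host_swapgs_state(path: str = SPECTRE_V1_SYSFS) -> str:
    """Read the live sysfs file; a missing file means a kernel too old to
    report Spectre status, or a host that is not x86 Linux."""
    if not os.path.exists(path):
        return "unknown"
    with open(path) as fh:
        return classify_swapgs(fh.read())


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:8s} -> {classify_swapgs(line)}")
    print("this host -> " + host_swapgs_state())
```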
Neither AMD nor Intel plan to issue microcode updates because they believe the vulnerability can be adequately addressed in software.
Intel, in a statement provided to DigitalMunition, said Microsoft’s patch resolved the problem, which applies to x86-64 chips since Ivy Bridge (2012). “Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft,” the chipmaker said. “It takes the ecosystem working together to collectively keep products and data more secure and this issue is being coordinated by Microsoft.”
AMD is even less concerned.
“Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS,” AMD said in a statement on its website. “For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.”
BitDefender’s white paper describes two attack scenarios: when SWAPGS should be executed but is speculatively skipped, and when SWAPGS is speculatively executed but shouldn’t be.
Each of these has two variants: one where the attacker tests whether a known value is located at a specific kernel address, and one where the attacker infers the value at a chosen kernel address. Only the second variant of the second attack scenario pertains to AMD.