steven36 Posted May 21, 2018

Security researchers from Google and Microsoft have found two new variants of the Spectre attack that affects processors made by AMD, ARM, IBM, and Intel.

Rumors about this new flaw leaked online at the start of the month in a German magazine, but actual details were published today. AMD, ARM, Intel, Microsoft, and Red Hat have published security advisories at the time of writing, containing explanations of how the bugs work, along with mitigation advice.

Bug known as SpectreNG

The bugs —referred to in the past weeks as SpectreNG— are related to the previous Meltdown and Spectre bugs discovered last year and announced at the start of 2018. Both Google and Microsoft researchers discovered the bug independently. The bugs work similarly to the Meltdown and Spectre bugs, a reason why they were classified as "variant 3a" and "variant 4" instead of separate vulnerabilities altogether.

Quote:
Variant 1: bounds check bypass (CVE-2017-5753) aka Spectre v1
Variant 2: branch target injection (CVE-2017-5715) aka Spectre v2
Variant 3: rogue data cache load (CVE-2017-5754) aka Meltdown
Variant 3a: rogue system register read (CVE-2018-3640)
Variant 4: speculative store bypass (CVE-2018-3639)

The most important of these two is Variant 4. Both bugs occur for the same reason —speculative execution— a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data. The difference is that Variant 4 affects a different part of the speculative execution process —the data inside the "store buffer" inside a CPU's cache.

Red Hat has published a YouTube video explaining how the bug affects modern CPUs.

https://www.youtube.com/embed/Uv6lDgcUAC0

As Red Hat breaks it down in a more technical explanation, the vulnerability...

Quote:
...relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.

"An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries," Microsoft said in a similar advisory, confirming a Red Hat assessment that the flaw could be used to break out of sandboxed environments.

Quote:
So here is #spectre variant 4. The processor speculates that your write operation does not change anything and continues with the outdated (possibly non-sanitized) value from L1. https://t.co/ZcjaTSrLNW
— Daniel Gruss (@lavados) May 21, 2018

Google's Jann Horn, the man behind the Meltdown and Spectre flaws, has also published proof-of-concept code.

Intel and AMD x86 chipsets, along with POWER 8, POWER 9, System z, and ARM CPUs are known to be affected. Intel has published a detailed list of affected CPU series in a security advisory.

Variant 4 can be exploited remotely, via JavaScript code in the browser. Microsoft said it did not detect any exploitation attempts, though.

Additional patches released

Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel Corporation, said that the original Meltdown and Spectre patches from January 2018 should be enough to mitigate Variant 4 as well. Nonetheless, Intel also announced new patches.

"We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks," Culbertson said. "This mitigation will be set to off-by-default, providing customers the choice of whether to enable it."

"In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent," Culbertson added.

Red Hat and Microsoft announced new patches as well (see links to security advisories for mitigation advice).
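On Linux, the "off by default, customer's choice" arrangement described in the article above is exposed per process through the kernel's prctl speculation-control interface. The sketch below is an added example, not part of the original post or of any vendor's code: the prctl interface is not mentioned on the page, and the names `ssb_decode`, `ssb_harden_self` and `enum ssb_state` are hypothetical.

```c
#include <stdio.h>
#include <sys/prctl.h>

/* Fallbacks for older headers; values are those in Linux's <linux/prctl.h>. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_STORE_BYPASS  0
#define PR_SPEC_PRCTL         (1UL << 0)  /* per-task control is available */
#define PR_SPEC_ENABLE        (1UL << 1)  /* speculation on, mitigation OFF */
#define PR_SPEC_DISABLE       (1UL << 2)  /* speculation off, mitigation ON */
#define PR_SPEC_FORCE_DISABLE (1UL << 3)  /* as DISABLE, cannot be undone */
#endif

enum ssb_state { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_EXPOSED,
                 SSB_EXPOSED_OPT_IN, SSB_MITIGATED };

/* Decode a PR_GET_SPECULATION_CTRL result for Speculative Store Bypass.
 * Note the inverted sense: ENABLE refers to the CPU feature, not the fix. */
enum ssb_state ssb_decode(long r)
{
    if (r < 0)  return SSB_UNKNOWN;       /* kernel lacks the interface */
    if (r == 0) return SSB_NOT_AFFECTED;  /* PR_SPEC_NOT_AFFECTED */
    if (r & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE))
        return SSB_MITIGATED;
    if (r & PR_SPEC_ENABLE)
        return (r & PR_SPEC_PRCTL) ? SSB_EXPOSED_OPT_IN : SSB_EXPOSED;
    return SSB_UNKNOWN;
}

/* Query this task; if it is exposed and per-task control exists, opt in. */
enum ssb_state ssb_harden_self(void)
{
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    if (ssb_decode(r) == SSB_EXPOSED_OPT_IN &&
        prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
              PR_SPEC_DISABLE, 0, 0) == 0)
        r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return ssb_decode(r);
}

int main(void)
{
    static const char *names[] = { "unknown", "not affected",
        "exposed (no per-task control)", "exposed (opt-in available)",
        "mitigated" };
    printf("SSB state for this task: %s\n", names[ssb_harden_self()]);
    return 0;
}
```

A process that handles untrusted code, such as a sandbox or language runtime, would make this call early in startup, accepting the performance cost the article mentions for that process only.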

KRS Posted May 22, 2018

The premature disclosure of Spectre and Meltdown security flaws led to chaos for vendors and customers early last year. Manufacturers like Apple, Microsoft, and Ubuntu were forced to release rushed mitigations to combat the problem, which also resulted in some botched updates and performance hits for most machines. Now, several companies including Microsoft, Google, AMD, ARM, Intel, and Red Hat have jointly disclosed details about Spectre Variant 4, mitigations for which could result in yet another performance hit.

The US-CERT has detailed information about two new variants of Spectre, namely 3A and 4. The former was originally documented by ARM back in January, and is dubbed "Rogue System Register Read". It allows attackers with local access to a machine to utilize side-channel analysis and read sensitive information and other system parameters.

Meanwhile, Variant 4 has been labeled "Speculative Store Bypass", and it allows those with malicious intent to read older system values in a CPU stack or other memory locations. Although it is relatively difficult to implement, if an attack is successful, the attacker will be able to arbitrarily read privileged data and speculatively execute older system commands. This variant was jointly disclosed by Google's Project Zero and Microsoft's Security Response Center.

Intel says that it has released bundled microcode updates for Variants 3A and 4 in beta form to OEMs, and customers should expect a performance hit of 2-8%. The update is expected to roll out over the next few weeks. Similarly, AMD notes that:

"Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process. Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules.

Based on the difficulty to exploit the vulnerability, AMD and our ecosystem partners currently recommend using the default setting that maintains support for memory disambiguation.

We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date."

On the other hand, Microsoft says that it has not determined a vulnerable code pattern in its products yet, however, it will be further researching this particular area, and will release updates if required.

It's certainly troubling to see Spectre and Meltdown having such latent effects, workarounds for which could result in performance hits. However, companies now working together in a more coordinated way to jointly disclose vulnerabilities and release mitigations will be encouraging to customers as well, particularly after the bungled disclosure in January.

Rusty Posted May 22, 2018

I wonder what else is lurking just around the corner that we haven't heard about yet?

Ryrynz Posted May 23, 2018

Probably things nobody knows about yet?

BioHazard Posted May 23, 2018

hopefully I'm safe for now

Pete 12 Posted May 23, 2018

You are using an old release ..........release #8 is latest ! Better use latest for this security-stuff...............

humble3d Posted May 23, 2018

Side-Channel Vulnerability Variants 3a and 4

Alert (TA18-141A)

CERT LINKS VIA THE LINK AT BOTTOM...

Original release date: May 21, 2018 | Last revised: May 22, 2018

Systems Affected

CPU hardware implementations

Overview

On May 21, 2018, new variants of the side-channel central processing unit (CPU) hardware vulnerabilities known as Spectre and Meltdown were publicly disclosed. These variants—known as 3A and 4—can allow an attacker to obtain access to sensitive information on affected systems.

Description

Common CPU hardware implementations are vulnerable to the side-channel attacks known as Spectre and Meltdown. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.

Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.

Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to
  Read arbitrary privileged data; and
  Run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.

Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:
  Variant 1: Bounds Check Bypass – CVE-2017-5753
  Variant 2: Branch Target Injection – CVE-2017-5715
  Variant 3: Rogue Data Cache Load – CVE-2017-5754
  Variant 3a: Rogue System Register Read – CVE-2018-3640
  Variant 4: Speculative Store Bypass – CVE-2018-3639

Impact

Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems.

Solution

Mitigation

NCCIC recommends users and administrators
  Refer to their hardware and software vendors for patches or microcode,
  Use a test environment to verify each patch before implementing, and
  Ensure that performance is monitored for critical applications and services.
    Consult with vendors and service providers to mitigate any degradation effects, if possible.
    Consult with Cloud Service Providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting, if applicable.

The following table contains links to advisories and patches published in response to the vulnerabilities. This table will be updated as information becomes available.

Link to Vendor Information    Date Added
AMD                           May 21, 2018
ARM                           May 21, 2018
Intel                         May 22, 2018
Microsoft                     May 21, 2018
Redhat                        May 21, 2018

References

  Google Project Zero Blog
  Bounds Check Bypass – CVE-2017-5753
  Branch Target Injection – CVE-2017-5715
  Rogue Data Cache Load – CVE-2017-5754
  Rogue System Register Read – CVE-2018-3640
  Speculative Store Bypass – CVE-2018-3639
  TA18-004A – Meltdown and Spectre Side-Channel Vulnerability Guidance

Revisions

  May 21, 2018: Initial version
  May 22, 2018: Added information and link to Intel in table

https://www.us-cert.gov/ncas/alerts/TA18-141A

DKT27 (Administrator) Posted May 23, 2018

Another vulnerability found, another fix that cuts the performance. By now, the CPU makers should say their performance will be cut in half of which it used to be. Thankfully, last time I checked, most games do not have any performance impact on it.

Jordan Posted May 23, 2018

Topics merged

zoran Posted May 25, 2018

If you thought that you are done patching your devices against Meltdown or Spectre exploits, you might want to reconsider. Patches for some hardware configurations and operating systems were released by Microsoft, Intel and hardware manufacturers ever since the vulnerabilities were revealed in early 2018.

Hot on the heels of the news of newly discovered Spectre Next Generation vulnerabilities comes news of a new threat that Microsoft and Google disclosed recently.

AMD published a whitepaper which you may access here.

Intel published information on the company's Newsroom website about Spectre Variant 4. The new vulnerability affects processors by Intel, AMD and ARM and uses speculative execution just like other Spectre variants disclosed earlier this year.

The web browser is the most likely attack vector for Variant 4 as the researchers demonstrated the vulnerability in a language-based runtime environment.

"Like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment. While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers."

Intel is not aware of exploits in the wild and believes that mitigations deployed by browser developers to protect or mitigate against previous Spectre variants help mitigate Spectre Variant 4 attacks as well.

Still, Intel and the company's software partners, offer "additional mitigation for Variant 4". In other words, microcode and software updates. OEM manufacturers received beta versions of the microcode update already and Intel announced that it plans to release the final versions in the coming weeks.

The company plans to release the update in an off-state by default giving customers the option to enable it, or not. The updates won't affect performance of systems they are installed on in off-state. System performance may drop by 2% to 8% in benchmarks if the mitigation is enabled according to Intel.

The same update includes microcode that protects against Spectre Variant 3a. Intel made the decision to bundle the two updates to "streamline the process for our industry partners and customers".

Additional information about affected products is available on the Q2 2018 Speculative Execution Side Channel Update page on Intel's Security Center website. The page lists all affected Intel processors, recommendations, and other information.

source: ghacks

DKT27 (Administrator) Posted May 26, 2018

@zoran: Topics merged.

This topic is now archived and is closed to further replies.