https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
A fundamental design flaw in Intel’s processor chips, in how the x86-64 hardware handles virtual memory, allows normal user programs (even JavaScript running in a web browser) to discern, to some extent, the layout or contents of protected kernel memory.
It is understood the bug is present in modern Intel processors produced in the past decade. It appears a microcode update can’t address it, so it has to be fixed in software at the OS level. This has forced a significant redesign of the Linux and Windows kernels to defang the chip-level bug: the kernel is unmapped from each process’s page tables (kernel page-table isolation, KPTI, in Linux), and the extra page-table switching on every system call and interrupt is expected to slow your computer down by 5 to 30 per cent, depending on workload, after the next update!
Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday. Patches for the Linux kernel are available. Apple’s 64-bit macOS will also need to be updated.
This is bad news for Intel. Last year it was the remotely exploitable AMT (Active Management Technology) vulnerability, and now this new blow to Intel security. I don’t think computer buyers will like their computers getting slower!
Details of the vulnerability within Intel’s silicon are under wraps and are expected to be released later this month, so follow the comments for updates.
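The way such a bug gets a byte out of the CPU is a cache covert channel, and that part is not secret: the transmitter touches one of 256 page-sized probe lines selected by the byte, the receiver times a reload of every line and reports the one that is still cached. The following is my own added example of that Flush+Reload primitive, not code from the article or from any published exploit; the secret is a constructed value inside the same process, the 4096-byte stride, 32 voting rounds and the "fastest line must be under half the median" decision rule are my choices, and on a non-x86 build (no unprivileged cache flush) the channel simply reports nothing.

```c
/* Added example (not the article's code): the Flush+Reload cache covert
 * channel Meltdown and Spectre use to carry a speculatively loaded byte
 * out of the CPU.  The transmitter touches one of 256 page-sized probe
 * lines chosen by the secret; the receiver times a reload of every line
 * and reports the one still cached.  The secret is a constructed value
 * in this same process; a real attack gets it from a transient load. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0          /* no unprivileged clflush: demo degrades to -1 */
#endif

#define LINES  256
#define STRIDE 4096         /* one page per line keeps the prefetcher out */
#define ROUNDS 32

static uint8_t probe[LINES * STRIDE] __attribute__((aligned(4096)));

static uint64_t now(void) {
#if HAVE_X86
    unsigned aux;
    _mm_mfence(); _mm_lfence();          /* fence so the load cannot start early */
    uint64_t t = __rdtscp(&aux);
    _mm_lfence();
    return t;
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

static void flush_line(const void *p) {
#if HAVE_X86
    _mm_clflush(p);
#else
    (void)p;
#endif
}

/* Transmitter: the only trace of 'secret' is which probe line is cached. */
static void transmit(uint8_t secret) {
    volatile uint8_t sink = probe[(size_t)secret * STRIDE];
    (void)sink;
}

/* Receiver: reload latency of every line, visited in a scrambled order. */
static void measure(uint64_t times[LINES]) {
    for (int i = 0; i < LINES; i++) {
        int idx = (i * 167 + 13) & 0xff;           /* 167 is odd: a permutation */
        volatile uint8_t *p = &probe[(size_t)idx * STRIDE];
        uint64_t t0 = now();
        (void)*p;
        times[idx] = now() - t0;
    }
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Decode: the fastest line, if it is well under the median (uncached) time. */
int hot_line(const uint64_t times[LINES]) {
    uint64_t sorted[LINES];
    memcpy(sorted, times, sizeof sorted);
    qsort(sorted, LINES, sizeof sorted[0], cmp_u64);
    int best = 0;
    for (int i = 1; i < LINES; i++)
        if (times[i] < times[best]) best = i;
    return times[best] * 2 < sorted[LINES / 2] ? best : -1;
}

/* Same decoder on a constructed timing vector: 'hot' is fast, the rest slow. */
int decode_synthetic(int hot, uint64_t fast, uint64_t slow) {
    uint64_t times[LINES];
    for (int i = 0; i < LINES; i++) times[i] = (i == hot) ? fast : slow;
    return hot_line(times);
}

/* One transmission with a majority vote over ROUNDS; -1 if nothing stood out. */
int leak_byte(uint8_t secret) {
    int votes[LINES] = {0};
    memset(probe, 1, sizeof probe);               /* fault all pages in first */
    for (int r = 0; r < ROUNDS; r++) {
        uint64_t times[LINES];
        for (int i = 0; i < LINES; i++) flush_line(&probe[(size_t)i * STRIDE]);
        transmit(secret);
        measure(times);
        int h = hot_line(times);
        if (h >= 0) votes[h]++;
    }
    int best = -1;
    for (int i = 0; i < LINES; i++)
        if (votes[i] && (best < 0 || votes[i] > votes[best])) best = i;
    return best;
}

int main(void) {
    uint8_t secret = 0x2a;                        /* constructed demo secret */
    int got = leak_byte(secret);
    if (got < 0) puts("no probe line stood out (cache flush unavailable?)");
    else printf("sent 0x%02x, receiver recovered 0x%02x\n", secret, got);
    return 0;
}
```

In a real Meltdown or Spectre exploit the call to transmit() is replaced by a load whose address depends on data the program is not allowed to read; the CPU performs that load and the dependent probe access speculatively, squashes the results when the fault or misprediction is resolved, but leaves the probe line in the cache. The KPTI-style fix removes the kernel mapping so that the forbidden load has nothing to read; the covert channel itself remains available, which is why the browser vendors reduced timer precision as well.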
565 Comments
Tomi Engdahl says:
Zombieload v2 is the codename of a vulnerability that allows malware or a malicious threat actor to extract information processed inside a CPU, information which they normally shouldn’t be able to access due to the security walls present inside modern-day CPUs.
Windows & Linux get options to disable Intel TSX to prevent Zombieload v2 attacks
https://www.zdnet.com/article/windows-linux-get-options-to-disable-intel-tsx-to-prevent-zombieload-v2-attacks/
Disclosure of new Zombieload v2 vulnerability prompts OS makers to react with ways to disable Intel’s TSX technology.
Both Microsoft and the Linux kernel teams have added ways to disable support for Intel Transactional Synchronization Extensions (TSX).
TSX is the Intel technology that opens the company’s CPUs to attacks via the Zombieload v2 vulnerability.
https://www.zdnet.com/article/intels-cascade-lake-cpus-impacted-by-new-zombieload-v2-attack/
Tomi Engdahl says:
https://techcrunch.com/2019/11/12/intel-cascade-lake-zombieload/
Tomi Engdahl says:
https://gizmodo.com/intel-reportedly-warned-of-critical-chip-security-flaws-1839807262
Tomi Engdahl says:
https://www.zdnet.com/article/top-linux-developer-on-intel-chip-security-problems-theyre-not-going-away/
Tomi Engdahl says:
Intel Patches Plundervolt, High Severity Issues in Platform Update
https://www.bleepingcomputer.com/news/security/intel-patches-plundervolt-high-severity-issues-in-platform-update/
Intel addressed 14 security vulnerabilities during the December 2019 Patch Tuesday, with seven of them being high and medium severity security flaws impacting multiple platforms including Windows and Linux. The security issues patched today were detailed in the 9 security advisories published by Intel on its Product Security Center, with the company having delivered them to customers through the Intel Platform Update (IPU) process. The vulnerabilities disclosed today could allow authenticated or privileged users to potentially enable information disclosure, trigger denial of service states, escalate privileges, or execute malicious code at an elevated level of privilege via local access. Each advisory comes with a detailed list of all affected products as well as recommendations for vulnerable products, and also includes contact details for users and researchers who would want to report other vulnerabilities found in Intel branded tech or products.
Hackers Can Mess With Voltages to Steal Intel Chips’ Secrets
https://www.wired.com/story/plundervolt-intel-chips-sgx-hack/
A new attack called Plundervolt gives attackers access to the sensitive data stored in a processor’s secure enclave. When thieves want to steal treasures surrounded by sensors and alarms, they sometimes resort to cutting the power, disrupting the flow of electricity to those expensive security systems. It turns out that hackers can pull off a similar trick: breaking the security mechanisms of Intel chips by messing with their power supply, and exposing their most sensitive secrets.
But by momentarily undervolting a processor by 25 or 30 percent, and precisely timing that voltage change, an attacker can cause the chip to make errors in the midst of computations that use secret data. And those errors can reveal information as sensitive as a cryptographic key or biometric data stored in the SGX enclave. “Writing to memory takes power,” says Flavio Garcia, a computer scientist at the University of Birmingham who, along with his colleagues, will present the Plundervolt research at IEEE Security and Privacy next year. “So for an instant, you reduce the CPU voltage to induce a computation fault.” Read also:
https://www.theregister.co.uk/2019/12/10/intel_sgx_youve_been_plunderstruck/
Tomi Engdahl says:
Intel Is Patching Its ‘Zombieload’ CPU Security Flaw For the Third Time
https://it.slashdot.org/story/20/01/27/2126231/intel-is-patching-its-zombieload-cpu-security-flaw-for-the-third-time?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
For the third time in less than a year, Intel has disclosed a new set of vulnerabilities related to the speculative functionality of its processors. On Monday, the company said it will issue a software update “in the coming weeks” that will fix two more microarchitectural data sampling (MDS) or Zombieload flaws. This latest update comes after the company released two separate patches in May and November of last year.
IPAS: INTEL-SA-00329
https://blogs.intel.com/technology/2020/01/ipas-intel-sa-00329/#gs.upo7m1
Intel is patching its Zombieload CPU security flaw for the third time
Security researchers say the company needs to change its approach.
https://www.engadget.com/2020/01/27/intel-third-mds-patch/
Tomi Engdahl says:
CacheOut
Leaking Data on Intel CPUs via Cache Evictions
https://cacheoutattack.com/
CacheOut is a new speculative execution attack that is capable of leaking data from Intel CPUs across many security boundaries. Despite Intel’s attempts to address previous generations of speculative execution attacks, CPUs are still vulnerable, allowing attackers to exploit these vulnerabilities to leak sensitive data.
Moreover, unlike previous MDS issues, an attacker can exploit the CPU’s caching mechanisms to select what data to leak, as opposed to waiting for the data to be available. CacheOut can violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves.
Intel acknowledged the issue and has assigned CVE-2020-0549, referring to the issue as L1 Data Eviction Sampling (L1DES) with a CVSS score of 6.5 (medium).
Tomi Engdahl says:
More dangerous vulnerabilities in Intel CPUs
https://www.pandasecurity.com/mediacenter/news/more-dangerous-vulnerabilities-intel-cpus/
Intel has released information about two potentially dangerous flaws in the processor architecture of its CPUs. The chip manufacturer had already provided security updates for similar gaps in May and November 2019. Although the new vulnerabilities seem to be less critical than the previous ones, side-channel attacks are still possible.
The current vulnerability allows the exploit to selectively choose which data it wants to access. The attack—referred to by Intel as L1D Eviction Sampling (L1DES)—causes an exception: data loaded during a running process of a speculative execution is discarded due to a triggered error. The attackers have now modified their approach and can load the data to be read out into unused filling buffers.
Until now, reducing the vulnerability has been associated with a severe performance degradation because, according to VUSec (Systems and Network Security Group at the Vrije University of Amsterdam), the processor’s L1D cache has to be completely emptied again at each context switch. This is mainly relevant for cloud operators, because attackers can read data beyond a virtual machine. With the help of the new microcode update, the flaws in the architecture can be corrected in the coming weeks.
Affected CPUs
It is mainly CPUs manufactured after 2015 that are affected: the weakness has existed in Intel processors since the Skylake generation (Core i-6000), as well as in the current desktop generation Coffee Lake Refresh (Core i-9000) and all Xeon SP CPUs (Skylake SP, Cascade Lake SP). Only Ice Lake is not affected.
Sources: https://www.heise.de/security/meldung/Sicherheitsluecken-in-Intel-CPUs-Modifizierte-Angriffe-erfordern-BIOS-Updates-4647081.html
Tomi Engdahl says:
Color me surprised. Intel CPUs and chipsets have a concerning flaw that’s unfixable. Intel x86 Root of Trust: loss of trust https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html FYI, this is a new bug apart from existing CPU bugs.
Tomi Engdahl says:
Intel CPUs vulnerable to new LVI attacks
https://www.zdnet.com/article/intel-cpus-vulnerable-to-new-lvi-attacks/
Researchers say Intel processors will need another round of silicon chip re-designs to protect against new attack.
Named Load Value Injection, or LVI for short, this is a new class of theoretical attacks against Intel CPUs.
While the attack has been deemed only a theoretical threat, Intel has released firmware patches to mitigate attacks against current CPUs, and fixes will be deployed at the hardware (silicon design) level in future generations.
Besides Meltdown and Spectre, other transient attacks were eventually discovered during the past two years, including the likes of Foreshadow, Zombieload, RIDL, Fallout, and LazyFP.
LVI’s position in all these attacks is, technically, that of a reverse Meltdown. While the original Meltdown bug allowed attackers to read an app’s data from inside a CPU’s memory while in a transient state, LVI allows the attacker to inject code inside the CPU and have it executed as a transient “temporary” operation, giving attackers more control over what happens.
Meltdown also needs a hardware fix
But the biggest finding related to this research paper is about how the Meltdown & LVI will need to be addressed.
When Meltdown was first disclosed in January 2018, Intel said that a firmware patch was all that was needed, while a change of the CPU’s silicon design was only needed for the class of Spectre attacks.
Now, researchers say this is not true anymore. Both the academic research team and the Bitdefender team say that the class of Meltdown and LVI attacks also now needs a hardware fix.
LVI bypasses some Meltdown fixes
“We exploit the same hardware operations as Meltdown,” Daniel Gruss, an assistant professor at the Graz University of Technology, and a member of the academic research team told ZDNet.
“Therefore, if Meltdown works, LVI works as well.”
Tomi Engdahl says:
Intel SGX is vulnerable to an unfixable flaw that can steal crypto keys and more | Ars Technica
https://arstechnica.com/information-technology/2020/03/hackers-can-steal-secret-data-stored-in-intels-sgx-secure-enclave/
For the past 26 months, Intel and other CPU makers have been assailed by Spectre, Meltdown, and a steady flow of follow-on vulnerabilities that make it possible for attackers to pluck passwords, encryption keys, and other sensitive data out of computer memory. On Tuesday, researchers disclosed a new flaw that steals information from Intel’s SGX, short for Software Guard eXtensions, which acts as a digital vault for securing users’ most sensitive secrets.
On the surface, Load Value Injection, as researchers have named their proof-of-concept attacks, works in ways similar to the previous vulnerabilities and accomplishes the same thing. All of these so-called transient-execution flaws stem from speculative execution, an optimization in which CPUs attempt to guess future instructions before they’re called. Meltdown and Spectre were the first transient execution exploits to become public. Attacks named ZombieLoad, RIDL, Fallout, and Foreshadow soon followed. Foreshadow also worked against Intel’s SGX.
Tomi Engdahl says:
https://arstechnica.com/information-technology/2020/03/hackers-can-steal-secret-data-stored-in-intels-sgx-secure-enclave/
Tomi Engdahl says:
https://thehackernews.com/2020/03/amd-processors-vulnerability.html
Tomi Engdahl says:
Dan Goodin / Ars Technica:
New Intel chip flaws disclosed: one can leak secure enclave data and the second allows cross core info leakage; both have patches that partially fix the issues
Plundering of crypto keys from ultrasecure SGX sends Intel scrambling again
Intel’s speculative execution flaws go deeper and are harder to fix than we thought.
https://arstechnica.com/information-technology/2020/06/new-exploits-plunder-crypto-keys-and-more-from-intels-ultrasecure-sgx/
For the past two years, modern CPUs—particularly those made by Intel—have been under siege by an unending series of attacks that make it possible for highly skilled attackers to pluck passwords, encryption keys, and other secrets out of silicon-resident memory. On Tuesday, two separate academic teams disclosed two new and distinctive exploits that pierce Intel’s Software Guard eXtension, by far the most sensitive region of the company’s processors.
Tomi Engdahl says:
Intel CPUs Vulnerable to New ‘SGAxe’ and ‘CrossTalk’ Side-Channel Attacks
https://thehackernews.com/2020/06/intel-sgaxe-crosstalk-attacks.html
Cybersecurity researchers have discovered two distinct attacks that could be exploited against modern Intel processors to leak sensitive information from the CPU’s trusted execution environments (TEE). Called SGAxe, the first of the flaws is an evolution of the previously uncovered CacheOut attack (CVE-2020-0549) earlier this year that allows an attacker to retrieve the contents from the CPU’s L1 cache. See also https://cacheoutattack.com/
Tomi Engdahl says:
https://www.io-tech.fi/uutinen/intelin-prosessoreista-loytyi-kaksi-uutta-haavoittuvuutta-armin-prosessoreista-yksi/
Tomi Engdahl says:
https://arstechnica.com/information-technology/2020/06/new-exploits-plunder-crypto-keys-and-more-from-intels-ultrasecure-sgx/
https://www.zdnet.com/article/arm-cpus-impacted-by-rare-side-channel-attack/
Tomi Engdahl says:
https://techxplore.com/news/2020-06-intel-chips-flaws.html
Tomi Engdahl says:
https://hackaday.com/2020/06/16/disable-intels-backdoor-on-modern-hardware/
Tomi Engdahl says:
Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks
https://thehackernews.com/2020/08/foreshadow-processor-vulnerability.html
The new research explains microarchitectural attacks were actually caused by speculative dereferencing of user-space registers in the kernel, which not just impacts the most recent Intel CPUs with the latest hardware mitigations, but also several modern processors from ARM, IBM, and AMD previously believed to be unaffected.
Tomi Engdahl says:
BLINDSIDE – A Speculative Execution Attack
https://www.vusec.net/projects/blindside/
BlindSide allows attackers to hack blind in the Spectre era. That is, given a simple buffer overflow in the kernel and no additional info leak vulnerability, BlindSide can mount BROP-style attacks in the speculative execution domain to repeatedly probe and derandomize the kernel address space, craft arbitrary memory read gadgets, and enable reliable exploitation. PoC video: https://www.youtube.com/watch?v=m-FUIZiRN5o. Whitepaper: https://download.vusec.net/papers/blindside_ccs20.pdf
Tomi Engdahl says:
New BlindSide attack uses speculative execution to bypass ASLR
https://www.zdnet.com/article/new-blindside-attack-uses-speculative-execution-to-bypass-aslr/
New BlindSide technique abuses the CPU’s internal performance-boosting feature to bypass OS security protection.
Tomi Engdahl says:
Complexity has broken computer security, says academic who helped spot Meltdown and Spectre flaws
Graz University of Tech’s Daniel Gruss thinks natural sciences can save us
https://www.theregister.com/2020/10/02/daniel_gruss_complexity_broke_security/
Complexity has broken cybersecurity, but a reappraisal of computer science can keep us safe.
So says Daniel Gruss, assistant professor in the Secure Systems group at Austria’s Graz University of Technology. Gruss and his colleagues discovered some of the biggest recent security snafus, including the Meltdown and Spectre microprocessor design flaws, a working Rowhammer exploit, attacks on Intel SGX including Plundervolt, and many more besides.
Tomi Engdahl says:
In a first, researchers extract secret key used to encrypt Intel CPU code
Hackers can now reverse engineer updates or write their own custom firmware.
https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/
Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured.
The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of bugs. Having a decrypted copy of an update may allow hackers to reverse engineer it and learn precisely how to exploit the hole it’s patching. The key may also allow parties other than Intel—say a malicious hacker or a hobbyist—to update chips with their own microcode, although that customized version wouldn’t survive a reboot.
“At the moment, it is quite difficult to assess the security impact,” independent researcher Maxim Goryachy said in a direct message. “But in any case, this is the first time in the history of Intel processors when you can execute your microcode inside and analyze the updates.”
Tomi Engdahl says:
Hackers Can Now Reverse Engineer Intel Updates Or Write Their Own Custom Firmware
https://developers.slashdot.org/story/20/10/28/217212/hackers-can-now-reverse-engineer-intel-updates-or-write-their-own-custom-firmware?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
In a statement, Intel officials wrote: “The issue described does not represent security exposure to customers, and we do not rely on obfuscation of information behind red unlock as a security measure. In addition to the INTEL-SA-00086 mitigation, OEMs following Intel’s manufacturing guidance have mitigated the OEM specific unlock capabilities required for this research. The private key used to authenticate microcode does not reside in the silicon, and an attacker cannot load an unauthenticated patch on a remote system.”
Intel® Management Engine Critical Firmware Update (Intel-SA-00086)
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
Tomi Engdahl says:
https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/
Tomi Engdahl says:
Meltdown & Spectre: 2 Ways Your Banking Device Is Vulnerable
https://www.finance-monthly.com/amp/2018/01/meltdown-spectre-2-ways-your-banking-device-is-vulnerable/
Tomi Engdahl says:
Intel may have just shed its most intimate CPU secrets
By Anthony Spadafora
https://www.techradar.com/news/intel-may-have-just-shed-its-most-intimate-cpu-secrets
Researchers have extracted the RC4 key used by Intel to encrypt CPU code
Tomi Engdahl says:
#TBT: These two classes of hacks uncovered a way for information to leak out through the difference between what software is supposed to do and how it actually does those things. There’s every reason to believe that more ways will be uncovered.
How the Spectre and Meltdown Hacks Really Worked
https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked
These types of attacks, called Meltdown and Spectre, were no ordinary bugs. At the time it was discovered, Meltdown could hack all Intel x86 microprocessors and IBM Power processors, as well as some ARM-based processors. Spectre and its many variations added Advanced Micro Devices (AMD) processors to that list. In other words, nearly the whole world of computing was vulnerable.
And because speculative execution is largely baked into processor hardware, fixing these vulnerabilities has been no easy job. Doing so without causing computing speeds to grind into low gear has made it even harder.
Tomi Engdahl says:
This 22-Year-Old Discovered How To Hack Billions Of Devices Globally Using One Of The Worst Chip Flaws In History
https://www.iflscience.com/technology/this-22yearold-discovered-how-to-hack-billions-of-devices-globally/
Tomi Engdahl says:
This should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.
Microsoft: Pluton Chip Will Bring Xbox-Like Security to Windows PCs
https://www.extremetech.com/computing/317512-microsoft-pluton-chip-will-bring-xbox-like-security-to-windows-pcs?utm_campaign=trueAnthem%3A+Manual&utm_medium=trueAnthem&utm_source=facebook
Microsoft hopes to improve PC platform security, and it’s turning to CPU manufacturers to help it do that. The Windows maker has a new security chip design called Microsoft Pluton, and it’s probably coming to your next PC whether you want it or not. Intel, AMD, and Qualcomm are working to make Pluton part of their upcoming designs, which should make PCs more difficult to hack, but it also bakes Microsoft technology into your hardware.
Microsoft says it started working on Pluton to address the troubling trend of CPU-based attacks like Spectre and Meltdown. Currently, many Windows PCs have a Trusted Platform Module (TPM), which is a separate chip someplace on the motherboard that the CPU uses to secure hardware and cryptographic keys. However, you can purchase expensive circumvention kits that physically tap the signal between the CPU and TPM to extract privileged data. Hypothetically, Pluton should block such attack vectors because it’s part of the CPU.
Devices running on CPUs with the Pluton module should be much harder to hack in the same way the Xbox One was harder to hack than previous versions of the console. That’s actually where Microsoft took its inspiration. The Xbox has an integrated security module that makes it harder to play pirated games. There are plenty of arguments against that sort of heavy-handed DRM, but Microsoft’s engineers learned a great deal about security strategies from the Xbox. Bringing that know-how to the PC could solve a lot of problems… and maybe introduce a few new ones.
Not everyone is over the moon about Pluton, which uses the same API as the standard TPM. It would be possible to use Pluton to run a digital rights management (DRM) scheme that is much harder to crack. Microsoft says that’s not its goal, but there’s nothing stopping someone from doing that. The integration of Pluton with CPU hardware also gives Microsoft some level of access to your hardware, even if you don’t use Windows. Microsoft already uses Pluton in its Linux-based Azure Sphere devices.
Tomi Engdahl says:
Spectre exploits in the “wild”
https://dustri.org/b/spectre-exploits-in-the-wild.html
Someone was silly enough to upload a working spectre (CVE-2017-5753) exploit for Linux (there is also a Windows one with symbols that I didn’t look at) on VirusTotal last month, so here is my quick Sunday afternoon lazy analysis. In my lab, on a vulnerable Fedora, the exploit is successfully dumping /etc/shadow in a couple of minutes. Interestingly, there are checks to detect SMAP and abort if it’s present. I didn’t manage to understand why the exploit was failing in its presence. Also:
https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/
“But while Voisin did not want to name the exploit author, several people were not as shy. Security experts on both Twitter and news aggregation service HackerNews were quick to spot that the new Spectre exploit might be a module for CANVAS, a penetration testing tool developed by Immunity Inc.”
Tomi Engdahl says:
https://dustri.org/b/spectre-exploits-in-the-wild.html
Tomi Engdahl says:
A French security researcher has discovered what appears to be a first fully weaponized exploit for the Spectre bug — a Linux binary that dumps the contents of /etc/shadow
First Fully Weaponized Spectre Exploit Discovered Online
https://therecord.media/first-fully-weaponized-spectre-exploit-discovered-online/
A fully weaponized exploit for the Spectre CPU vulnerability was uploaded on the malware-scanning website VirusTotal last month, marking the first time a working exploit capable of doing actual damage has entered the public domain.
The exploit was discovered by French security researcher Julien Voisin. It targets Spectre, a major vulnerability that was disclosed in January 2018.
Tomi Engdahl says:
https://thehackernews.com/2021/03/malware-can-exploit-new-flaw-in-intel.html
Malware Can Exploit New Flaw in Intel CPUs to Launch Side-Channel Attacks. New research has yielded yet another means to pilfer sensitive data by exploiting what’s the first “on-chip, cross-core” side-channel in Intel Coffee Lake and Skylake processors. Published by a group of academics from the University of Illinois at Urbana-Champaign, the findings are expected to be presented at the USENIX Security Symposium coming this August.
Tomi Engdahl says:
New Side-Channel Attack Targets Intel CPU Ring Interconnect
https://www.securityweek.com/new-side-channel-attack-targets-intel-cpu-ring-interconnect
A team of researchers from the University of Illinois at Urbana-Champaign has published a paper detailing a new side-channel attack method that can be launched against devices with Intel CPUs.
Following the disclosure of the Meltdown and Spectre vulnerabilities back in January 2018, researchers have increasingly focused on finding CPU side-channel attack methods — and in many cases they have been successful.
The latest attack method can allow an attacker who has access to the targeted device to obtain potentially sensitive information. The attack, described by the researchers as “the first on-chip, cross-core side-channel attack,” is related to the ring interconnect, or ring bus, the component that enables communication between the various CPU units (e.g. cores, last level cache, system agent and GPU) on many Intel processors.
Tomi Engdahl says:
https://www.facebook.com/groups/majordomo/?ref=share
I’m really glad I’m no longer in web work.
“Post-Spectre, we need to adopt some new strategies for safe and secure web development. This document outlines a threat model we can share, and a set of mitigation recommendations.
TL;DR: Your data must not unexpectedly enter an attacker’s process”
Post-Spectre Web Development
Editor’s Draft, 10 March 2021
https://w3c.github.io/webappsec-post-spectre-webdev/
Tomi Engdahl says:
A Spectre proof-of-concept for a Spectre-proof web
https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html
In this post, we will share the results of Google Security Team’s research on the exploitability of Spectre against web users, and present a fast, versatile proof-of-concept (PoC) written in JavaScript which can leak information from the browser’s memory. We’ve confirmed that this proof-of-concept, or its variants, function across a variety of operating systems, processor architectures, and hardware generations. Also: https://leaky.page/ (Spectre JavaScript PoC)
Tomi Engdahl says:
Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world • The Register
https://www.theregister.com/2021/03/08/post_spectre_programming/
Tomi Engdahl says:
Google Releases PoC Exploit for Browser-Based Spectre Attack
https://www.securityweek.com/google-releases-poc-exploit-browser-based-spectre-attack
Tomi Engdahl says:
Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world
‘This is going to be a lot of work … a reasonable set of mitigation primitives exists today, ready and waiting for use’
https://www.theregister.com/2021/03/08/post_spectre_programming/
After the disclosure of the 2018 Spectre family of vulnerabilities in modern microprocessor chips, hardware vendor and operating system makers scrambled to reduce the impact of data-leaking side-channel attacks designed to exploit the way chips try to predict future instructions.
Intel and others rolled out firmware patches, Linux kernel maintainers added capabilities like STIBP (Single Thread Indirect Branch Predictors), and browser makers took steps like reducing the precision of timers.
Now web security professionals are asking developers to do their part by recognizing that Spectre broke the old threat model and by writing code that reflects the new one.
Tomi Engdahl says:
Spectre exploits in the “wild”
https://dustri.org/b/spectre-exploits-in-the-wild.html
Someone was silly enough to upload a working spectre (CVE-2017-5753) exploit for Linux (there is also a Windows one with symbols that I didn’t look at.) on VirusTotal last month, so here is my quick Sunday afternoon lazy analysis.
The binary has its -h option stripped, likely behind a #define to avoid detection, but some of its parameters are obvious, like specifying what file to leak, or the kernel base address. The authors didn’t check (or care) that the logging function hasn’t been entirely optimized out, leaving a bunch of strings helping in the reversing process.
Tomi Engdahl says:
Linux Kernel Vulnerabilities Can Be Exploited to Bypass Spectre Mitigations
https://www.securityweek.com/linux-kernel-vulnerabilities-can-be-exploited-bypass-spectre-mitigations
Recent Linux kernel updates include patches for a couple of vulnerabilities that could allow an attacker to bypass mitigations designed to protect devices against Spectre attacks.
The Spectre and Meltdown vulnerabilities were disclosed in January 2018, when researchers warned that billions of devices powered by CPUs from Intel, AMD and other vendors were affected. An attacker can exploit the flaws — in some cases remotely — to obtain potentially sensitive data, such as encryption keys and passwords.
Patches and mitigations have been made available by both hardware and operating system vendors, but many devices are likely still vulnerable to attacks because the patches and mitigations have not been applied. It seems that it’s also still possible to launch attacks due to the fact that some mitigations can be bypassed by attackers.
Symantec reported on Monday that Piotr Krysiuk, a member of its Threat Hunter team, has identified two new vulnerabilities in the Linux kernel that can be exploited to bypass mitigations for the Spectre vulnerabilities.
One of the flaws, tracked as CVE-2020-27170, can be leveraged to obtain data from a device’s entire memory, while the second, identified as CVE-2020-27171, can be used to obtain contents from a 4Gb range of kernel memory. Both issues are related to the extended Berkeley Packet Filter (eBPF) technology used by the Linux kernel.
BPF enables the execution of programs directly in the kernel, but not before these programs are analyzed to ensure they’re safe. This process should also provide protection against Spectre attacks, but the vulnerabilities discovered by the Symantec researcher can be exploited to bypass this protection, allowing a local attacker to obtain potentially sensitive data from the device’s memory.
Tomi Engdahl says:
Newly-Discovered Vulnerabilities Could Allow for Bypass of Spectre Mitigations in Linux
Bugs could allow a malicious user to access data belonging to other users.
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/spectre-bypass-linux-vulnerabilities
The vulnerabilities in question are:
CVE-2020-27170 – Can reveal contents from the entire memory of an affected computer
CVE-2020-27171 – Can reveal contents from 4 GB range of kernel memory
The patches for these bugs were first published on March 17, 2021, and are included with the Linux kernels released on March 20.
Both vulnerabilities are related to the Linux kernel support for “extended Berkeley Packet Filters” (BPF). BPF allows users to execute user-provided programs directly in the Linux kernel.
The most serious issue is CVE-2020-27170, which can be abused to reveal content from any location within the kernel memory, all of the machine’s RAM, in other words. Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and execute speculatively out-of-bounds loads with no restrictions. This could then be abused to reveal contents of the memory via side-channels.
The second reported issue, CVE-2020-27171, can reveal content from a 4 GB range of kernel memory around some of the structures that are protected. This issue is caused by a numeric error in the Spectre mitigations when protecting pointer arithmetic against out-of-bounds speculations.
Mitigation
The patches for these bugs were first published on March 17, 2021 and are included in the following Linux kernel releases:
Stable 5.11.8 (released March 20, 2021)
Longterm 5.10.25 (released March 20, 2021)
Longterm 5.4.107 (released March 20, 2021)
Longterm 4.19.182 (released March 20, 2021)
Longterm 4.14.227 (released March 24, 2021)
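A defender's first question after reading the release list above is whether a given host is on a fixed kernel and, if not, whether unprivileged BPF (the attack surface both CVEs rely on) is switched off. The following script is an added example, not code from the advisory or the kernel project: it maps a uname -r style release string onto the stable/longterm branches listed in the comment and reads the kernel.unprivileged_bpf_disabled sysctl. The branch table and the fixed patch levels are taken from the list above; the assumption that any branch newer than 5.11 (5.12 and later) carries the mainline fix, and the sample release strings in the tests, are mine.

```python
"""Kernel version / unprivileged-BPF check for CVE-2020-27170 and CVE-2020-27171.

Added example (not from the advisory). Fixed releases come from the Symantec
list: 5.11.8, 5.10.25, 5.4.107, 4.19.182, 4.14.227. Branches newer than 5.11
are ASSUMED to include the mainline fix; branches not in the table (e.g. 5.9)
are reported as unknown so the caller treats them as unpatched.
"""
import platform
import re
from pathlib import Path

# (major, minor) branch -> first release on that branch carrying the fix
FIXED_RELEASES = {
    (5, 11): (5, 11, 8),
    (5, 10): (5, 10, 25),
    (5, 4): (5, 4, 107),
    (4, 19): (4, 19, 182),
    (4, 14): (4, 14, 227),
}

SYSCTL_PATH = Path("/proc/sys/kernel/unprivileged_bpf_disabled")


def parse_release(release):
    """Turn '5.10.24-1-amd64' (uname -r style) into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kernel_has_fix(release):
    """True if the release is at/after the fixed level of its branch,
    True for branches newer than 5.11 (assumed fixed in mainline),
    False if on a listed branch but below the fixed level,
    None if the branch is not in the table (treat as unknown/unpatched)."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return (major, minor, patch) >= FIXED_RELEASES[branch]
    if branch > max(FIXED_RELEASES):
        return True  # assumption: 5.12+ shipped after the mainline fix
    return None


def unprivileged_bpf_disabled(sysctl_value):
    """kernel.unprivileged_bpf_disabled: 0 allows unprivileged BPF, nonzero disables it."""
    return int(str(sysctl_value).strip()) != 0


def assess(release, sysctl_value):
    """Short verdict combining both checks."""
    if kernel_has_fix(release):
        return "patched"
    if unprivileged_bpf_disabled(sysctl_value):
        return "unpatched but unprivileged BPF disabled (exposure reduced)"
    return "unpatched and unprivileged BPF allowed"


def assess_local_host():
    """Run the check on the current machine; sysctl value defaults to '0' if unreadable."""
    try:
        value = SYSCTL_PATH.read_text()
    except OSError:
        value = "0"
    return assess(platform.release(), value)


if __name__ == "__main__":
    print(f"{platform.release()}: {assess_local_host()}")
```

The version comparison is only meaningful for vanilla stable/longterm kernels: distribution kernels (RHEL's 4.18.0-based series, Ubuntu's HWE kernels) backport fixes without moving the version string, so for those the vendor's advisory, not the number, is the source of truth. The sysctl half of the check is useful either way, since the Symantec write-up ties both CVEs to unprivileged BPF programs.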
Tomi Engdahl says:
https://access.redhat.com/security/cve/cve-2020-27170 (CVSS 4.7)
https://nvd.nist.gov/vuln/detail/CVE-2020-27170
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.
https://access.redhat.com/security/cve/cve-2020-27171 (CVSS 6.0)
https://nvd.nist.gov/vuln/detail/CVE-2020-27171
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.
Tomi Engdahl says:
A couple of weeks later, Google released proof-of-concept (PoC) code for browser-based Spectre attacks.
https://www.securityweek.com/google-releases-poc-exploit-browser-based-spectre-attack
Tomi Engdahl says:
AMD admits that Zen 3 CPUs are vulnerable to a new Spectre-style attack
Again?
https://www.techspot.com/news/89173-amd-admits-zen-3-cpus-vulnerable-new-spectre.html
AMD has confirmed that a microarchitecture optimization inside Zen 3 CPUs can be exploited in a similar fashion to the Spectre vulnerabilities that plagued Intel CPUs a few generations ago. Disabling the optimization is possible, but will carry a performance penalty that AMD doesn’t believe is worth it for all but the most critical deployments of the processors.
Update (April 5): Even though AMD was confident enough in not recommending a majority of their customers to disable Predictive Store Forwarding (PSF) for security reasons, Phoronix ran dozens of tests during the weekend using a Ryzen 7 5800X specifically benchmarking for the Zen 3 PSF vulnerability. They conclude that “the geometric mean of all those results was less than a half percent performance loss when disabling this new Zen 3 feature,” or in other words, the performance impact is negligible.
Tomi Engdahl says:
[CVE-2020-12351] BadKarma: Heap-Based Type Confusion (BleedingTooth)
https://github.com/google/security/advisories/GHSA-h637-c88j-47wq
[CVE-2020-12352] Linux: Stack-Based Information Leak in A2MP (BleedingTooth)
https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq
Tomi Engdahl says:
https://www.mikrobitti.fi/uutiset/amdn-suorittimista-loytyi-vakava-haavoittuvuus/ab40186d-af20-45d0-b13a-f6691abb5fdb
AMD has said that processors based on its new Zen 3 architecture contain a vulnerability resembling the Spectre vulnerabilities that plagued Intel processors a few years ago. According to Techspot, the vulnerability is caused by a microarchitecture optimization feature used in the processors.
The most exposed are programs whose security relies on sandboxing.
The vulnerable PSF feature can be switched off, although this safeguard reduces processor performance slightly. According to AMD, disabling the feature is not recommended, since the company is not aware of any code that would be susceptible to an attack carried out through PSF.