Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Intel Reveals New Spectre-Like Vulnerability

A new side-channel speculative execution vulnerability takes aim at a different part of the CPU architecture than similar vulnerabilities that came before it.

There's a new speculative execution side-channel vulnerability akin to Spectre and Meltdown, but this one is different in a crucial way: it's aimed at program data rather than program instructions.

The new vulnerability, described in CERT Vulnerability Note VU#982149, is similar to Spectre in that it leverages speculative execution — a process by which certain computer instructions are executed in case they're the next instructions called for by the software. This is a technique that speeds up code execution on just about all modern CPUs.

It differs from Spectre in that it's not working on the part of memory-holding instructions. Instead, the new vulnerability - called Foreshadow, or L1TF - targets the L1 data cache.

"Researchers simply followed the thread left by Spectre and Meltdown — this isn't a completely new class of vulnerabilities," says Matthew Chiodi, vice president of cloud security at RedLock.

Intel yesterday released a pair of security notifications on the vulnerability. The first focuses on the hardware details, and discusses the implications for operating system and VM developers. According to Intel, microcode has been developed and pushed live to help mitigate the effects of the vulnerability.

In its Intel Software Developer blog, Intel explores the impact on application developers and provides possible mitigations for programmers working on browsers, applications in VMs, etc.

Google Cloud Security published a blog post on the vulnerability, noting that, "Directly exploiting these vulnerabilities requires control of hardware resources that are accessible only with operating system level control of the underlying physical or virtual processors."

That's similar to other Spectre-like vulnerabilities and one of the key reasons most security professionals seem more curious than panic-stricken about this class of vulnerabilities.

Google also noted that the primary danger of Foreshadow is that a threat actor could use it to reach across virtual machine boundaries, gaining access to the information belonging to another virtual machine — and possibly, another organization.

"Systems that utilize software-defined storage via a mid-layer filesystem will likely experience the most impact. Many software-defined storage solutions, which use a mid-layer filesystem will likely have a much larger performance impact as a result of these fixes," says Jeff Ready, CEO of Scale Computing.

Ken Spinner, vice president of field engineering at Varonis, says this attack can glean sensitive data from the target. "The prize of an attack like this is sensitive data. If passwords or other credentials can be directly extracted and then exploited, it's obviously a win for attackers," he says.

The benefits of virtual machines in the cloud are based on the ability to maintain clear, clean boundaries between virtual servers, he says. "This entire class of processor attacks proves how hard that can be in practice. Securing virtual services can directly increase operational costs for cloud providers, leading to gaps in some cases," he says.

Keeping Calm

Few security professionals are panicked about this class of speculative-execution vulnerabilities due to the difficulty and complexity in developing the attacks, getting them implanted on a target machine, and sorting through slowly growing piles of data in the hopes of finding something interesting. "Why slip in through the second story window when the front door is unlocked?" Spinner says.

Nonetheless, Foreshadow is seen by most observers as yet another call to make sure an organization's update and patch policies are strong and ready for waves of remediating updates.

"How far this goes and how much damage it does depends greatly on whether people install the patch," says Michael Daly, CTO for Raytheon's cybersecurity and special missions. "Unfortunately, history tells us many will not. While this particular threat seems minor for now, since so few systems use SGX, that can change."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Strategist
8/16/2018 | 2:02:01 PM
Really, was it already there and we just did not know about it
It is interesting how companys try to save face when someone from the outside identified this vulnerability or the Spectre vulnerability. It seems that my trust in Intel has diminished. I will provide examples:

1. This vulnerability existing since the late 90s - to now, this was discussed years ago and no one except the researchers from three-four prominent schools that disseminated this information to the public - https://meltdownattack.com/. Intel knew about this vulnerability and did nothing about it for years and only until the researchers from Google, Univ of MD, Univ, Graz Univ of Technology, Adelaide and others presented this information is only then Intel decided to move in the direction to provide microcode or patches to address the problem. When did accountability leave the room?

2. Did Intel present this information to the public or were they forced by the researchers (Project Zero concepts, they give you 30 days to fix the problem) after they found other bugs in their existing CPU (microcode)? Again, another question where their reputation is on the line, they only react as opposed to working together as a team to resolve impending issues.

3. If Edward Snowden did not present this information to the public, this vulnerability would have still been out there without the public knowing about it (Thank you Mr. Snowden where ever you are, he stated NSA was using the vulnerabilities found to create backdoors, was this the case or not, we will never know).

This is not the only company that has tried to coverup their shortcomings (Booz Allen, Northrup Grumman, Lockheed Martin, Suntrust, Cryptocurrenty, S3 buckets (Accenture). I mean the list goes on and on.

At what point do you say, enough is enough, because the only thing the individuals got from Equifax hack was a $50 gift certificate they could use on their own hacked infrastructure. That is almost saying that I am betting on you in a fight after you already got knocked out.

List of others, actually from this site:
  • The Biggest Cybersecurity Breaches of 2018 (So Far)
  • LA County Nonprofit Exposes 3.2M PII Files via Unsecured S3 Bucket
  • SunTrust Ex-Employee May Have Stolen Data on 1.5 Million Bank Clients
  • Sears & Delta Airlines Are Latest Victims of Third-Party Security Breach
  • Panera Bread Leaves Millions of Customer Records Exposed Online
  • Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen
  • Under Armour App Breach Exposes 150 Million Records
  • Baltimore Hit with Hack on 911 System
  • Hack Costs Coincheck Cryptocurrency Exchange $530 Million

I think the security practices and ways of securing the environment is not working, we need to find another way, something that keeps the companies accountable (BlockChain in the supply chain space), employ IPv6 in everything we do and ride ourselves from IPv4 (Networking), encrypt the data at rest (Bitlocker disk encryption where it does not give the user a choice, especially if it is used to entrust user data, PGP Disk encryption works as well) and eventually look at other micro-processor manufacturers like Nvidia or IBM Power CPUs (especially when Intel did nothing after 20 years of knowing there was a problem).

Please give me some of your thoughts, anyone.

T
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/16/2018 | 9:07:57 AM
Interesting note for history
Much of the architecture of contemporary systems still hold their lines back to the original IBM-AT 286 processor and config.  It was such a solid standard that everything today is still flagged back to it and the original Gang of 7 who rebelled against IBM scrapping that in favor of PS/2 ( a disaster ).   So when we come to this high level processor issues - I sometimes wonder how LONG have these flaws actually been around?    Sometimes i long for the 8088 and DOS 6.22.  
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I told you we should worry abit more about vendor lock-in.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .