Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Intel Reveals New Spectre-Like Vulnerability

A new side-channel speculative execution vulnerability takes aim at a different part of the CPU architecture than similar vulnerabilities that came before it.

There's a new speculative execution side-channel vulnerability akin to Spectre and Meltdown, but this one is different in a crucial way: it's aimed at program data rather than program instructions.

The new vulnerability, described in CERT Vulnerability Note VU#982149, is similar to Spectre in that it leverages speculative execution — a process by which certain computer instructions are executed in case they're the next instructions called for by the software. This is a technique that speeds up code execution on just about all modern CPUs.

It differs from Spectre in that it's not working on the part of memory-holding instructions. Instead, the new vulnerability - called Foreshadow, or L1TF - targets the L1 data cache.

"Researchers simply followed the thread left by Spectre and Meltdown — this isn't a completely new class of vulnerabilities," says Matthew Chiodi, vice president of cloud security at RedLock.

Intel yesterday released a pair of security notifications on the vulnerability. The first focuses on the hardware details, and discusses the implications for operating system and VM developers. According to Intel, microcode has been developed and pushed live to help mitigate the effects of the vulnerability.

In its Intel Software Developer blog, Intel explores the impact on application developers and provides possible mitigations for programmers working on browsers, applications in VMs, etc.

Google Cloud Security published a blog post on the vulnerability, noting that, "Directly exploiting these vulnerabilities requires control of hardware resources that are accessible only with operating system level control of the underlying physical or virtual processors."

That's similar to other Spectre-like vulnerabilities and one of the key reasons most security professionals seem more curious than panic-stricken about this class of vulnerabilities.

Google also noted that the primary danger of Foreshadow is that a threat actor could use it to reach across virtual machine boundaries, gaining access to the information belonging to another virtual machine — and possibly, another organization.

"Systems that utilize software-defined storage via a mid-layer filesystem will likely experience the most impact. Many software-defined storage solutions, which use a mid-layer filesystem will likely have a much larger performance impact as a result of these fixes," says Jeff Ready, CEO of Scale Computing.

Ken Spinner, vice president of field engineering at Varonis, says this attack can glean sensitive data from the target. "The prize of an attack like this is sensitive data. If passwords or other credentials can be directly extracted and then exploited, it's obviously a win for attackers," he says.

The benefits of virtual machines in the cloud are based on the ability to maintain clear, clean boundaries between virtual servers, he says. "This entire class of processor attacks proves how hard that can be in practice. Securing virtual services can directly increase operational costs for cloud providers, leading to gaps in some cases," he says.

Keeping Calm

Few security professionals are panicked about this class of speculative-execution vulnerabilities due to the difficulty and complexity in developing the attacks, getting them implanted on a target machine, and sorting through slowly growing piles of data in the hopes of finding something interesting. "Why slip in through the second story window when the front door is unlocked?" Spinner says.

Nonetheless, Foreshadow is seen by most observers as yet another call to make sure an organization's update and patch policies are strong and ready for waves of remediating updates.

"How far this goes and how much damage it does depends greatly on whether people install the patch," says Michael Daly, CTO for Raytheon's cybersecurity and special missions. "Unfortunately, history tells us many will not. While this particular threat seems minor for now, since so few systems use SGX, that can change."

Related Content:

 

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/16/2018 | 2:02:01 PM
Really, was it already there and we just did not know about it
It is interesting how companys try to save face when someone from the outside identified this vulnerability or the Spectre vulnerability. It seems that my trust in Intel has diminished. I will provide examples:

1. This vulnerability existing since the late 90s - to now, this was discussed years ago and no one except the researchers from three-four prominent schools that disseminated this information to the public - https://meltdownattack.com/. Intel knew about this vulnerability and did nothing about it for years and only until the researchers from Google, Univ of MD, Univ, Graz Univ of Technology, Adelaide and others presented this information is only then Intel decided to move in the direction to provide microcode or patches to address the problem. When did accountability leave the room?

2. Did Intel present this information to the public or were they forced by the researchers (Project Zero concepts, they give you 30 days to fix the problem) after they found other bugs in their existing CPU (microcode)? Again, another question where their reputation is on the line, they only react as opposed to working together as a team to resolve impending issues.

3. If Edward Snowden did not present this information to the public, this vulnerability would have still been out there without the public knowing about it (Thank you Mr. Snowden where ever you are, he stated NSA was using the vulnerabilities found to create backdoors, was this the case or not, we will never know).

This is not the only company that has tried to coverup their shortcomings (Booz Allen, Northrup Grumman, Lockheed Martin, Suntrust, Cryptocurrenty, S3 buckets (Accenture). I mean the list goes on and on.

At what point do you say, enough is enough, because the only thing the individuals got from Equifax hack was a $50 gift certificate they could use on their own hacked infrastructure. That is almost saying that I am betting on you in a fight after you already got knocked out.

List of others, actually from this site:
  • The Biggest Cybersecurity Breaches of 2018 (So Far)
  • LA County Nonprofit Exposes 3.2M PII Files via Unsecured S3 Bucket
  • SunTrust Ex-Employee May Have Stolen Data on 1.5 Million Bank Clients
  • Sears & Delta Airlines Are Latest Victims of Third-Party Security Breach
  • Panera Bread Leaves Millions of Customer Records Exposed Online
  • Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen
  • Under Armour App Breach Exposes 150 Million Records
  • Baltimore Hit with Hack on 911 System
  • Hack Costs Coincheck Cryptocurrency Exchange $530 Million

I think the security practices and ways of securing the environment is not working, we need to find another way, something that keeps the companies accountable (BlockChain in the supply chain space), employ IPv6 in everything we do and ride ourselves from IPv4 (Networking), encrypt the data at rest (Bitlocker disk encryption where it does not give the user a choice, especially if it is used to entrust user data, PGP Disk encryption works as well) and eventually look at other micro-processor manufacturers like Nvidia or IBM Power CPUs (especially when Intel did nothing after 20 years of knowing there was a problem).

Please give me some of your thoughts, anyone.

T
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/16/2018 | 9:07:57 AM
Interesting note for history
Much of the architecture of contemporary systems still hold their lines back to the original IBM-AT 286 processor and config.  It was such a solid standard that everything today is still flagged back to it and the original Gang of 7 who rebelled against IBM scrapping that in favor of PS/2 ( a disaster ).   So when we come to this high level processor issues - I sometimes wonder how LONG have these flaws actually been around?    Sometimes i long for the 8088 and DOS 6.22.  
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...