Application Security

8/15/2018
06:30 PM

Intel Reveals New Spectre-Like Vulnerability

A new side-channel speculative execution vulnerability takes aim at a different part of the CPU architecture than similar vulnerabilities that came before it.

There's a new speculative execution side-channel vulnerability akin to Spectre and Meltdown, but this one is different in a crucial way: it's aimed at program data rather than program instructions.

The new vulnerability, described in CERT Vulnerability Note VU#982149, is similar to Spectre in that it leverages speculative execution — a process by which the processor executes certain instructions ahead of time, before it knows whether the software will actually call for them next. This is a technique that speeds up code execution on just about all modern CPUs.

It differs from Spectre in that it does not target the part of memory holding instructions. Instead, the new vulnerability, called Foreshadow, or L1TF, targets the L1 data cache.

"Researchers simply followed the thread left by Spectre and Meltdown — this isn't a completely new class of vulnerabilities," says Matthew Chiodi, vice president of cloud security at RedLock.

Intel yesterday released a pair of security notifications on the vulnerability. The first focuses on the hardware details, and discusses the implications for operating system and VM developers. According to Intel, microcode has been developed and pushed live to help mitigate the effects of the vulnerability.

In its Intel Software Developer blog, Intel explores the impact on application developers and provides possible mitigations for programmers working on browsers, applications in VMs, etc.

Google Cloud Security published a blog post on the vulnerability, noting that, "Directly exploiting these vulnerabilities requires control of hardware resources that are accessible only with operating system level control of the underlying physical or virtual processors."

That's similar to other Spectre-like vulnerabilities and one of the key reasons most security professionals seem more curious than panic-stricken about this class of vulnerabilities.

Google also noted that the primary danger of Foreshadow is that a threat actor could use it to reach across virtual machine boundaries, gaining access to the information belonging to another virtual machine — and possibly, another organization.

"Systems that utilize software-defined storage via a mid-layer filesystem will likely experience the most impact. Many software-defined storage solutions, which use a mid-layer filesystem, will likely have a much larger performance impact as a result of these fixes," says Jeff Ready, CEO of Scale Computing.

Ken Spinner, vice president of field engineering at Varonis, says this attack can glean sensitive data from the target. "The prize of an attack like this is sensitive data. If passwords or other credentials can be directly extracted and then exploited, it's obviously a win for attackers," he says.

The benefits of virtual machines in the cloud are based on the ability to maintain clear, clean boundaries between virtual servers, he says. "This entire class of processor attacks proves how hard that can be in practice. Securing virtual services can directly increase operational costs for cloud providers, leading to gaps in some cases," he says.

Keeping Calm

Few security professionals are panicked about this class of speculative-execution vulnerabilities due to the difficulty and complexity in developing the attacks, getting them implanted on a target machine, and sorting through slowly growing piles of data in the hopes of finding something interesting. "Why slip in through the second story window when the front door is unlocked?" Spinner says.

Nonetheless, Foreshadow is seen by most observers as yet another call to make sure an organization's update and patch policies are strong and ready for waves of remediating updates.
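As an added defender-side check (not from the article, Intel or Google), the following Python parses the L1TF status line that the Linux kernel reports in sysfs and flags hosts where the VM-boundary risk Google described is still open. The file path and the line formats are assumptions based on the kernel's hardware-vulnerabilities interface; the sample lines are constructed.

```python
# Classify the Linux kernel's reported L1TF (Foreshadow) status, read from
# /sys/devices/system/cpu/vulnerabilities/l1tf. Assumed line formats:
# "Not affected", "Vulnerable", "Mitigation: PTE Inversion[; VMX: <mode>[, SMT <state>]]"
import os

L1TF_SYSFS = "/sys/devices/system/cpu/vulnerabilities/l1tf"
# Constructed sample lines (not captured from any particular host).
SAMPLES = {
    "vm_host_smt_on": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "vm_host_smt_off": "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "vm_host_no_flush": "Mitigation: PTE Inversion; VMX: vulnerable",
    "unpatched": "Vulnerable",
    "other_cpu": "Not affected",
}

def parse_l1tf(line):
    """Split the status line into the host part and the optional VMX part."""
    line = line.strip()
    status = {"raw": line, "affected": True, "host_mitigated": False,
              "vmx": None, "smt_vulnerable": None}
    if line == "Not affected":
        status["affected"] = False
        return status
    if not line.startswith("Mitigation:"):
        return status  # "Vulnerable" or unknown text: treat as unmitigated
    status["host_mitigated"] = True
    # The "VMX:" part is the hypervisor side: L1D flush mode, then SMT state.
    for part in line.split(";")[1:]:
        part = part.strip()
        if part.startswith("VMX:"):
            fields = [f.strip() for f in part[len("VMX:"):].split(",")]
            status["vmx"] = fields[0]
            status["smt_vulnerable"] = "SMT vulnerable" in fields[1:]
    return status

def vm_boundary_at_risk(status):
    """True when a guest on this host may still read across VM boundaries."""
    if not status["affected"]:
        return False
    if not status["host_mitigated"]:
        return True
    # No L1D flush on VM entry, or an active sibling hyperthread sharing L1D.
    return status["vmx"] == "vulnerable" or bool(status["smt_vulnerable"])

def read_host_status(path=L1TF_SYSFS):
    # Parse the live sysfs file if present; None on non-Linux or old kernels.
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return parse_l1tf(f.read())
```

On a Linux host, `vm_boundary_at_risk(read_host_status())` gives the verdict for that machine; the SAMPLES dict shows the cases the classifier distinguishes.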

"How far this goes and how much damage it does depends greatly on whether people install the patch," says Michael Daly, CTO for Raytheon's cybersecurity and special missions. "Unfortunately, history tells us many will not. While this particular threat seems minor for now, since so few systems use SGX, that can change."


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...

Comments
tdsan, User Rank: Strategist, 8/16/2018 | 2:02:01 PM
Really, was it already there and we just did not know about it?
It is interesting how companies try to save face when someone from the outside identified this vulnerability or the Spectre vulnerability. It seems that my trust in Intel has diminished. I will provide examples:

1. This vulnerability has existed since the late 90s to now; this was discussed years ago and no one except the researchers from three or four prominent schools disseminated this information to the public - https://meltdownattack.com/. Intel knew about this vulnerability and did nothing about it for years, and only when the researchers from Google, Univ of MD, Univ, Graz Univ of Technology, Adelaide and others presented this information did Intel decide to move in the direction to provide microcode or patches to address the problem. When did accountability leave the room?

2. Did Intel present this information to the public, or were they forced by the researchers (Project Zero concepts; they give you 30 days to fix the problem) after they found other bugs in their existing CPU (microcode)? Again, another question where their reputation is on the line; they only react as opposed to working together as a team to resolve impending issues.

3. If Edward Snowden had not presented this information to the public, this vulnerability would have still been out there without the public knowing about it (thank you Mr. Snowden, wherever you are; he stated the NSA was using the vulnerabilities found to create backdoors. Was this the case or not? We will never know).

This is not the only company that has tried to cover up their shortcomings (Booz Allen, Northrop Grumman, Lockheed Martin, SunTrust, cryptocurrency, S3 buckets (Accenture)). I mean the list goes on and on.

At what point do you say, enough is enough, because the only thing the individuals got from Equifax hack was a $50 gift certificate they could use on their own hacked infrastructure. That is almost saying that I am betting on you in a fight after you already got knocked out.

List of others, actually from this site:
  • The Biggest Cybersecurity Breaches of 2018 (So Far)
  • LA County Nonprofit Exposes 3.2M PII Files via Unsecured S3 Bucket
  • SunTrust Ex-Employee May Have Stolen Data on 1.5 Million Bank Clients
  • Sears & Delta Airlines Are Latest Victims of Third-Party Security Breach
  • Panera Bread Leaves Millions of Customer Records Exposed Online
  • Hudson's Bay Brands Hacked, 5 Million Credit Card Accounts Stolen
  • Under Armour App Breach Exposes 150 Million Records
  • Baltimore Hit with Hack on 911 System
  • Hack Costs Coincheck Cryptocurrency Exchange $530 Million

I think the security practices and ways of securing the environment are not working; we need to find another way, something that keeps the companies accountable (blockchain in the supply chain space), employ IPv6 in everything we do and rid ourselves of IPv4 (networking), encrypt the data at rest (BitLocker disk encryption where it does not give the user a choice, especially if it is used to entrust user data; PGP Disk encryption works as well) and eventually look at other microprocessor manufacturers like Nvidia or IBM Power CPUs (especially when Intel did nothing after 20 years of knowing there was a problem).

Please give me some of your thoughts, anyone.

T
REISEN1955, User Rank: Ninja, 8/16/2018 | 9:07:57 AM
Interesting note for history
Much of the architecture of contemporary systems still holds its lines back to the original IBM-AT 286 processor and config. It was such a solid standard that everything today is still flagged back to it and the original Gang of 7 who rebelled against IBM scrapping that in favor of PS/2 (a disaster). So when we come to these high-level processor issues, I sometimes wonder how LONG these flaws have actually been around. Sometimes I long for the 8088 and DOS 6.22.