Intel Processor Security Flaw Prompts Kernel Makeovers in Linux, Windows

A design flaw in Intel microprocessors has Linux and Microsoft Windows developers reworking their kernels to defend against exploitation of the security bug.

Details of the flaw have not yet been made public, and Intel and Microsoft have remained mum about the chip design flaw, which was first reported by The Register this week. The report said Microsoft is expected to issue updates for Windows in next week's Patch Tuesday batch, while Linux developers have been openly working on fixes online. According to the report, the OS updates ultimately could slow performance of the systems, in some cases by five- to 30%. Newer Intel processors aren't as susceptible to a performance impact, the report said.

Renowned security expert Dan Kaminsky says without the details of the flaw out yet, it doesn't make sense to theorize about its ramifications. "I think we shouldn't speculate until the bug is disclosed," Kaminsky says. "Clearly, the notable part of this is whatever it is can't be addressed in microcode."

Intel had not responded to press inquiries as of this posting, and Microsoft declined to comment.

The flaw - which reportedly affects processors in millions of computers - could allow applications, including JavaScript in a Web browser, to read protected areas of the kernel memory. 

The kernel is designed to separate "userland" from sensitive kernel areas "so that userland programs can't take over from the kernel itself and subvert security, for example by launching malware, stealing data, snooping on network traffic and messing with the hardware," wrote Sophos security analyst Paul Ducklin in a post today.

The new Linux patch will isolate the kernel memory from the user process via the so-called Kernel Page Table Isolation, KPTI. 

"This security fix is especially relevant for multi-user computers, such as servers running several virtual machines, where individual users or guest operating systems could use this trick to “reach out” to other parts of the system, such as the host operating system, or other guests on the same physical server," Ducklin explained.

The risk of attack on appliances or endpoints such as a laptop appears to be low, he said, because an attacker would have to run code on the targeted machine to exploit it.

"On shared computers such as as multiuser build servers or hosting services that run several different customers’ virtual machines on the same physical hardware, the risks are much greater: the host kernel is there to keep different users apart, not merely to keep different programs run by one user apart," Ducklin said. 

Intel has been under the security microscope several times in the past year, starting with its May 2017 disclosure of a critical privilege-escalation bug in its Active Management Technology (AMT) firmware used in many Intel chips that affected AMT firmware versions dating back to 2010. It's up to hardware OEMs to update their platforms with Intel's fix.

The AMT vulnerability, discovered by security vendor Embedi, gives attackers a way to access the AMT functionality without the need to authenticate to it first. The flaw allows an attacker to remotely delete or reinstall the operating system on a vulnerable system, or control the mouse and keyboard, for instance. 

Last fall, Intel patched a vulnerability in its microprocessors  that could be used by an attacker to burrow deep inside a machine and control processes and access data - even when a laptop, workstation, or server is powered down. Researchers from Positive Technologies first discovered the flaw, a stack buffer overflow bug in the Intel Management Engine (ME) 11 system that's found in most Intel chips shipped since 2015. ME, which contains its own operating system, is a system efficiency feature that runs during startup and while the computer is on or asleep, and handles much of the communications between the processor and external devices.

And now the Intel design flaw, the details of which remain a mystery. "This flaw has existed for years and has been documented about for months, at least, so there is no need to panic; nevertheless, we recommend that you keep your eyes out for patches for the operating systems you use, probably in the course of January 2018, and that you apply them as soon as you can," Sophos' Ducklin advised.

The flaw also reportedly affects cloud services such as Amazon EC2, Microsoft Azure, and Google Compute Engine. "Amazon just sent a notice about a major security update and EC2 is scheduled to reboot this Friday," said Chris Morales, head of security analytics at Vectra. "If the Azure and Amazon reboots are related to the Intel flaw, it would demonstrate how far reaching the impact is. A phrase like 'the cloud is rebooting' is not something that anyone has had to say before, and it reminds me of the kind of far reaching impact that Y2K was feared to have had."

Related Content: