Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

New Speculative Execution Vulnerability Gives CISOs a New Reason to Lose Sleep
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/10/2019 | 7:02:41 PM
Response from IBM X-Force Exchange

FreeBSD, when running on a 64bit system with a FreeBSD/amd64 kernel, could allow a local attacker to gain elevated privileges on the system. By causing a General Protection Fault while the kernel is returning from processing an interrupt or system call, a local attacker could cause the incorrect execution of swapgs CPU instruction. An attacker could exploit this vulnerability to execute arbitrary code on the system with kernel level privileges.

The SWAPGS Side-Channel Attack Against Windows
Researchers from Bitdefender have discovered a new side-channel attack they have named SWAPGS. While building on research from the previously discovered and widely publicized Spectre and Meltdown attacks, SWAPGS can reportedly bypass all known mitigations for them. SWAPGS is a variation on the Spectre Variant 1 vulnerability. The attack exploits the speculative execution of a specific instruction on Intel chips, combined with the use of the instruction by Windows operating systems inside a gadget. Exploitation requires an attacker being able to log on to a vulnerable system and could allow the attacker to obtain sensitive information from a system's memory which could include the likes of credentials and encryption keys or pointers and addresses that could potentially be used for privilege escalation attacks. The Intel CPU's affected are from the Ivy Bridge series on. Microsoft released an update to address the vulnerability (CVE-2019-1125) in its July bulletins and has issued further guidance which notes that a microcode update is not required to address the vulnerability

What I get from both findings is that the user has to login and then they have to verify if Speculative Execution is part of the "Ivy Bridge" processor. If it is, then that is where priviledge escalation could take place but there are a few things they must do first is identify if this is an "Ivy Bridge" processor.

  • Write-host "Check if Ivy Bridge Processor"
    Write-Host "-----------------------------"
    $type = (get-wmiobject -class Win32_processor).Name
    Write-Host ""
    Write-Host "Check Ivy Processor Status"
    Write-Host "--------------------------"
    $check = $type.substring(18,8).split("-")[1]
    $proc = $check.substring(0,2)
    $ivy = @("30","31","32","33","34","35","36","37")
    foreach ($i in $ivy) {
        if ($i -eq $proc) {
            Write-Host "Ivy Bridge Processor Identified: " $type
    } Write-Host "Ivy Bridge Processor not identified"

There is a much better way of checking for Ivy Bridge but this is good for right now, Speculative Processor check can be downloaded from the web to help with the identification, but this is a good start.

I am getting rusty in my Powershell programming, need to get back on it.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.