Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

7/30/2018
09:50 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

New Spectre-Like Vulnerability Allows for Remote Data Theft

Researchers have found new Spectre-like vulnerability in x86 processors called NetSpectre, which allows attackers to steal data remotely.

A group of four researchers from Graz University of Technology have published a paper that describes a network-based CPU attack that mimics Spectre v1 (CVE-2017-5753). It does not require that any hosting code be present on a victim machine.

The researchers published the paper, "NetSpectre: Read Arbitrary Memory over Network," earlier this month but they did give Intel time to respond to their results.

Currently, only 15 bits an hour can be exfiltrated from a CPU cache. But the authors also managed to get four times that amount out -- 60 bits/hour -- by focusing on the AVX2 module which only Intel CPUs use.

CPUs that are vulnerable to Spectre v1 are thought to be affected by the NetSpectre attack as well. The researchers found ARM processors are also vulnerable to this technique, so the issue goes beyond Intel's chips.

(Source: iStock)
(Source: iStock)

The researchers also found the Google cloud to be vulnerable to the attack.

NetSpectre is an access-driven remote Evict+Reload cache attack. It does not use a cache covert channel as Spectre does.

The university team used a technique that they call value-thresholding, which leaks a secret value without the typical bit selection mechanisms. With it, an attacker only needs to send a series of crafted requests to the victim and measures the response time in order to leak a secret value from the victim's memory.

The researchers found that it is possible for an attacker to distinguish cache hits and misses on specific cache lines remotely, by measuring and averaging over a large number of measurements.

Additionally, the researchers found that weaker forms of local Spectre attacks, which are considered to be incapable of leaking actual data, end up as very powerful in remote Spectre attacks. These can enable remote address space layout randomization (ASLR) breaks without any code execution on the device.

ASLR is a widely used defense mechanism that randomizes virtually all addresses in the memory space.

An attacker with local code execution can bypass ASLR since ASLR mostly aims at defending against remote attacks but not local attacks. When the local code that is already present in a CPU is combined with the NetSpectre attack, implementing ASLR breakage is enhanced. This makes implementing the NetSpectre attack easier.

It was found that breaking ASLR could take up to two hours of flooding the device with requests.

The researchers suggested some initial mitigation strategies.

One uses distributed denial of service (DDoS) protection on the network, as thousands of multiple identical packets would be sent from the same source in the attack.


Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

However, the attacker can vary the speed at which bits are leaked by reducing the packets sent to a level below the threshold that the DDoS monitoring (or IDS monitoring) can detect.

Another way is to add artificial noise to the network latency. This would make an attacker perform more measurements to get leakage.

As the researchers note: "Both approaches may mitigate NetSpectre attacks in practice. However, as attackers can adapt and improve attacks, it is not safe to assume that noise levels and monitoring thresholds chosen now will still be valid in the near future."

As of the moment, however, this is a low-yield and not very productive attack. Still, like Rowhammer, improvements to how it is done will happen over time as attackers' interest is piqued. (See Throwhammer & Nethhammer Show How Chips Are Vulnerable to Bit Flips.)

Security experts are warning businesses to be aware that more of these attacks are being discovered.

"Although, in practice, the threat of this new evolution of the Spectre vulnerability being exploited is low, it is something to continue watching. Researchers continue to find flaws that could potentially lead to remote code execution in the future and security companies and practitioners need to continue to keep up-to-date with the latest research and mitigation techniques," Dan Hubbard, chief security architect at Lacework, which provides cloud security tools, wrote in an email to Security Now.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22382
PUBLISHED: 2021-06-22
Huawei LTE USB Dongle products have an improper permission assignment vulnerability. An attacker can locally access and log in to a PC to induce a user to install a specially crafted application. After successfully exploiting this vulnerability, the attacker can perform unauthenticated operations. A...
CVE-2021-22383
PUBLISHED: 2021-06-22
There is an out-of-bounds read vulnerability in eCNS280_TD V100R005C10 and eSE620X vESS V100R001C10SPC200, V100R001C20SPC200, V200R001C00SPC300. The vulnerability is due to a message-handling function that contains an out-of-bounds read vulnerability. An attacker can exploit this vulnerability by se...
CVE-2021-22342
PUBLISHED: 2021-06-22
There is an information leak vulnerability in Huawei products. A module does not deal with specific input sufficiently. High privilege attackers can exploit this vulnerability by performing some operations. This can lead to information leak. Affected product versions include: IPS Module versions V50...
CVE-2021-22363
PUBLISHED: 2021-06-22
There is a resource management error vulnerability in eCNS280_TD V100R005C10SPC650. An attacker needs to perform specific operations to exploit the vulnerability on the affected device. Due to improper resource management of the function, the vulnerability can be exploited to cause service abnormal ...
CVE-2021-22377
PUBLISHED: 2021-06-22
There is a command injection vulnerability in S12700 V200R019C00SPC500, S2700 V200R019C00SPC500, S5700 V200R019C00SPC500, S6700 V200R019C00SPC500 and S7700 V200R019C00SPC500. A module does not verify specific input sufficiently. Attackers can exploit this vulnerability by sending malicious parameter...