Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

New Speculative Execution Vulnerability Gives CISOs a New Reason to Lose Sleep

The vulnerability, dubbed SWAPGS, is an undetectable threat to data security, similar in some respects to Spectre and Meltdown.

Bogdan Botezatu, director of threat research at BitDefender, leans across the table in a hotel lobby coffee shop to make his point. "When you're a CISO, there is no single of vulnerability you're aware of that doesn't keep you awake at night." The new vulnerability his team of researchers found — the vulnerability they will reveal in a press conference this evening — is one that he says should definitely contribute to CISO insomnia.

The new vulnerability, dubbed SWAPGS by the BitDefender research team, is a speculative execution vulnerability that Botezatu says is similar in some respects to Spectre and Meltdown. "What we have done is to manipulate this instruction called SWAPGS in order to sample information from the realm of the operating system memory into the user space," he explains.

SWAPGS is an instruction that swaps the contents of a particular register with the contents of a specific memory location. The instruction is defined as a privileged instruction that should be available only to system software, such as a hypervisor. One of the things that makes the instruction dangerous when exploited is that it can provide rapid access to certain data structures used by the operating system kernel.

When the instruction is manipulated, Botezatu says, "This can lead to all sorts of trouble like leaking out information about passwords, encryption, keys, tokens, authentication, cookies, and other sensitive information that goes through the processor."

Like many of the other speculative execution exploits that have been found, SWAPGS doesn't allow the attacker to manipulate the data being stored in the memory location — it only allows for the contents of that memory location to be monitored. "You just poke the memory, and run a time-based attack. If it's something interesting, it's fine. If not, you have just lost 20 seconds and you need to go back to square one," Botezatu explains.

As with most of the other speculative execution attacks, Botezatu sees SWAPGS as something that could be a tool for patient nation-state actors, not finance-focused criminals. Criminal actors, he says, can simply launch repeated phishing attacks to get the information that might become available through SWAPGS.

Still, he points out, a speculative execution attack like SWAPGS is dangerous because it bypasses hardware-based protection and is undetectable by normal security packages. Furthermore, while BitDefender followed responsible disclosure and Microsoft has issued a Window patch for the vulnerability, Botezatu says, "We know that in enterprises, patch adoption is not something that happens overnight. That can take anywhere from one to 180 days, if you're lucky."

Related content:


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/10/2019 | 7:02:41 PM
Response from IBM X-Force Exchange

FreeBSD, when running on a 64bit system with a FreeBSD/amd64 kernel, could allow a local attacker to gain elevated privileges on the system. By causing a General Protection Fault while the kernel is returning from processing an interrupt or system call, a local attacker could cause the incorrect execution of swapgs CPU instruction. An attacker could exploit this vulnerability to execute arbitrary code on the system with kernel level privileges.

The SWAPGS Side-Channel Attack Against Windows
Researchers from Bitdefender have discovered a new side-channel attack they have named SWAPGS. While building on research from the previously discovered and widely publicized Spectre and Meltdown attacks, SWAPGS can reportedly bypass all known mitigations for them. SWAPGS is a variation on the Spectre Variant 1 vulnerability. The attack exploits the speculative execution of a specific instruction on Intel chips, combined with the use of the instruction by Windows operating systems inside a gadget. Exploitation requires an attacker being able to log on to a vulnerable system and could allow the attacker to obtain sensitive information from a system's memory which could include the likes of credentials and encryption keys or pointers and addresses that could potentially be used for privilege escalation attacks. The Intel CPU's affected are from the Ivy Bridge series on. Microsoft released an update to address the vulnerability (CVE-2019-1125) in its July bulletins and has issued further guidance which notes that a microcode update is not required to address the vulnerability

What I get from both findings is that the user has to login and then they have to verify if Speculative Execution is part of the "Ivy Bridge" processor. If it is, then that is where priviledge escalation could take place but there are a few things they must do first is identify if this is an "Ivy Bridge" processor.

  • Write-host "Check if Ivy Bridge Processor"
    Write-Host "-----------------------------"
    $type = (get-wmiobject -class Win32_processor).Name
    Write-Host ""
    Write-Host "Check Ivy Processor Status"
    Write-Host "--------------------------"
    $check = $type.substring(18,8).split("-")[1]
    $proc = $check.substring(0,2)
    $ivy = @("30","31","32","33","34","35","36","37")
    foreach ($i in $ivy) {
        if ($i -eq $proc) {
            Write-Host "Ivy Bridge Processor Identified: " $type
    } Write-Host "Ivy Bridge Processor not identified"

There is a much better way of checking for Ivy Bridge but this is good for right now, Speculative Processor check can be downloaded from the web to help with the identification, but this is a good start.

I am getting rusty in my Powershell programming, need to get back on it.

The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...