Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

New Intel Vulnerabilities Bring Fresh CPU Attack Dangers

Four newly discovered vulns from the speculative-execution family bring Meltdown-like threats to Intel's processors.

A new family of speculative execution side-channel vulnerabilities has been found in Intel CPUs and researchers and vendors are split over how severe the flaws are and how easy they are to exploit.

Even the name of the vuln family is a subject of disagreement among researchers, ranging from colorful to prosaic: ZombieLoad, Fallout, RIDL (Rogue In-Flight Data Load), YAM (Yet Another Meltdown), and Intel's name for the family of flaws, MDS (Microarchitectural Data Sampling). 

Researchers from security firms Cyberus, BitDefender, Qihoo360, and Oracle, along with academic researchers from TU Graz, Vrije Universiteit Amsterdam, the University of Michigan, the University of Adelaide, KU Leuven, Worcester Polytechnic Institute, and Saarland University, discovered the flaws and came up with the related exploits. All of the researchers were exploring the same conceptual issues - side-channel vulnerabilities - but found the new family in a different area of the CPU than where the previously identified side-channel vulns, Spectre and Meltdown, operate.

The researchers followed responsible disclosure practices and held on publicly releasing their work - some for as much as a year - while Intel developed firmware to remediate the issues.

Bogdan (Bob) Botezatu, director of threat research and reporting for Bitdefender, says the difference between these MDS vulnerabilities and those exploited by earlier speculative-execution flaws like Spectre and Meltdown, is the difference between a buffer and a cache.

"A buffer is an area of the CPU where operations are executed in transit," he explains, while a cache is memory where data or instructions are stored in anticipation of being called. This difference in the affected CPU area is why the phrase "data in transit" is being used with the new vulnerabilities: Data in a buffer is being being used in an operation while data in a cache is at rest and waiting to be called into use. 

While Spectre and Meltdown could look at data sitting in a special part of storage, this latest generation can grab data that's in the middle of a process.

As with all examples of this type of vulnerability, user programs are not supposed to be able to access this data except through very specific calls through the operating system, and then only to the buffers associated with their defined and assigned user space. Researchers have found, though, that carefully constructed calls can gain access to the data — and in doing so can side-step security layers put in place to protect users from one another.

"It's leaking all the data that user space should not have access to," says Botezatu. For example, in a multi-tenant environment - such as on servers at a cloud-hosting provider - it would be possible for software running as part of one user's space to gain access to data in another user's space, he says.

An Intel spokesperson confirmed the nature of the vulnerability but noted that exploiting MDS, like exploiting any Meltdown-category vulnerability, is quite complex and likely beyond the capability of most malware developers.

The software exploiting the vulnerability would have to be running on the same core as the targeted victim, execute in an adjacent thread, and then either exfiltrate large quantities of data hoping for a useful byte, the spokesperson said, or repeatedly load and flush the desired data.

Botezatu concurred that the attack would be difficult to pull off by the average hacker. "These kinds of attacks are not something that I would expect that your average ransomware operator would use to infect millions of people. This is mostly the kind of attack that a very, very determined threat actor with a pretty big target will use to gain information or to gain access," he says.

While most of the "use cases" for this type of exploit involve multi-tenancy environments in cloud or virtualized server data centers, MDS is subject to other exploit types. Chris Wysopal, CTO at Veracode, says it could also be exploited in browsers. "Another case is browsers running untrusted JavaScript. A malicious website could compromise private data on a system that renders a page with malicious JavaScript," Wysopal says.

Some vendors, including Microsoft, have suggested that disabling hyper- threaded execution on servers might be required for remediating the vulnerability, but Intel says this should not be the case since simply disabling hyper-threading doesn't provide protection.

Intel released a patch for MDS this week. Microsoft and Apple also have included microcode patches in recent Windows and MacOS, updates, and Linux patches also have been issued. Intel also fixed the flaw in new CPUs it released last month. 

One near certainty is that there will be a continuing stream of speculative execution side-channel vulnerabilities found now that academia has discovered the category of issues that exists as part of the CPU architecture.

"Expect to see more of this class of vulnerabilities. Meltdown and Spectre sparked a new area of research, and there are most likely more architectural flaws waiting to be discovered," says Jimmy Graham, senior director product management, vulnerability management at Qualys.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...