Pierluigi Paganini May 22, 2018

Yesterday AMD, ARM, IBM, Intel, Microsoft and other major tech firms released updates, mitigations and published security advisories for two new variants of Meltdown and Spectre attacks.

Spectre and Meltdown made the headlines again, a few days after the disclosure of a new attack technique that allowed a group of researchers to recover data from the  System Management Mode (SMM) memory, IT giants release security updates and mitigations for two new variants of the speculative execution attack methods.

Let’s make a recap of the of the two flaws:

The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Meltdown attacks trigger the CVE-2017-5754 vulnerability, while Spectre attacks the CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, only Meltdown and Spectre Variant 1 can be addressed via software, while Spectre Variant 2 required an update of the microcode for the affected processors. Software mitigations include.

In February white hat hackers at Google Project Zero and Microsoft discovered a new attack dubbed Variant 4 (CVE-2018-3639).

In May, a German website revealed that Intel along other vendors had been working on security updates for a new set of 8 of Spectre vulnerabilities, so-called “Spectre-NG.”

The new eight Spectre-NG vulnerabilities in Intel CPUs also affect some ARM processors, at the time of writing the researchers only disclosed to the German computer magazine Heise the partial details of the vulnerabilities, while experts speculated that they were very dangerous because easier to exploit.

Yesterday AMD, ARM, IBM, Intel, Microsoft and other major tech firms released updates, mitigations and published security advisories for two new variants of Meltdown and Spectre attacks. Both CERT/CC and US-CERT also published security advisories to warn of the new side-channel attacks.

Intel has already developed microcode that addresses both Variant 3a and Variant 4 and also distributed Beta versions to OEMs and operating system vendors. The tech giant plans to provide BIOS and software updates to its customers next weeks.

“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.” reads the advisory published by Intel. “This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option.  In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client¹ and server² test systems.”

The bad news is that the security updates can cause a degradation of the performance.

AMD declared that Variant 3a does not affect its chips, while patches for Variant 4 should be expected from Microsoft and Linux distributions.

Microsoft is still assessing its products, but it declared that they are not affected by Variant 4.

“However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.” states the security advisory published by Microsoft.

“At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate. Microsoft will implement the following strategy to mitigate Speculative Store Bypass.”

As for Variant 3a, says explained that the only way to mitigate the issue it through a microcode/firmware update and not an operating system update.

IBM has released both security patches for both firmware and OS to address the Variant 4 in the Power Systems series.

“In May 2018, a fourth variant was identified, CVE-2018-3639. This variant is another instantiation of a side-channel information disclosure attack.” reads the advisory published by IBM.

“Mitigation of these vulnerabilities for Power Systems clients involves installing patches to both system firmware and operating systems. Both the firmware and OS patches are required for the mitigation to be effective against these vulnerabilities and the latest firmware and OS patches incorporate mitigations for the fourth variant.”

Other tech giants published security advisories for the new variants of Spectre and Meltdown attacks, including Cisco, Oracle, Red Hat, Suse, Ubuntu, and VMware.

Pierluigi Paganini

(Security Affairs – Intel, Spectre and Meltdown)

[adrotate banner=”5″]

[adrotate banner=”13″]