Pierluigi Paganini June 15, 2018

A new vulnerability involving side channel speculative execution on Intel chips, known as LazyFP, has been announced and assigned CVE-2018-3665.

A new vulnerability tracked as LazyFP (CVE-2018-3665) involving side channel speculative execution affects Intel CPUs, like previous ones it could be exploited by hackers to access sensitive information from the affected system.

The vulnerability was discovered by Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology and Zdenek Sojka from SYSGO AG.

The vulnerability resides in the floating point unit (FPU) that is used by the operating system when switching between processes. It is used to save the current context (state of the current process and registries) and restores the context of the new process.

“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value,” reads the advisory published by Intel.

There are two types of switching, Lazy FPU and Eager FPU, the former has better performance on older systems.

Security researchers discovered recently that if the Lazy method if vulnerable to attacks that could expose FPU state data, which can contain sensitive information such as cryptographic keys.

“The register state of the floating point unit (FPU), which consists of the AVX, MMX and SSE register sets, can be leaked across protection domain boundaries. This includes leaking across process- and virtual machine boundaries.” reads the analysis published by Thomas Prescher, Julian Stecklina, Jacek Galowicz

“The FPU state may contain sensitive information such as cryptographic keys.”

According to the expert, the CVE-2018-3665 vulnerability is similar to Meltdown  Variant 3a.

Intel confirms the CVE-2018-3665 vulnerability affects Core processors, but it claims the issue has been addressed by operating system and hypervisor software developers for many years, Intel urges vendors that still haven’t fixed the issue to do it as soon as possible by releasing necessary security updates.

Lazy FPU doesn’t affect systems using AMD or ARM processors, while Microsoft confirmed that “Lazy restore” is enabled by default in all versions of the operating system and cannot be disabled. Customers using the Azure platform are not affected by the problem.

Microsoft has yet to say exactly which versions of Windows are vulnerable, but the company noted that “Lazy restore” is enabled by default in all versions of the operating system and cannot be disabled. The tech giant assured customers that VMs running in Azure are not at risk.

“Is Lazy restore enabled by default and can it be disabled?

Lazy restore is enabled by default in Windows and cannot be disabled.” reads the FAQs published by Microsoft.

Recent versions of Linux kernel use Eager FPU this means that are not affected, while for older processors the flaw can be mitigated by enabling Eager FPU rebooting the kernel with the “eagerfpu=on” option.

AWS told its customers that its infrastructure is not affected.

Pierluigi Paganini

(Security Affairs – LazyFP , Intel)

[adrotate banner=”5″]

[adrotate banner=”13″]