Hacking

SWAPGS Attack – A new Spectre-V1 attack affects modern chips

Experts discovered a new variant of the Spectre vulnerability (SWAPGS Attack) that affects modern Intel CPUs which leverage speculative-execution, and also some AMD processors.

Experts discovered a new Spectre speculative execution flaw (SWAPGS attack), tracked as CVE-2019-1125, that affects all Modern Intel CPUs and some AMD processors.

The flaw could be exploited by unprivileged local attackers to access sensitive information stored in the operating system privileged kernel memory (i.e. passwords, tokens, and encryption keys).

Speculative execution is a core component of modern microprocessor designed to improve performance, unfortunately, they could lead to information disclosure.

Microsoft July Patch Tuesday security updates addressed a new speculative execution vulnerability, tracked as CVE-2019-1125, that was reported by experts at Bitdefender.

“An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries.” reads the advisory published by Microsoft.

“To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.”

This vulnerability, released on August 6, 2019, is a variant of the Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.”

Red Hat also published a security update related to the additional Spectre-V1 like attack vector (SWAPGS attack) requiring updates to the Linux kernel.

The flaw could allow an unprivileged local attacker to exploit these flaws to bypass conventional memory security restrictions to gain read access to privileged memory.

The attack relies on speculatively executing unexpected SWAPGS instructions after a branch gets mispredicted.

The “SWAPGS” instruction allows to implement the mechanism to transition from userspace to kernel space, it determines a convention to find kernel data such as kernel stack data.

“The SWAPGS instruction is a primitive instruction and does not validate the correctness of the values it uses. There are cases where the system may enter kernel code but may not require the swap or may re-enter kernel mode when already running in kernel mode.” states the advisory.

“Due to these cases, there are checks within the kernel entry code where conditional branches test to determine if the swap is necessary. As a result, it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations. A typical Spectre-style side-channel analysis may be performed on the timing results by a suitably skilled attacker.”

The SWAPGS Attack allows bypassing all known Spectre and Meltdown mitigations, the good news is that the attack could not be launched remotely making WannaCry-like infections impossible.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SWAPGS attack, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

11 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

18 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.