
SWAPGS Attack – A new Spectre-V1 attack affects modern chips

Experts discovered a new variant of the Spectre vulnerability (the SWAPGS attack) that affects modern Intel CPUs relying on speculative execution, as well as some AMD processors.

Experts discovered a new Spectre speculative execution flaw (the SWAPGS attack), tracked as CVE-2019-1125, that affects all modern Intel CPUs and some AMD processors.

The flaw could be exploited by unprivileged local attackers to access sensitive information stored in the operating system's privileged kernel memory (e.g. passwords, tokens, and encryption keys).

Speculative execution is a core component of modern microprocessors designed to improve performance; unfortunately, it can lead to information disclosure.

Microsoft July Patch Tuesday security updates addressed a new speculative execution vulnerability, tracked as CVE-2019-1125, that was reported by experts at Bitdefender.

“An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries.” reads the advisory published by Microsoft.

“To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.”

“This vulnerability, released on August 6, 2019, is a variant of the Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.”

Red Hat also published a security update covering this additional Spectre-V1-like attack vector (the SWAPGS attack), which requires updates to the Linux kernel.

The flaw could allow an unprivileged local attacker to bypass conventional memory security restrictions and gain read access to privileged memory.

The attack relies on speculatively executing unexpected SWAPGS instructions after a branch gets mispredicted.

The “SWAPGS” instruction is used to implement the transition from user space to kernel space: it swaps the GS base register, which is the convention the kernel relies on to locate its own data, such as the kernel stack.

“The SWAPGS instruction is a primitive instruction and does not validate the correctness of the values it uses. There are cases where the system may enter kernel code but may not require the swap or may re-enter kernel mode when already running in kernel mode.” states the advisory.

“Due to these cases, there are checks within the kernel entry code where conditional branches test to determine if the swap is necessary. As a result, it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations. A typical Spectre-style side-channel analysis may be performed on the timing results by a suitably skilled attacker.”

The SWAPGS attack bypasses all known Spectre and Meltdown mitigations. The good news is that it cannot be launched remotely, which rules out WannaCry-like self-propagating infections.
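Because the fix described in the Red Hat advisory above lives in the kernel's entry code (the conditional branches around SWAPGS), an administrator cannot tell from the CPU model alone whether a host is protected; the running kernel reports it instead. The following POSIX shell script is an added example, not code from the article or from Red Hat, Microsoft or Bitdefender. It assumes a Linux kernel that exposes `/sys/devices/system/cpu/vulnerabilities/spectre_v1`, and the status strings used in its comments are sample values of the form that file reports (the kernel names the SWAPGS barriers explicitly). The classification function is kept separate from the file read so the logic can be exercised offline on constructed input.

```shell
#!/bin/sh
# Added example (not from the Security Affairs article): read the Linux
# kernel's Spectre v1 status report and tell whether the SWAPGS barriers
# added for CVE-2019-1125 are active on this host.
# Assumption: a Linux kernel exposing the sysfs file below.

SPECTRE_V1_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# classify_spectre_v1 STATUS_LINE
# Prints one word for the state found in STATUS_LINE:
#   swapgs-barriers  kernel reports a mitigation that includes the SWAPGS barriers
#   partial          a Spectre v1 mitigation is reported, but without SWAPGS barriers
#   vulnerable       kernel reports the CPU as vulnerable (e.g. barriers disabled at boot)
#   not-affected     kernel reports the CPU as not affected
#   unknown          empty or unrecognised text
# Order matters: a "Vulnerable: ... no swapgs barriers" line also contains the
# word "swapgs", so the Vulnerable pattern must be tested first.
classify_spectre_v1() {
    case "$1" in
        Vulnerable*)          echo vulnerable ;;
        Mitigation:*swapgs*)  echo swapgs-barriers ;;
        Mitigation:*)         echo partial ;;
        "Not affected"*)      echo not-affected ;;
        *)                    echo unknown ;;
    esac
}

# check_host: read the sysfs file (if readable) and print "<verdict>: <raw line>".
# Returns 0 only when the SWAPGS barriers are reported, so it can gate automation.
check_host() {
    if [ ! -r "$SPECTRE_V1_SYSFS" ]; then
        echo "unknown: $SPECTRE_V1_SYSFS not readable (non-Linux host or kernel without the report)"
        return 1
    fi
    status=$(cat "$SPECTRE_V1_SYSFS")
    verdict=$(classify_spectre_v1 "$status")
    echo "$verdict: $status"
    [ "$verdict" = swapgs-barriers ]
}

# When run directly, report this host. The "|| :" keeps the script's top level
# from aborting under "set -e"; callers wanting the exit status call check_host.
[ "${SWAPGS_CHECK_NO_MAIN:-0}" = 1 ] || check_host || :
```

A host patched with the kernel update the article refers to should print the `swapgs-barriers` verdict; `partial` means the kernel carries the older Spectre v1 user-pointer sanitisation but predates (or was built without) the SWAPGS barriers, and `vulnerable` means the barriers were deliberately disabled at boot, which is worth flagging in a fleet inventory.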


Pierluigi Paganini

(SecurityAffairs – SWAPGS attack, hacking)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
