Deja-wooo-oooh! Intel chips running Windows potentially vulnerable to scary Spectre variant
SWAPGS can be abused to siphon sensitive secrets from kernel memory, patches already available
Spectre – a family of data-leaking side-channel vulnerabilities arising from speculative execution that was disclosed last year and affects various vendors' chips – has a new sibling that bypasses previous mitigations.
Designated CVE-2019-1125 and rated moderate in terms of severity, the issue – limited primarily to Intel x86-64 systems running Windows – could allow a local attacker to work around protections like kernel address space isolation to read sensitive kernel memory. AMD's 64-bit x86 processors running Windows are also affected, though to a much lesser extent.
Note that Spectre vulnerabilities are not, to the best of our knowledge, being exploited in the wild by any software nasties, mainly because they are too much of a faff to abuse when there are easier and better bugs to abuse. As such, this latest discovery is primarily another fascinating look into the world of processor design and its shortcuts and blunders.
According to security biz BitDefender, whose researchers found the flaw, a hardware fix isn't viable and the issue has to be addressed at the operating system level. The outfit has dubbed the flaw "SWAPGS Attack," and illustrated its inner workings here.
As Red Hat explains in its write-up, SWAPGS refers to a system instruction that, as its name suggests, "swap[s] the current user space value of 'GS' (a memory segment register) with the value intended to be used during kernel operations." It's available only in 64-bit mode on x86 chips.
SWAPGS doesn't validate its value and therein lies the problem. "As a result," Red Hat says, "it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations."
Such mis-speculation may then be revealed through side-channel timing analysis, resulting in the gradual disclosure of kernel memory.
The vulnerability affects Windows, including virtual machines running on it. Linux is theoretically vulnerable in that it contains a gadget (a specific construction of machine code) that could be used in a potential attack. However, BitDefender notes that the gadget lies within the Linux kernel's non-maskable interrupt (NMI) handler and would therefore be difficult, if not impossible, to attack. Apple hardware isn't believed to be affected.
Data-spewing Spectre chip flaws can't be killed by software alone, Google boffins concludeREAD MORE
Microsoft quietly patched its Windows operating system on July 9, and on Tuesday this week published an advisory to that effect. Its software revision limits how the CPU speculatively accesses memory.
"To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application," Microsoft said in its advisory. "The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further."
Red Hat – though it insists it isn't aware of any way to exploit this vulnerability on Linux kernel-based systems – has patched its Enterprise Linux versions 5-8, Atomic Host, Enterprise MRG 2, OpenShift Online v3, Red Hat Virtualization, Red Hat OpenStack Platform and Red Hat OpenShift Container Platform 4. The company insists its fix has only "a minimal performance impact" that doesn't show up in current benchmarks.
Neither AMD nor Intel plan to issue microcode updates because they believe the vulnerability can be adequately addressed in software.
Intel, in a statement provided to The Register, said Microsoft's patch resolved the problem, which applies to x86-64 chips since Ivy Bridge (2012). "Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft," the chipmaker said. "It takes the ecosystem working together to collectively keep products and data more secure and this issue is being coordinated by Microsoft."
AMD is even less concerned.
"Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS," AMD said in a statement on its website. "For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1."
BitDefender's white paper describes two attack scenarios: when SWAPGS is not getting executed speculatively though it should, and when SWAPGS is getting speculatively executed but shouldn't.
Each of these has two variants: where the attacker tests if a value is located at a specific kernel address and where the attacker infers the value at a randomly selected kernel address. It's only this second variant of the second attack scenario that pertains to AMD. ®