New Spectre-like flaw found in CPUs using speculative execution

A new flaw that can allow an attacker to obtain access to sensitive information on affected systems has been discovered in modern CPUs.

CVE-2018-3639, discovered independently by Google Project Zero and Microsoft Security Response Center researchers and dubbed “Variant 4,” is a Speculative Store Bypass (SSB) vulnerability, and is considered to be a new variant of the previously revealed Spectre Variant 1 vulnerability.

CVE-2018-3639 Variant 4

“Variant 4 is a vulnerability that exploits ‘speculative bypass.’ When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to read arbitrary privileged data; and run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods,” US-CERT explained.

Mitigation

Leslie Culbertson, executive VP and general manager of Product Assurance and Security at Intel Corporation, pointed out that researchers demonstrated Variant 4 in a language-based runtime environment.

“While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers,” she explained, and added that most leading browser providers deployed mitigations for Variant 1 in their managed runtimes and that these mitigations substantially increase the difficulty of exploiting side channels in a web browser.

“These mitigations are also applicable to Variant 4 and available for consumers to use today,” she said, but added that Intel will offer the option for full mitigation that will come in the form of a combination of microcode and software updates.

“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option,” she shared, and confirmed that if the mitigation is enabled, the vulnerable CPUs will experience a performance impact of approximately 2 to 8 percent.

“This same update also includes microcode that addresses Variant 3a (Rogue System Register Read), which was previously documented publicly by Arm in January. We have not observed any meaningful performance impact on client or server benchmarks with the Variant 3a mitigation. We’ve bundled these two microcode updates together to streamline the process for our industry partners and customers,” she concluded.

(Variant 3a, the Rogue System Register Read, was discovered by SYSGO AG and has been filed as CVE-2018-3640. It may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.)

More details about the affected Intel processors and offered mitigations can be found here.

AMD and Arm have also released similar information.

Microsoft has explained that it has yet to find any exploitable code patterns of this vulnerability class in its software or cloud service infrastructure, but if it does, it will address them with a security update. In the meantime, Microsoft will add support for Speculative Store Bypass Disable (SSBD) to Microsoft Windows and Azure.

Red Hat has said it will release microcode updates as they become available. More information is also provided here.
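Because the Intel microcode mitigation ships off by default and Microsoft's SSBD support is likewise an opt-in, a practitioner's first question on a Linux host is simply whether the store-bypass mitigation is present and whether it is actually enabled. The following script is an added example, not code from the article or from any of the vendors quoted in it. It assumes the sysfs file the Linux kernel exposes for this vulnerability class (`/sys/devices/system/cpu/vulnerabilities/spec_store_bypass`), the kernel's wording for its status line, and the `ssbd`, `amd_ssbd` and `virt_ssbd` CPU flags in `/proc/cpuinfo`; the sample status lines and cpuinfo text in the block are constructed for illustration.

```python
"""Report Speculative Store Bypass (CVE-2018-3639) mitigation status on Linux.

Added example; not part of the original article. Assumptions:
  - the kernel exposes a status line at SYSFS_SSB (Linux 4.17+ and vendor backports);
  - the status line uses the kernel's wording reproduced in SAMPLE_STATUSES;
  - a CPU with the SSBD microcode shows an 'ssbd', 'amd_ssbd' or 'virt_ssbd' flag.
"""
import re

SYSFS_SSB = "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"
SSBD_FLAGS = {"ssbd", "amd_ssbd", "virt_ssbd"}

# Constructed sample status lines, modelled on the kernel's wording.
SAMPLE_STATUSES = [
    "Not affected",
    "Vulnerable",
    "Mitigation: Speculative Store Bypass disabled",
    "Mitigation: Speculative Store Bypass disabled via prctl",
    "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
]


def classify_ssb_status(line):
    """Map a sysfs status line to (state, detail).

    state is 'not_affected', 'vulnerable', 'mitigated_global',
    'mitigated_opt_in' or 'unknown'. A bare "disabled" means SSBD is forced
    on for every task; a "via prctl"/"via seccomp" suffix means only tasks
    that opt in (or are sandboxed) run with the store bypass disabled.
    """
    text = line.strip()
    if text == "Not affected":
        return ("not_affected", None)
    if text.startswith("Vulnerable"):
        return ("vulnerable", text)
    m = re.match(r"Mitigation:\s*(.+)", text)
    if m:
        detail = m.group(1)
        if re.search(r"\bvia\b", detail):
            return ("mitigated_opt_in", detail)
        return ("mitigated_global", detail)
    return ("unknown", text)


def cpu_has_ssbd_flag(cpuinfo_text):
    """True if /proc/cpuinfo-style text advertises an SSBD CPU flag."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return bool(flags & SSBD_FLAGS)
    return False


def advise(state, has_ssbd_flag):
    """Turn the two observations into the decision the article describes."""
    if state == "not_affected":
        return "CPU not affected; nothing to do."
    if state == "mitigated_global":
        return "SSBD forced on for all tasks; expect the 2-8% cost Intel quotes."
    if state == "mitigated_opt_in":
        return "SSBD available; only prctl/seccomp opt-in tasks are protected."
    if state == "vulnerable" and has_ssbd_flag:
        return "Microcode present but mitigation disabled (vendor default-off)."
    if state == "vulnerable":
        return "No SSBD microcode: apply the BIOS/microcode update first."
    return "Status unknown: kernel predates the sysfs interface or is not Linux."


def read_ssb_status(path=SYSFS_SSB):
    """Read the live sysfs file; ('unknown', None) if it does not exist."""
    try:
        with open(path) as f:
            return classify_ssb_status(f.read())
    except OSError:
        return ("unknown", None)


def read_cpuinfo_flag(path="/proc/cpuinfo"):
    try:
        with open(path) as f:
            return cpu_has_ssbd_flag(f.read())
    except OSError:
        return False


if __name__ == "__main__":
    state, detail = read_ssb_status()
    flag = read_cpuinfo_flag()
    print(f"spec_store_bypass: {state} ({detail})")
    print(f"ssbd cpu flag:     {flag}")
    print(advise(state, flag))
```

The interesting combination for this story is `Vulnerable` together with a present `ssbd` flag: the microcode has arrived through the BIOS update, but nothing has turned the mitigation on, which is exactly the default-off state Intel describes above.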

Organizations must make a choice

Joseph Carson, Chief Security Scientist at Thycotic, commented on the revelation by saying it should not come as a surprise, as once a major vulnerability is found the world’s cybersecurity researchers will zoom in to find other possible variations.

“This particular variant exploits the Speculative Store Bypass attack commonly used in ‘language-based runtime environments’ used in web browsers (e.g., JavaScript). Currently there is no permanent solution for these flaws (a nice way to avoid saying major security vulnerability) and everything we have seen so far is [an offer to] turn [capabilities] off and accept reduced performance,” he noted.

“It is a bit like a car manufacturer telling you to ‘remember that car we sold you? Well the locks don’t really work so to keep it from being stolen you can no longer drive it at 70mph but now it is limited to 50mph. Sorry you can’t have fast performance and security at the same time so you must choose only one.’ Organisations must again decide what is the greater risk: system downtime and business performance impact or the risk of a cyberattack that exposes sensitive data or full access to the corporate network.”
