SWAPGS Attack: A new Spectre haunts machines with Intel CPUs

Bitdefender researchers have uncovered yet another viable speculative execution side-channel attack that can be leveraged against Intel CPUs and the computers running on them.

The SWAPGS Attack, as they call it, circumvents the protective measures that have been put in-place in response to earlier attacks such as Spectre and Meltdown. Still, there is plenty of good news: Microsoft has already released Windows patches for the flaw that makes the attack possible and, even though feasible, the researchers don’t expect the attack to be exploited for widespread, non-targeted attacks.

“A successful attack requires a vulnerable Intel CPU, an unpatched operating system and several hours of continuous probing,” Bogdan Botezatu, Director of Threat Research at Bitdefender, told Help Net Security.

“This attack was not trivial to discover or execute, so, in the absence of a proof of code, I would rate is as difficult to implement for the average cyber-criminal. It might, however, be more than appealing to high profile threat actors, given the fact that exploitation leaves no traces on the system.”

The attack

As Spectre, Meltdown, MDS and other similar attacks before it, the SWAPGS attack takes advantage of speculative execution, a functionality that seeks to speed-up the CPU by having it make educated guesses as to which instructions might come next.

Unfortunately, the discarded instructions produce microarchitectural changes that can leave traces in the system’s caches. Those can be observed by attackers and provide them with helpful information such as passwords, encryption keys, tokens, access credentials, or pointers or addresses that would allow them to perform privilege escalation.

The new attack takes advantage of SWAPGS, a system instruction that is used by the operating system to switch between two Model Specific Registers. The researchers discovered a way to manipulate this instruction to leak out information that should be available to the operating system only. (The SWAPGS attack is, in effect, a variant of the Spectre V1 attack.)

The whitepaper Bitdefender released has much more technical information about it, but what’s important for you to know now is this:

  • It affects all Intel CPUs that support speculative execution of the SWAPGS instruction, so basically anything from Intel Ivy Bridge (introduced 2012) until latest processors series available on the market
  • Both home users and enterprise users are impacted by this vulnerability (CVE-2019-1125): desktops, laptops, servers, etc. running an Intel Ivy Bridge or newer CPU are vulnerable
  • This type of flaw can generally be mitigated via hardware fixes (directly on silicon), microcode (firmware) updates (provided by the CPU manufacturer) or software patches.

Should you worry?

“The initial discovery of the vulnerability took great effort as it requires intimate knowledge of the operating system and CPU internals. However, exploiting this vulnerability is easy once the attacker has the proof of concept code and tests it on an unpatched system,” the researchers explained.

“Now, the information exfiltrated is unpredictable – we can extract a lot of junk and only very little relevant information, but if the attackers have a lot of time to gather information, they will eventually stumble upon what they are looking for. This is not a type of attack that we expect to be commercially weaponized in order to plant malware on the users’ computers, but it can serve a highly motivated threat actor as an information gathering tool because exploiting this vulnerability leaves no traces on the system.”

Bitdefender has worked with Intel for more than a year on public disclosure of this attack. The former says it is possible that an attacker with knowledge of the vulnerability could have exploited it to steal confidential information, but that, based on their telemetry, there are no attacks reported yet.

Available fixes and mitigations

“The best fix for that would be to completely remove the CPU and replace it with a redesigned one that is not vulnerable to this type of manipulation,” Bitdefender noted.

Since that is not yet an option and Intel has said they won’t be pushing out microcode updates to fix it on existing CPUs, a software solution (i.e., OS patches) is what’s left. Users and administrators should, therefore, implement Microsoft’s July security updates.

“The focus of our research was Microsoft Windows, as it was a low hanging fruit in terms of demonstrating the exploit. A quick analysis of the Linux kernel revealed that although it contains a gadget which may be used in an attack, it lies inside the Non- Maskable Interrupt (NMI) handler. We therefore believe that Linux would be difficult (if not impossible) to attack,” the researchers noted.

“A quick analysis of the Hyper-V kernel and of the Xen hypervisor kernel revealed that the SWAPGS instruction is not used, so exploitation is impossible. Other operating systems and hypervisors have not been investigated, although Microsoft, during the coordination of the disclosure, notified all the interested partied about this vulnerability.”

Also, since the SWAPGS instruction is present only on x86-64, they don’t expect other CPU architectures, such as ARM, MIPS, POWER, SPARC or RISC-V to be vulnerable.

“However, we don’t exclude the existence of other similarly sensitive instructions that may execute speculatively,” they added.

Botezatu also noted that, while the company’s Hypervisor Introspection technology can detect attacks and mitigate the risk of attack by instrumenting each vulnerable SWAPGS instruction and making sure it won’t execute speculatively, operating system patches should be the first line of defense.

The company said that they expect Apple devices not be vulnerable, but that the final and definite say on that should come from Apple.

Bitdefender is scheduled to present their findings at Black Hat USA 2019.

UPDATE (August 7, 2019, 2:43 a.m. PT):

Although Bitdefender tested two AMD CPUs and found that neither exhibited speculative behavior for the SWAPGS instruction, and although AMD says that they believe its products are, for that reason, not vulnerable to the SWAPGS variant attack, a Red Hat advisory says that the vulnerability “applies to x86-64 systems using either Intel or AMD processors.”

Microsoft also mentions AMD and ARM-based systems being vulnerable to Spectre attacks, but it’s unclear whether this latest variant (SWAPGS attack) would affect them. The company provided security updates with fixes for various Windows versions, including Windows 10 for ARM64-based systems.

Don't miss