Spectre And Meltdown Still Haunting Intel/AMD

The ongoing saga of the Spectre and Meltdown vulnerabilities has just taken a new turn. Discovered by Google Project Zero (GPZ) and Microsoft, the new variants affect everything from desktops, laptops and mobile devices to infrastructure-as-a-service. These flaws are present in nearly all modern microprocessors and could allow an attacker to steal sensitive information by accessing privileged memory as a result of abusing a feature called speculative execution. We’ve been following the ongoing developments of these vulnerabilities from their first disclosure back in January 2018 and have released coverage to help keep our customers secure based on previous developments. The vulnerability has continued to evolve – variants of Spectre have surfaced that utilize speculative execution side-channel attack methods and have been assigned CVE-2018-3639 as well as CVE-2018-3640.

The new derivatives are called Variant 3a (Rogue System Register Read (RSRE)) and Variant 4 (Speculative Store Bypass) and were discovered and jointly disclosed by GPZ and Microsoft's Security Response Center (MSRC).

Impact assessment

According to CERT, Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to access sensitive information on affected systems. When the original Spectre and Meltdown vulnerabilities were disclosed, many companies like Intel, Red Hat and Microsoft issued updates to patch the issues. However, the fixes haven't always worked as intended, and some customers experienced performance as well as other issues when they applied the patches.

This time around, Intel has delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors. This mitigation has been set to off by default, providing their customers the choice of whether to enable it. With the configuration set to off, they have observed no performance impact. However, if enabled, they observed a performance impact of approximately two to eight percent based on overall scores for benchmarks. They expect it will be further released into production BIOS and software updates over the coming weeks by various vendors.

Vulnerability details

Intel is classifying Variant 3a as a medium-risk vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.

Intel is classifying Variant 4 as a medium-risk vulnerability that exploits “speculative bypass.”
When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. Many of the exploits it uses were fixed in the original set of patches for Spectre and Meltdown. This makes real-world exploitation of these issues harder.

Exploitation

Intel has stated they haven’t received any reports of this method being used in real-world exploits. In addition, mitigation techniques that were deployed for Variant 1 back in January can also be applied to Variant 4, which are already available. Additionally, Intel and its partners will be providing a combination of microcode and software updates for mitigating Variant 4.

According to a Microsoft Security release, an attacker could read privileged data across trust boundaries with a successful exploit: "Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel." With that being said Microsoft has also stated, "At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate."

Red Hat’s VP of the operating system platform, Denise Dumas, issued a statementsaying: “These vulnerabilities could allow a malicious actor to steal sensitive information from almost any computer, mobile device, or cloud deployment. Importantly, several technology industry leaders, including Red Hat, have worked together to create patches that correct this issue, underscoring the value of industry collaboration. It is key that everyone -- from consumers to enterprise IT organizations -- apply the security updates they receive. Because these security updates may affect system performance, Red Hat has included the ability to disable them selectively in order to better understand the impact on sensitive workloads.”

Urgently required actions

Refer to hardware and software vendors for patches or microcode and deploy as soon as they are available.

Tenable Research is monitoring the situation and will release coverage as required to help keep our customers secure.

Identifying affected systems

• Refer to hardware and software vendors’ releases.

Get more information

• Intel Tech Release
• Microsoft Security Release
• Red Hat Tech Release
• Red Hat Speculative Store Bypass
• Learn more about Tenable.io®, the first Cyber Exposure platform for holistic management of your modern attack surface
• Get a free 60-day trial of Tenable.io Vulnerability Management

Editor's Note: This post was edited for accuracy on May 23, 2018.