Tuesday, March 5th 2019

Spoiler Alert: New Security Vulnerability Found Affecting Intel CPUs

A new security vulnerability has been found that affects only Intel CPUs - AMD users need not be concerned about this issue. Dubbed Spoiler, the newly found vulnerability was discovered by the Worcester Polytechnic Institute in partnership with the University of Lübeck, and affects all Intel CPUs since the introduction of the Core architecture. This vulnerability also lies in Intel's speculative execution design, and according to the researchers it works independently of the OS, virtual machine, or sandboxed environment.

As the researchers explain, Intel's speculative execution of certain memory workloads requires the full physical address bits of the data in memory to be known, and this could make the full physical address observable from user space - enabling privilege escalation and other microarchitectural attacks. According to the researchers, a software fix for this problem is impossible, which means this is yet another silicon-level bug that must be addressed in future processor designs.
Source: White Paper

114 Comments on Spoiler Alert: New Security Vulnerability Found Affecting Intel CPUs

#51
lexluthermiester
moproblems99 wrote:
If that were true, things like privilege escalation exploits wouldn't exist. The truth is, if someone wants your data, they will get it. No matter where it is. At home, a data center, your phone. The web is fundamentally insecure.
Can't argue with that, because it's true. What I meant was that these particular vulnerabilities are very fundamentally difficult to pull off remotely.
#52
yakk
WHOOAA! Didn't realize this could be done in conjunction to speed up simple JavaScript attack vectors :eek:

Now, this has the potential to get real bad, relatively quickly and not just for servers once the hacking tools become more common and readily available.
#53
SoNic67
I am sure AMD CPUs are affected too... This is not negligence, it is a principle bug. Every processor needs speculative execution, or else it will crawl. And that opens the gate to this kind of attack.
They just haven't found the AMD one yet.

It's funny that a similar comment above got down voted.
#54
lexluthermiester
yakk wrote:
WHOOAA! Didn't realize this could be done in conjunction to speed up simple JavaScript attack vectors :eek:
Thinking I missed something. Where did you read that?
#55
yakk
lexluthermiester wrote:
Thinking I missed something. Where did you read that?
You can read through the research paper (tedious even if you understand it), but here is a good summary of how it could be done.

Basically in principle (until systematically proven, but by the looks of it, sure seems likely) the exploit can run at the same time as a simple website JavaScript.

i.e.: The exploit can lift the information from server memory operations when, let's say... it could be comparing passwords in memory for authorization, and feed it back to the running JavaScript, which could just use it in a brute force attack, without needing the brute force anymore.

Do this fast enough and even 2FA could be exploited.
#56
moproblems99
yakk wrote:
You can read through the research paper (tedious even if you understand it), but here is a good summary of how it could be done.

Basically in principle (until systematically proven, but by the looks of it, sure seems likely) the exploit can run at the same time as a simple website JavaScript.

i.e.: The exploit can lift the information from server memory operations when, let's say... it could be comparing passwords in memory for authorization, and feed it back to the running JavaScript, which could just use it in a brute force attack, without needing the brute force anymore.

Do this fast enough and even 2FA could be exploited.
The problem is that the attacker needs to get the script on the server to begin with. That requires at least successfully exploiting one other vulnerability which is likely going to be XSS (cross site scripting) because a ridiculously high number of sites are vulnerable (read: nearly any).
#57
yakk
moproblems99 wrote:
The problem is that the attacker needs to get the script on the server to begin with. That requires at least successfully exploiting one other vulnerability which is likely going to be XSS (cross site scripting) because a ridiculously high number of sites are vulnerable (read: nearly any).
Or maybe turn it around to the user's computer using a password manager, which is probably much easier to infect than a "well patched" server.

The possibilities are wide open at this point. The more I'm reading, the more this seems like the most flexible exploit I've seen in a very long time.
#59
moproblems99
yakk wrote:
Or maybe turn it around to the user's computer using a password manager, which is probably much easier to infect than a "well patched" server.

The possibilities are wide open at this point. The more I'm reading, the more this seems like the most flexible exploit I've seen in a very long time.
JavaScript will be the scourge of the internet for a while. The problem with the web is the insecurity is built into the HTTP protocol itself, as being an RFC compliant server means you have to be backwards compatible with previous HTTP versions. Just look up HTTP 0.9 and then proceed to cry.
#60
syrup
juiseman wrote:
If it ain't broke don't fix...
Still mourning the loss of that approach with software in the Internet era, but at least we haven't so far been 'forced' to unnecessarily upgrade PC hardware to maintain security.
#62
John Naylor
moproblems99 wrote:
In my opinion, it is great that security is finally getting highlighted. Now people will understand that 90% of businesses don't give two poos about protecting your data. This may not be a problem for consumers...until it is. Just remember the processors sitting in all those data centers holding all of your data. Then you find out that every piece of software and hardware you use on a daily basis makes Swiss cheese look like concrete because security and privacy is the first thing that gets thrown out the window when the budget hammer comes down. Disgusting, frankly.

Truth be told, 9/10 users don't need to worry about this. Most of these attacks require people that actually know what they are doing. The morons will get sniffed out before they have a chance to do anything.
I find the biggest attention in threads like this is fans of both sides doing one-upmanship each time a new vulnerability is discovered. For example, if someone asks whether Corsair AIOs present a real world risk, I could do a web search and I'd find .... OK, it doesn't happen often but it does happen, so that's not 100% ... you decide if it's worth the risk.

https://forums.tomshardware.com/threads/my-corsair-h60-exploded.326466/
https://www.reddit.com/r/buildapc/comments/4pxjp2/corsair_h100i_v2_exploded_on_my_3_day_old_build/

But if someone asks whether this or that vulnerability from AMD / Intel presents a risk ... I have yet to come up with any real world scenario where someone says "this happened to me"
#63
moproblems99
You're quite right. It is very unlikely anyone will deal with this directly. But it could affect any of us indirectly.

Neither 'side' should gloat. Any CPU that performs speculative execution is flawed.
#64
R-T-B
jmcslob wrote:
So in other words they discovered the NSA's back door.
Yeah, no. Timing based attacks and stuff like this really aren't backdoors but incredibly advanced reverse engineering of an incredibly complex machine. If it's a backdoor, it's a helluva bad one.

GloryToYou wrote:
Nah. This is likely a legitimate bug. The NSA backdoor is in the Intel Management Engine.
https://en.wikipedia.org/wiki/Intel_Management_Engine
See my post where I dissect and scrub the management engine from some ASRock boards. TL;DR: Even that is not really able to function as a backdoor.

phanbuey wrote:
So you would have to have code running on the machine that sits there looking for the moment when it can intercept a full address to a page in memory, and then grab that out of memory, in the hopes that it has sensitive data in there.

And after I grab that sensitive data and figure out how to use it, I will clean my house with a toothpick.
On datacenters that rent out servers this is a real issue. Suddenly anyone with a login that can execute anything can privilege escalate.

Beyond that, it's of limited scope.

moproblems99 wrote:
If that were true, things like privilege escalation exploits wouldn't exist. The truth is, if someone wants your data, they will get it. No matter where it is. At home, a data center, your phone. The web is fundamentally insecure.
It's all about making the data harder to get than it is worth.

That barrier works. Things like this massively break down that barrier, though.

eidairaman1 wrote:
bulldozer it is not...

Piledriver it is
Begun, the clone wars has...

/yoda speak
#65
jaggerwild
yakk wrote:
You can read through the research paper (tedious even if you understand it), but here is a good summary of how it could be done.

Basically in principle (until systematically proven, but by the looks of it, sure seems likely) the exploit can run at the same time as a simple website JavaScript.

i.e.: The exploit can lift the information from server memory operations when, let's say... it could be comparing passwords in memory for authorization, and feed it back to the running JavaScript, which could just use it in a brute force attack, without needing the brute force anymore.

Do this fast enough and even 2FA could be exploited.
It's posts like this that make this site laughable!!!! OH more FEAR PLEASE!!!!!!
#66
ArbitraryAffection
SoNic67 wrote:
I am sure AMD CPUs are affected too... This is not negligence, it is a principle bug. Every processor needs speculative execution, or else it will crawl. And that opens the gate to this kind of attack.
They just haven't found the AMD one yet.

It's funny that a similar comment above got down voted.
Pains me to say it but you are likely correct. Intel has much higher marketshare and of course most people are going to try to target Intel architecture first.
#67
yakk
jaggerwild wrote:
It's posts like this that make this site laughable!!!! OH more FEAR PLEASE!!!!!!
There's plenty more, search for yourself. Or better yet, read the research paper. :)
#68
hat
Enthusiast
ArbitraryAffection wrote:
Pains me to say it but you are likely correct. Intel has much higher marketshare and of course most people are going to try to target Intel architecture first.
I'm sure AMD will suddenly get lots more attention when/if EPYC makes a significant dent in Intel's market share in the server space...

It's like one of the oldest arguments for using Linux, or even Mac. "Everyone makes viruses for Windows! There are no viruses for Linux/Mac". Because Windows is by far the bigger target...
#69
lexluthermiester
hat wrote:
It's like one of the oldest arguments for using Linux, or even Mac. "Everyone makes viruses for Windows! There are no viruses for Linux/Mac". Because Windows is by far the bigger target...
Which we all know is a load of nonsense. There are even Unix and BSD virii/malware.
#70
hat
Enthusiast
Probably. 10 years ago I didn't question that statement, but today I am aware that, even though Windows is still by far the most popular desktop OS, Linux is in heavy use in server environments. Surely it's a big enough target for someone to bother with?
#71
R-T-B
lexluthermiester wrote:
Which we all know is a load of nonsense. There are even Unix and BSD virii/malware.
Personally, I'm more afraid to run an unpatched Linux server than a Windows one.

Why? One word. Root. Root is way too powerful.
#72
lexluthermiester
R-T-B wrote:
Personally, I'm more afraid to run an unpatched Linux server than a Windows one.

Why? One word. Root. Root is way too powerful.
While you have a point, there are measures and fail-safes that can and do protect from such problems.
#73
moproblems99
lexluthermiester wrote:
While you have a point, there are measures and fail-safes that can and do protect from such problems.
root is game over.
#74
lexluthermiester
moproblems99 wrote:
root is game over.
Root is nothing more than Administrator functionality. Works the exact same way in Windows. Calling it "game over" is making a mountain out of an ant-hill.
#75
trparky
lexluthermiester wrote:
Root is nothing more than Administrator functionality. Works the exact same way in Windows.
And yet people still run as admin on Windows. I at least have the common sense to run with UAC enabled.