Security researchers from Google and Microsoft have found two new variants of the Spectre attack that affects processors made by AMD, ARM, IBM, and Intel.
Rumors about this new flaw leaked online at the start of the month in a German magazine, but actual details were published today.
AMD,
ARM,
Intel,
Microsoft, and
Red Hat have published security advisories at the time of writing, containing explanations of how the bugs work, along with mitigation advice.
Bug known as SpectreNG
The bugs —referred to in the past weeks as SpectreNG— are related to the previous Meltdown and Spectre bugs discovered last year and announced at the start of 2018.
Both Google and Microsoft researchers discovered the bug independently. The bugs work similarly to the Meltdown and Spectre bugs, a reason why they were classified as "variant 3a" and "variant 4" instead of separate vulnerabilities altogether.
Variant 1: bounds check bypass (CVE-2017-5753) aka Spectre v1
Variant 2: branch target injection (CVE-2017-5715) aka Spectre v2
Variant 3: rogue data cache load (CVE-2017-5754) aka Meltdown
Variant 3a: rogue system register read (CVE-2018-3640)
Variant 4: speculative store bypass (CVE-2018-3639)
The most important of these two is Variant 4. Both bugs occur for the same reason —
speculative execution— a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data.
The difference is that Variant 4 affects a different part of the speculative execution process —the data inside the "store buffer" inside a CPU's cache. Red Hat has published a YouTube video explaining how the bug affects modern CPUs.
https://www.youtube.com/embed/Uv6lDgcUAC0
As Red Hat breaks it down in a more technical explanation, the vulnerability...
...relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.
"An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries," Microsoft said in a similar advisory, confirming a Red Hat assessment that the flaw could be used to break out of sandboxed environments.
So here is #spectre variant 4. The processor speculates that your write operation does not change anything and continues with the outdated (possibly non-sanitized) value from L1.https://t.co/ZcjaTSrLNW
— Daniel Gruss (@lavados) May 21, 2018
Google's Jann Horn, the man behind the Meltdown and Spectre flaws, has also published
proof-of-concept code.
Intel and AMD x86 chipsets, along with POWER 8, POWER 9, System z, and ARM CPUs are known to be affected. Intel has published a detailed list of affected CPU series in a security advisory.
Variant 4 can be exploited remotely, via JavaScript code in the browser. Microsoft said it did not detect any exploitation attempts, though.
Additional patches released
Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel Corporation, said that the original Meltdown and Spectre patches from January 2018 should be enough to mitigate Variant 4 as well.
Nonetheless, Intel also announced new patches.
"We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,"
Culbertson said. "This mitigation will be set to off-by-default, providing customers the choice of whether to enable it."
"In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent," Culbertson added.
Red Hat and Microsoft announced new patches as well (see links to security advisories for mitigation advice).
Source
