• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

New vulnerabilities incoming - Spectre-NG

ikeke

ikeke

Joined
May 6, 2012
Messages
184 (0.04/day)
Location
Estonia
System Specs
System Name Steamy
Processor Ryzen 7 2700X
Motherboard Asrock AB350M-Pro4
Cooling Wraith Prism
Memory 2x8GB HX429C15PB3AK2/16
Video Card(s) R9 290X WC
Storage 960Evo 500GB nvme
Case Fractal Design Define Mini C
Power Supply Seasonic SS-660XP2
Software Windows 10 Pro
Benchmark Scores http://hwbot.org/user/kinski/ http://valid.x86.fr/qfxqhj https://goo.gl/uWkw7n
https://www.heise.de/ct/artikel/Exc...U-flaws-revealed-several-serious-4040648.html

Eight new security flaws
Click to expand...
Each of the eight vulnerabilities has its own number in the Common Vulnerability Enumerator (CVE) directory and each requires its own patches. It is likely that each vulnerability will receive its own name. Until then, we will jointly call these flaws Spectre-NG in order to distinguish them from the previously uncovered issues.

So far we only have concrete information on Intel's processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable. Further research is already underway on whether the closely related AMD processor architecture is also susceptible to the individual Spectre-NG gaps, and to what extent.

Intel is already working on its own patches for Spectre-NG and developing others in cooperation with the operating system manufacturers. According to our information, Intel is planning two waves of patches. The first is scheduled to start in May; a second is currently planned for August.
Click to expand...

One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap. Intel's Software Guard Extensions (SGX), which are designed to protect sensitive data on cloud servers, are also not Spectre-safe.
Click to expand...

At least one looks really bad, showstopper for cloud services once exploited. The CVE's will be published on 5th May by current information.
 
amazing. Wonder what they will find in the new AMD chips.
 
I'm guessing these hardware vulnerabilities are gonna be a never ending thing?
 
hat said:
I'm guessing these hardware vulnerabilities are gonna be a never ending thing?
Click to expand...
there will always be some sort of vulnerability to squawk about.
 
I think the VM paradigm needs to shift to one physical core per virtual machine. Software VMs need to die. It will create more demand for lighter, manycore processors too.
 
FordGT90Concept said:
I think the VM paradigm needs to shift to one physical core per virtual machine. Software VMs need to die. It will create more demand for lighter, manycore processors too.
Click to expand...
Then what happens when you need multi core performance in your VM?
 
Maybe it's time more businesses used closed networks. These "flaws" won't stop.
 
This news caused me to check the Asus website for a patched BIOS (for the 50th time!), and finally, there is a new BIOS posted for my Z97 Deluxe board (3503 beta). So I took a chance and flashed it - ran the Inspectre utility, and it now shows that my system is secure against both meltdown and Spectre, with good performance. I heard they haven't got around to the Z87 boards yet, but if you have Z97 Asus board, there should be one your model now. Now I'm going to benchmark this system to see if it lost any speed.
Screenshot (47).png

Am I still vulnerable these new variations? I guess we'll have to wait for the new version of Inspectre to find out! But I feel safer, somehow.
 
hat said:
Then what happens when you need multi core performance in your VM?
Click to expand...
No reason why you can't bridge a VM across multiple cores but multiple VMs should not have access to a single core. They need hardware isolation.
 
ikeke said:
https://www.heise.de/ct/artikel/Exc...U-flaws-revealed-several-serious-4040648.html
At least one looks really bad, showstopper for cloud services once exploited. The CVE's will be published on 5th May by current information.
Click to expand...

ugh kill me please. this is so blown out of proportion its insane.

Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap.
Click to expand...

Security is important
hardware flaws will always exist

the issue with flaws like this is you can say your CC number is also ACUTELY endangered. Your your address, or your favorite color. or really any word, verb thought or text that fits within the confines of the bits that are leaked. if you are activly scanning the pipeline you wanna know what you are really going to see?


SDFJASDFJ@(#$%@$#%R<DSFA)#R #@$T_)DSPA#_%RMF<ERHGFDGQAW)SEDKRR$54f548w4er513rf81dwe8f w43r4325rwqedrfw3e4rqw


99.9999999% of the time. Even if you managed to see P@ssw0rd come out of the buffer on a random system you happened to be targeting KNOWING what VM you were seeing is pretty much impossible. Second even if you did see ANYTHING you wouldnt even know it was in the context of a password. You would or maybe not see a dictionary term with some numbers at the end. and even if through MAGIC you somehow KNEW that was a password (and any of the random characters I just types could be) you still wouldn't even know WHAT it went too. C.O.O facebook account? Stans POS system login? some random string saved to a text document? Is it actually password attempts being brute forced by kain and able from another entity? You wouldnt even know.

Its a few bytes of text the processor holds in its pipeline being exposed to someone that had ADMINISTRATIVE access to the unit as is. It doesnt give you info in a humanly digestible format like


Facebook Login
Top Secret C-Level
Bill Gates
1 Microsoft Way, London
13:03 UTC

USN:billygates
PASS:101scubz
IP:9.9.9.9


the media in IT is starting to get closely related to main stream media on TV and it enrages me. Not giving the TECHNICAL details to TECHNICALLY minded people is a terrible approach. Why? because it does 2 of 2 things.

Creates mass histeria to the people that know enough to get in trouble

Makes people like grandma feel safe because it was "patched"
 
Meh, if someone wants your stuff, they are going to get it. All we can do is make em work for it.

Solaris17 said:
to someone that had ADMINISTRATIVE access
Click to expand...

I don't understand why people use this argument. If only something like...I dunno.....privilege escalation exploits exist......
 
moproblems99 said:
Meh, if someone wants your stuff, they are going to get it. All we can do is make em work for it.



I don't understand why people use this argument. If only something like...I dunno.....privilege escalation exploits exist......
Click to expand...

Argument? Only One of many points many of which your “privilege escalations” uses you know..... to escalate them to the privilege of......Administrator... of course even then your only half trying to mock(?) me. After all of your server and OS is already open and venlerable to PE and is so easily exploited you don’t need hardware level exploitation anyway.

After all low hanging fruit is key.
 
Not trying to insult you, although I certainly see how it came off like that, my apologies. My point is that Administrator access is not particularly hard to get.
 
moproblems99 said:
Not trying to insult you, although I certainly see how it came off like that, my apologies. My point is that Administrator access is not particularly hard to get.
Click to expand...

very much true. The problem is certainly deep. for example ford had a good idea. Why not isolate these machines physically? the only problem with this is thats not how scheduling works with virtual machines most other hyper visors are like that as well vmware oracle etc. regardless of OS it gets even more fun since there is OS task(kernel) scheduling and hardware (physical) scheduling. None are controllable via any software means.
 
Solaris17 said:
ugh kill me please. this is so blown out of proportion its insane.



Security is important
hardware flaws will always exist

the issue with flaws like this is you can say your CC number is also ACUTELY endangered. Your your address, or your favorite color. or really any word, verb thought or text that fits within the confines of the bits that are leaked. if you are activly scanning the pipeline you wanna know what you are really going to see?


SDFJASDFJ@(#$%@$#%R<DSFA)#R #@$T_)DSPA#_%RMF<ERHGFDGQAW)SEDKRR$54f548w4er513rf81dwe8f w43r4325rwqedrfw3e4rqw


99.9999999% of the time. Even if you managed to see P@ssw0rd come out of the buffer on a random system you happened to be targeting KNOWING what VM you were seeing is pretty much impossible. Second even if you did see ANYTHING you wouldnt even know it was in the context of a password. You would or maybe not see a dictionary term with some numbers at the end. and even if through MAGIC you somehow KNEW that was a password (and any of the random characters I just types could be) you still wouldn't even know WHAT it went too. C.O.O facebook account? Stans POS system login? some random string saved to a text document? Is it actually password attempts being brute forced by kain and able from another entity? You wouldnt even know.

Its a few bytes of text the processor holds in its pipeline being exposed to someone that had ADMINISTRATIVE access to the unit as is. It doesnt give you info in a humanly digestible format like


Facebook Login
Top Secret C-Level
Bill Gates
1 Microsoft Way, London
13:03 UTC

USN:billygates
PASS:101scubz
IP:9.9.9.9


the media in IT is starting to get closely related to main stream media on TV and it enrages me. Not giving the TECHNICAL details to TECHNICALLY minded people is a terrible approach. Why? because it does 2 of 2 things.

Creates mass histeria to the people that know enough to get in trouble

Makes people like grandma feel safe because it was "patched"
Click to expand...

Feels like a knee jerk reaction.
 
This issue has nothing to do with administrative access. Nothing to do with number of cores allocated to VM. Nothing to do with physical security.

VMs are, for applications running in them, treated as separate physical machines. These flaws allow to break these barriers.

There is no security procedure/layer on your instance that can circumvent flaw in HW logic that allows anyone with VM level access (which, if you have ever spun up a cloud instance on Amazon/Azure/Google/etc costs cents to few dollars) to the cloud service to compromize your instance.

It's nice to talk about "having a physical machine to do the thing you need to be done" but it is not cost effective and we've been moving towards virtualization since end of 90s. Without it most of the services as they are used by consumers every day wont be cost effective, ergo wont exist.
 
Last edited:
Brilliant something else we will not stop hearing about this now... :(
 
R-T-B said:
Yeah, because the initial release is so bug free you should never try to patch it. :laugh:
Click to expand...

Glad you could see the humor
 
So... news delayed, except that Intel reportedly has asked for nondisclosure extension to prepare patches.
Urgh...
P.S.
You got the monthly cumulative update on Patch Tuesday.
Has nothing to do with April 2018 Update (1803) being released so late.
 
You must log in or register to reply here.
Back
Top