A new variant of the Spectre (Variant 1)[1] side-channel vulnerability has been discovered that affects modern Intel CPUs[2] that rely on speculative execution, and some AMD processors as well, Microsoft and Red Hat warn.
Identified as CVE-2019-1125, the vulnerability could allow unprivileged local attackers to access sensitive information stored in privileged operating-system kernel memory, including passwords, tokens, and encryption keys, that would otherwise be inaccessible to them.
Speculative execution is a core feature of modern microprocessor design: the CPU executes instructions ahead of time based on assumptions it considers likely to hold. If the assumptions turn out to be valid, execution continues; otherwise the speculative results are discarded.
Such speculative execution also leaves side effects in microarchitectural state that are not restored when the CPU state is unwound, leading to information disclosure that can then be recovered using side-channel attacks[3].
Microsoft[4] silently issued patches for the new speculative execution vulnerability[5], which was discovered and responsibly disclosed by researchers at security firm Bitdefender[6], in its July 2019 Patch Tuesday security update.
According to a security advisory released today by Red Hat[7], the attack relies on
speculatively executing unexpected SWAPGS instructions after a
branch gets mispredicted.
SWAPGS is a privileged system instruction that swaps the value of the GS base register with the value stored in a model-specific register (MSR); it is only available on x86-64 processors.
“Since SWAPGS can be executed speculatively inside user-mode, an
attacker can leak the address of the per-CPU data, normally
available to only the kernel,” researchers say.
The attack abuses the speculative execution feature provided by modern CPUs and can be used to leak sensitive kernel memory from unprivileged user mode.
“It is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations,” Red Hat says in its advisory.
The attack bypasses the known mitigations implemented after the discovery of the Spectre and Meltdown[8] vulnerabilities in early 2018, which put practically every computer in the world at risk.
Though the Linux kernel also contains a gadget that could be exploited to target Linux systems, the researchers believe exploiting Linux systems could be slightly harder than exploiting Windows computers.
Since the attack cannot be launched remotely, it is unlikely to cause mass malware infections in the way EternalBlue was used for WannaCry; instead, it could be used as part of a highly targeted attack.
Affected users can address this issue by installing a software update for their operating system, which changes how the CPU is allowed to speculatively access memory.
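One way for a Linux administrator to confirm that the kernel-side fix is actually active on a host, as an added example that is not code from the article, Red Hat, Microsoft, Google or Bitdefender: the Linux kernel reports its Spectre v1 status in sysfs, and after the SWAPGS fix that report includes the words "swapgs barriers"; the kernel command line can also switch the mitigation off via the documented `nospectre_v1` or `mitigations=off` parameters. The assumptions here are that the mitigated kernel uses exactly that sysfs wording (as upstream Linux does) and that the sample strings, which are constructed rather than captured from a real machine, are representative.

```python
"""Check whether a Linux kernel reports the SWAPGS (CVE-2019-1125) mitigation.

Added example, not code from the article or the vendors it quotes. It reads
the kernel's sysfs Spectre v1 report and the boot command line. Assumption:
a kernel carrying the fix reports "usercopy/swapgs barriers" in spectre_v1,
as upstream Linux does; the SAMPLE_* strings are constructed for offline use.
"""
import os

SPECTRE_V1_SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v1"
CMDLINE_PATH = "/proc/cmdline"

# Constructed sample values modelled on the sysfs format (not real captures).
SAMPLE_MITIGATED = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n"
SAMPLE_OLD_KERNEL = "Mitigation: __user pointer sanitization\n"
SAMPLE_VULNERABLE = "Vulnerable\n"
SAMPLE_NOT_AFFECTED = "Not affected\n"
SAMPLE_CMDLINE_OFF = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet mitigations=off\n"


def classify_spectre_v1(report):
    """Interpret one spectre_v1 sysfs line.

    Returns (status, swapgs_barrier): status is 'not_affected', 'vulnerable',
    'mitigated' or 'unknown'; swapgs_barrier is True only when the kernel
    says it inserted the SWAPGS barriers added for CVE-2019-1125.
    """
    text = report.strip()
    if text.startswith("Not affected"):
        return "not_affected", False
    if text.startswith("Vulnerable"):
        return "vulnerable", False
    if text.startswith("Mitigation:"):
        return "mitigated", "swapgs barriers" in text
    return "unknown", False


def cmdline_disables_spectre_v1(cmdline):
    """True if boot parameters turn the Spectre v1 / SWAPGS mitigation off.

    'nospectre_v1' and 'mitigations=off' are documented kernel parameters.
    """
    params = cmdline.split()
    return "nospectre_v1" in params or "mitigations=off" in params


def swapgs_mitigation_state(report, cmdline):
    """Combine the sysfs report and the command line into one verdict."""
    status, barrier = classify_spectre_v1(report)
    if status == "not_affected":
        return "not affected"
    if status == "mitigated" and barrier and not cmdline_disables_spectre_v1(cmdline):
        return "mitigated"
    if status == "mitigated" and not barrier:
        return "spectre v1 mitigated but no SWAPGS barrier reported"
    if cmdline_disables_spectre_v1(cmdline):
        return "mitigation disabled by boot parameter"
    return "vulnerable or unknown"


def read_live_state():
    """Read the real files on a Linux host; return None if they are absent."""
    try:
        with open(SPECTRE_V1_SYSFS) as f:
            report = f.read()
        with open(CMDLINE_PATH) as f:
            cmdline = f.read()
    except OSError:
        return None
    return swapgs_mitigation_state(report, cmdline)


if __name__ == "__main__":
    live = read_live_state()
    print("this host:", live if live is not None else "sysfs report unavailable")
    # Walk the constructed samples so the logic is visible without root or Linux.
    for name, sample, cmd in (
        ("patched kernel", SAMPLE_MITIGATED, "ro quiet"),
        ("pre-fix kernel", SAMPLE_OLD_KERNEL, "ro quiet"),
        ("mitigations=off", SAMPLE_VULNERABLE, SAMPLE_CMDLINE_OFF),
        ("unaffected CPU", SAMPLE_NOT_AFFECTED, ""),
    ):
        print(f"{name:16s} -> {swapgs_mitigation_state(sample, cmd)}")
```

A "spectre v1 mitigated but no SWAPGS barrier reported" result is the interesting case for a fleet check: the host has the older Spectre v1 pointer sanitization but not the SWAPGS barriers, which is exactly the state this vulnerability targets, so it should be scheduled for the kernel update.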
Meanwhile, Google[9] has also prepared a
patch to fix this vulnerability in its ChromeOS 4.19 with a
soon-to-be-released update, describing the flaw as:
“An attacker can train the branch predictor to speculatively skip
the swapgs path for an interrupt or exception. If they initialize
the GS register to a user-space value, if the swapgs is
speculatively skipped, subsequent GS-related percpu accesses in the
speculation window will be done with the attacker-controlled GS
value. This could cause privileged memory to be accessed and
leaked.”
References
- [1] Spectre (Variant 1) (thehackernews.com)
- [2] modern Intel CPUs (thehackernews.com)
- [3] side-channel attacks (thehackernews.com)
- [4] Microsoft (portal.msrc.microsoft.com)
- [5] speculative execution vulnerability (thehackernews.com)
- [6] Bitdefender (labs.bitdefender.com)
- [7] Red Hat (access.redhat.com)
- [8] Spectre and Meltdown (thehackernews.com)
- [9] Google (chromium.googlesource.com)
Source: http://feedproxy.google.com/~r/TheHackersNews/~3/bv3k3f5bFR0/swapgs-speculative-execution.html