alswart - stock.adobe.com
Industry collaborates to patch SwapGS CPU vulnerability
Newly disclosed SwapGS vulnerability in modern processors has been patched in Windows, Linux and ChromeOS, underlining the importance of keeping systems up to date
Security researchers have disclosed a new Spectre variant, but systems are safe from the nasty new side channel attack if they are patched up to date.
Collaboration between researchers from security firm Bitdefender, chip makers and software suppliers has ensured the availability of patches ahead of the vulnerability being made public.
Initial indications are that the industry has learned lessons from the setbacks suffered during the Spectre and Meltdown disclosure process.
Patching is once again extremely important, because knowledge of flaw would give attackers sweeping powers to blackmail, steal, spy and sabotage worldwide by enabling access to passwords, tokens, private conversations, encryption and other sensitive data, the researchers warn.
The latest side channel attack to come to light exploits speculative execution in modern 64-bit processors with hyper-threading and speculative execution technology.
Speculative execution is a functionality that seeks to speed up the CPU by having it make educated guesses as to which instructions might come next. But this approach can leave traces in-cache, which attackers can exploit to leak privileged, kernel memory.
Exploiting the vulnerability discovered by Bitdefender would enable an attacker to access all information in the operating system kernel memory.
The proof-of-concept attack also bypasses all known mitigations implemented after the discovery of Spectre and Meltdown in early 2018, the researchers warn, adding that servers, desktops and laptops are all potentially impacted, affecting enterprise and home users.
Although Microsoft, Intel, and Red Hat have all stated that the vulnerability exists in all modern CPUs, Bitdefender researchers have been able to exploit it only on Intel CPUs.
Chip maker AMD has stated that its processors are not affected. “AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data,” it said. “Based on external and internal analysis, AMD believes it is not vulnerable to the SwapGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.”
The vulnerability specifically affects all Intel CPUs that support speculative execution of the SwapGS instruction, which means all Intel processors from Ivy Bridge (introduced in 2012) to the latest processor series available.
“An attacker can force arbitrary memory dereferences in kernel, which leaves traces within the data caches,” the researchers said in a blog post. “These signals can be picked up by the attacker to infer the value located at the given kernel address.
Gavin Hill, vice-president, datacentre and network security products at Bitdefender, said: “Criminals with knowledge of these attacks would have the power to uncover the most vital, best-protected information of both companies and private individuals around the world.
“Research into these attacks is on the cutting edge as it gets to the very roots of how modern CPUs operate and requires a thorough understanding of CPU internals, OS internals, and speculative-execution side-channel attacks in general.”
The Bitdefender proof-of-concept attack combines Intel speculative execution of instructions and the use of a specific instruction by Windows operating systems within what is known as a “gadget”.
Bitdefender said it has worked with Intel for more than a year on public disclosure of this attack, which has enabled Microsoft and the other ecosystem partners to issue patches or to continue assessing the need to issue patches.
Read more about side-channel attacks
- Fixes for the Spectre variant 2 vulnerability affect system performance, so some in the tech sector wonder whether they are worth it.
- Foreshadow, a set of newly discovered L1TF vulnerabilities, exploits Intel processors via side-channel attacks.
- New variants of the Spectre microprocessor bugs use buffer overflow-style attacks to run malicious code.
In a coordinated disclosure, Intel, Microsoft, Red Hat and Google have released advisories about the SwapGS vulnerability.
The Intel statement said: “Intel, along with industry partners, determined that the issue was better addressed at the software level and connected the researchers to Microsoft.
“It takes the ecosystem working together to collectively keep products and data more secure and this issue is being coordinated by Microsoft.”
Microsoft said in a statement: “We are aware of this industry-wide issue and have been working closely with affected chip manufacturers and industry partners to develop and test mitigations to protect our customers.
“We released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically.”
In a security advisory, Microsoft said: “To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application.
“The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.”
Red Hat said it had been made aware of an “additional Spectre V1-like attack vector, requiring updates to the Linux kernel.
“This additional attack vector builds on existing software fixes shipped in previous kernel updates,” it said. “This vulnerability only applies to x86-64 systems using either Intel or AMD processors.”
Google said it had patched the issue in ChromeOS 4.19 and updated its Spectre admin guide to include information about the SwapGS vulnerability.