Google and Microsoft, two of the world's biggest technology companies, are jointly disclosing a new CPU security vulnerability that is similar to the Spectre and Meltdown flaws revealed earlier this year. Security researchers at Google Project Zero and Microsoft identified two software analysis methods that, if used for malicious purposes, have the potential to improperly gather sensitive data from multiple types of computing devices and operating systems.
Unlike Meltdown (and more like Spectre), this new vulnerability is addressed partly through CPU microcode (firmware) updates, which can affect performance. Intel has already released microcode updates for Speculative Store Bypass in beta form to OEMs and system software vendors, and expects them to be more broadly available in the coming weeks. The updates expose a new control to the operating system, but the Speculative Store Bypass mitigation itself is set to off by default, a choice intended to ensure that most users will not see a negative performance impact unless they, or the software they run, turn it on.
“As part of this ongoing work, today Intel and other industry partners are providing details and mitigation information for a new derivative of the original vulnerabilities impacting us and other chipmakers. This new derivative is called Variant 4, and it’s being disclosed jointly by GPZ and Microsoft’s Security Response Center (MSRC).
In the spirit of Intel’s security first pledge, I want to explain what this new variant is and how customers can protect themselves. As I do this, let me start by saying that we have not seen any reports of this method being used in real-world exploits. Moreover, there are multiple ways for consumers and IT professionals to safeguard their systems against potential exploits, including browser-based mitigations that have already been deployed and are available for use today,” explains Leslie Culbertson, Intel’s security chief.
The United States Computer Emergency Readiness Team (US-CERT) has officially sent out an alert explaining that “On May 21, 2018, new variants—known as 3A and 4—of the side-channel central processing unit (CPU) hardware vulnerability were publicly disclosed. These variants can allow an attacker to obtain access to sensitive information on affected systems.”
What are these variants?
Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.
Variant 4 is a vulnerability that exploits speculative store bypass: the CPU may speculatively execute a load before an earlier store to the same address has completed, so for a short window the load sees the stale value. When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to
- Read arbitrary privileged data; and
- Execute older instructions speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.
Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:
- Variant 1: Bounds Check Bypass – CVE-2017-5753
- Variant 2: Branch Target Injection – CVE-2017-5715
- Variant 3: Rogue Data Cache Load – CVE-2017-5754
- Variant 3a: Rogue System Register Read – CVE-2018-3640
- Variant 4: Speculative Store Bypass – CVE-2018-3639
Ref: US-CERT.
For end users, and particularly system administrators, the choice will once again be between security and optimal performance. As with the previous Spectre variants, the right answer will depend on the individual systems and servers involved, bearing in mind that this new variant appears to pose less risk than the CPU flaws disclosed earlier this year. It is nonetheless a real flaw that can be used to steal information.
This three-minute video by Red Hat Videos explains how Speculative Store Buffer Bypass differs from the earlier variants and what is being done about it.
Solution
Mitigation
NCCIC recommends that users and administrators:
- Refer to their hardware and software vendors for patches or microcode.
- Use a test environment to verify each patch before implementing it.
- Ensure that performance is monitored for critical applications and services.
- Consult with vendors and service providers to mitigate any degradation effects, if possible.
- Consult with cloud service providers to mitigate and resolve any impacts resulting from host operating system patching and mandatory rebooting, if applicable.
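Because the Speculative Store Bypass mitigation ships off by default, "verify each patch" means checking two things on a Linux host: what the kernel reports for the platform as a whole, and whether a given process has actually opted in. The C program below is an added example written for this page (it is not code from Intel, US-CERT, Red Hat or the original article). It classifies the kernel's sysfs report for Variant 4, decodes the bitmask returned by `PR_GET_SPECULATION_CTRL`, and then opts the calling process into Speculative Store Bypass Disable via `prctl`, which is how a sandbox or JIT that runs untrusted code would turn the mitigation on for itself. It assumes a Linux kernel of 4.17 or later, which introduced both interfaces; on older kernels the live calls fail with an error message and only the decoding helpers do anything. The function names (`classify_sysfs`, `opt_in_to_ssbd`, and so on) are this example's own.

```c
// Added example for this page, not code from Intel, US-CERT or the article.
// Assumes Linux 4.17 or later, which added the sysfs vulnerability files and
// the PR_{GET,SET}_SPECULATION_CTRL prctl; on older kernels the live calls
// fail gracefully and only the pure helpers do work.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Values copied from linux/prctl.h so the example also builds with older
 * libc headers; they are identical to the kernel's definitions. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_NOT_AFFECTED 0
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_ENABLE (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

#define SSB_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

enum ssb_state {
    SSB_UNKNOWN,          /* file absent or text not recognised */
    SSB_NOT_AFFECTED,     /* "Not affected" */
    SSB_VULNERABLE,       /* "Vulnerable": no SSBD microcode or no kernel support */
    SSB_MITIGATED_OPT_IN, /* "Mitigation: ... disabled via prctl and seccomp" */
    SSB_MITIGATED_GLOBAL  /* "Mitigation: Speculative Store Bypass disabled" */
};

/* Classify one line of text in the format the kernel writes to SSB_SYSFS. */
enum ssb_state classify_sysfs(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0)
        return SSB_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0)
        return SSB_VULNERABLE;
    if (strncmp(line, "Mitigation:", 11) == 0)
        return strstr(line, "prctl") ? SSB_MITIGATED_OPT_IN : SSB_MITIGATED_GLOBAL;
    return SSB_UNKNOWN;
}

const char *ssb_state_name(enum ssb_state s)
{
    switch (s) {
    case SSB_NOT_AFFECTED:     return "not affected";
    case SSB_VULNERABLE:       return "VULNERABLE: no microcode/kernel mitigation";
    case SSB_MITIGATED_OPT_IN: return "mitigated only for processes that opt in";
    case SSB_MITIGATED_GLOBAL: return "mitigated for all processes";
    default:                   return "unknown (sysfs entry absent or unrecognised)";
    }
}

/* Read the live sysfs entry into buf (empty on failure) and classify it. */
enum ssb_state read_host_state(char *buf, size_t len)
{
    FILE *f = fopen(SSB_SYSFS, "r");
    if (!f || !fgets(buf, (int)len, f)) {
        if (f)
            fclose(f);
        buf[0] = '\0';
        return SSB_UNKNOWN;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return classify_sysfs(buf);
}

/* Decode the bitmask PR_GET_SPECULATION_CTRL returns; -1 means the query failed. */
const char *describe_spec_mask(long mask)
{
    if (mask < 0)
        return "query failed (kernel lacks PR_GET_SPECULATION_CTRL?)";
    if (mask == PR_SPEC_NOT_AFFECTED)
        return "CPU not affected";
    if (mask & PR_SPEC_FORCE_DISABLE)
        return "speculation force-disabled (cannot be re-enabled)";
    if (mask & PR_SPEC_DISABLE)
        return "speculation disabled";
    if (mask & PR_SPEC_PRCTL)
        return "speculation enabled, controllable via prctl";
    return "speculation enabled, not controllable by this process";
}

/* 1 if store-bypass speculation is disabled (or cannot occur) for this process. */
int ssb_disabled_for_process(long mask)
{
    if (mask < 0)
        return 0;
    if (mask == PR_SPEC_NOT_AFFECTED)
        return 1;
    return (mask & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

long query_spec_ctrl(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS, 0UL, 0UL, 0UL);
}

/* Opt the calling process (and children forked afterwards) into SSBD.
 * FORCE_DISABLE means untrusted code in this process cannot re-enable it.
 * Returns 0 on success or -errno: EINVAL if the kernel lacks the interface,
 * ENXIO if the host mitigation mode does not allow per-process control. */
int opt_in_to_ssbd(void)
{
    if (prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
              (unsigned long)PR_SPEC_FORCE_DISABLE, 0UL, 0UL) == 0)
        return 0;
    return -errno;
}

int main(void)
{
    char line[256];
    enum ssb_state host = read_host_state(line, sizeof line);
    printf("host:    %s (%s)\n", ssb_state_name(host), line[0] ? line : "no sysfs entry");
    printf("process: %s\n", describe_spec_mask(query_spec_ctrl()));
    int rc = opt_in_to_ssbd();
    if (rc != 0)
        printf("opt-in:  failed: %s\n", strerror(-rc));
    printf("process: %s\n", describe_spec_mask(query_spec_ctrl()));
    return 0;
}
```

Run it once before and once after applying the vendor microcode and kernel update: on a patched Intel host the first line should move from "VULNERABLE" to "mitigated only for processes that opt in", and the process line should flip to "force-disabled" after the `prctl` call. A host that still reports "Vulnerable" after the kernel update is usually missing the microcode, which is exactly the vendor-patch step the list above starts with.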
The following table contains links to advisories and patches published in response to the vulnerabilities. US-CERT updates this table as information becomes available.

| Vendor Information | Date Added |
|---|---|
| AMD | May 21, 2018 |
| ARM | May 21, 2018 |
| Microsoft | May 21, 2018 |
| Red Hat | May 21, 2018 |

Ref: US-CERT Alert TA18-141A.