Microsoft quietly patches fresh speculative execution flaw affecting Intel processors

Roland Moore-Colyer
07 August 2019

Tweet
Facebook
Send to

MICROSOFT HAS QUIETLY PATCHED a serious side-channel flaw that abuses speculative execution functions in processors, akin to the Spectre and Meltdown flaws.

Cybersecurity firm Bitdefender found and flagged the vulnerability, tagged as CVE-2019-1125, to Microsoft some 12 months ago, and noted the flaw allowed for a what it called a SWAPGS Attack, so-called as it exploits the use of the SWAPGS instruction that handles the interaction of speculative execution in Intel chips and its interaction with Windows.

The vulnerability affects all Intel CPUs from the Ivy Lake generation onwards, though Bitdefender noted that other chips could also be affected.

While there have been numerous patches pushed out to plug the security holes presented by Meltdown and variants of the Spectre flaws, this flaw bypasses the mitigations, thereby making it a pretty severe one.

"What we have found is a way to exploit the SWAPGS instruction which switches from userland to kernel mode in such a way that we could... carry out a side-channel attack," Bogdan Botezatu, Bitdefender's director of threat research and reporting, told Ars Technica. "By doing that, we are going to leak kernel memory into the user space even if there are security measures that should prevent us from doing that."

Bitdefender explained there are two stages to the SWAPGS Attack, the first being when SWAPGS isn't being used in the speculative execution process when it should, and the second being when it's used in speculative execution when it shouldn't be.

If exploited, the SWAPGS Attack could end up prodding a processor to leak sensitive information from a system's kernel memory, such as passwords and encryption keys.

That being said, an attacker would still need to have the ability to login and access an affected machine, as Microsoft noted: "The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further."

It's also worth noting that while the vulnerability technically exists on other operating systems using the affected Intel processors, though Bitdefender pointed out that they aren't open to any real exploitation.

The SWAPGS Attack could be exploited it within cloud services, where there could be a host of sensitive data that major hacking groups or state-sponsored hackers could go after, as the vulnerability allows for a virtual machine to effectively pilfer sensitive data from another.

However, virtual machine and cloud wrangler Red Hat noted that it's aware of the flaw and doesn't see a way it can be exploited n Linux-based systems, though it has pushed out patches to fix things just in case.

"Red Hat has been made aware of an additional spectre-V1 like attack vector, requiring updates to the Linux kernel in combination with microcode updates," the company said. "This additional attack vector builds on existing software fixes shipped in previous kernel and microcode updates. This vulnerability only applies to x86-64 systems using either Intel or AMD processors."

However, when it comes to Team Red's CPUs, AMD circulated a statement acknowledging the research but claimed its chips are not vulnerable to the SWAPGS Attack: "Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS."

Intel threw around a statement noting it's worked with industry partners to plug the flaw and that Microsoft was best positioned to fix things: "Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft. It takes the ecosystem working together to collectively keep products and data more secure, and this issue is being coordinated by Microsoft."

So all in all, the new processor flaw doesn't see to be that much of big deal, providing people ensure their systems are up to date and keep dodgy folks away from their computers and server farms. But it does yet again indicate how problematic speculative execution flaws are in terms of completely protecting against them. µ