Two New Spectre-Class CPU Flaws Discovered—Intel Pays $100K Bounty
Intel has paid out a $100,000 bug bounty for new processor vulnerabilities that are related to Spectre variant one (CVE-2017-5753).
The new Spectre-class variants are tracked as Spectre 1.1 (CVE-2018-3693) and Spectre 1.2, of which Spectre 1.1 described as a bounds-check bypass store attack has been considered as more dangerous.
Earlier this year, Google Project Zero researchers disclosed details of Variants 1 and 2 (CVE-2017-5753 and CVE-2017-5715), known as Spectre, and Variant 3 (CVE-2017-5754), known as Meltdown.
Spectre flaws take advantage of speculative execution, an optimization technique used by modern CPUs, to potentially expose sensitive data through a side channel by observing the system.
Speculative execution is a core component of modern processors design that speculatively executes instructions based on assumptions that are considered likely to be true. If the assumptions come out to be valid, the execution continues, otherwise discarded.
New Spectre-Class CPU Vulnerabilities
A team of researchers—Vladimir Kiriansky of MIT and Carl Waldspurger of Carl Waldspurger Consulting—has now discovered two sub-variants of Spectre Variant one.
The new Spectre variants come almost a month after researchers from Microsoft and Google disclosed a Spectre Variant 4 impacting modern CPUs in millions of computers, including those marketed by Apple.
Spectre 1.1: Bounds Check Bypass on Loads
Spectre Variant 1.1 is a sub-variant of the original Spectre Variant 1 that leverages speculative stores to create speculative buffer overflows.
This buffer overflow issue in the CPU store cache could allow an attacker to write and execute malicious code that could potentially be exploited to extract data from previously-secured CPU memory, including passwords, cryptographic keys, and other sensitive information.
“The ability to perform arbitrary speculative writes presents significant new risks, including arbitrary speculative execution,” the researchers wrote in their research paper.
“It also allows attackers to bypass recommended software mitigations for previous speculative-execution attacks.”
Spectre1.2: Read-only Protection Bypass
Spectre variant 1.2 depends on lazy PTE enforcement, the same mechanism on which exploitation of Meltdown flaw relies.
This flaw could allow a potential attacker to bypass the Read/Write PTE flags, which eventually will enable them to overwrite read-only data memory, code metadata, and code pointers to avoid sandboxes.
“In a Spectre 1.2 attack, speculative stores are allowed to overwrite read-only data, code pointers, and code metadata, including vtables, GOT/IAT, and control-flow mitigation metadata,” the researchers said.
Though ARM has also acknowledged the existence of Spectre 1.1 flaw in its blog post published today, the chip maker has not explicitly mentioned which ARM CPUs are especially vulnerable to Spectre 1.1 and Spectre 1.2. AMD has yet to acknowledge the issues.
Microsoft, Red Hat and Oracle have also released advisories, saying that they are still investigating if any of their products are vulnerable to the new Spectre variants.
“These issues are likely to primarily impact operating systems and virtualization platforms, and may require a software update, microcode update, or both,” said Oracle’s director of security assurance Eric Maurice.
“Fortunately, the conditions of exploitation for these issues remain similar: malicious exploitation requires the attackers to first obtain the privileges required to install and execute malicious code against the targeted systems.”
Intel thanked Kiriansky and Waldspurger for responsibility reporting the new vulnerabilities to the chip maker and paid out $100,000 to Kiriansky via its bug bounty program on HackerOne.