The latest variant of the Spectre series of bugs have been discovered — the newest addition is the Spectre 1.1 vulnerability which is tracked under the CVE-2018-3693 security advisory. Like previous iterations it leverages a flaw that can create speculative buffer overflows. They allow malicious code to bypass the processor security measures thereby obtaining sensitive information.
Spectre 1.1 Vulnerability Identified and Tracked in CVE-2018-3693
The wave of speculative buffer overflow attacks continue as Vladimir Kiriansky and Carl Waldspurger published a paper showcasing details about the latest called the Spectre 1.1 vulnerability. It uses a similar mechanism to previous Spectre bugs by leveraging speculative stores that lead to the showcased buffer overflows. It is also called “Bounds Check Bypass Store” or shortened to BCBS to differentiate it from the other Spectre vulnerabilities.
The security vulnerability is tracked in the CVE-2018-3693 which reads the following description:
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel analysis.
The reason for its existence is the processor performance optimization conditional branches of instructions that are used to speed up application execution. This is a feature that is standard among almost all modern processors. The devised proof-of-concept attack reveals that the speculative write operations used in the Spectre 1.1 vulnerability allows information disclosure via the side channels. The code used in the attacks has been found to ignore the security bound checks hence the name of the attacks.
Within the victim domain the bug allows the malicious users to devise arbitrary code execution. According to the preliminary threat analysis a hypothetical attack can mount both local and remote targets. The researchers point out that systems that execute untrusted code bear the highest risk, this list includes all manners of containers, virtual machine and sandbox environments. Such machines are typically servers or development workstations while the remote attacks can include targets such as application data, databases, firewalls and etc.
As well as reaching out sensitive information the speculative bypass attacks are capable of presenting code that can be executed by the target machine. The write commands mechanisms are detailed in detail in the research paper.
The Spectre 1.2 vulnerability is a minor variant of the main Spectre 1.1 bug in which read/write protection is not enforced – the malicious actions depend on lazy PTE enforcement. The speculative stores are allowed to overwrite the read-only data and certain types of data. As a result all sandboxing that depends on hardware enforcement of read-only data is bypassed.
According to the conducted proof-of-concept attack the speculative execution can be used to deploy a RowHammer integrity attack and performing network attacks. RowHammer is a related side effect bug in DRAM that causes memory cells to leak sensitive data. It is distinctive from the processor-based ones (those belonging to the Spectre family of vulnerabilities) by allowing network-based attacks.
The researchers have validated that the Spectre 1.1 vulnerability affects both ARM and Intel x86 processors. As always computer users will need to rely on forthcoming OS vendor patches to amend the bug.
Response Following the Spectre 1.1 Vulnerability Discovery
Following the reports about the new bug both software and hardware vendors have commented about it.
Microsoft has updated their advisories adding in new information about the CVE-2018-3693 advisory. The company considers BCBS to belong to the same class of bugs as the first variant of Spectre. They have not been able to identify of Spectre 1.1 code in their software (as of the time of writing this article) however research into it continues. They are working with hardware partners into releasing patches that will amend the vulnerability as required.
Intel responded by publishing a revised report called “Analyzing potential bounds check bypass vulnerabilities” that gives a thorough technical explanation on Spectre 1.1. The engineers give out specific recommendations on how to mitigate the malicious code in compilers, the Linux Kernel and Microsoft Windows.
ARM‘s response included an update to their general Speculative Processor Vulnerability page that is updated live whenever a new flaw is identified. Concerning the Spectre 1.1 vulnerability the vendor has released details on mitigating Cortex-A76 processors by updating the Trusted Firmware and the Linux configuration. Concerning the Cortex-A57, Cortex-A72, Cortex-A73, and Cortex-A75 mitigation is possible by disabling a hardware feature. Non-Linux implementations can amend the bug by setting the relevant control register bits posted on the site.