An update to this post is available here.

A fundamental chip–level design flaw in the Intel processor chip is leading a significant redesign of the Linux, Windows and XNU kernels. In other words, the processor is vulnerable, but the fix is at the operating system level.

The solution is to separate the kernel’s memory completely from user processes, using kernel page table isolation (KPTI). The Intel vulnerability is forcing changes in both Linux, Windows and macOS.

As of the publishing of this post, there is no CVE or name assigned to the issue. According to The Register, the name “Forcefully Unmap Complete Kernel With Interrupt Trampolines” was floated by the Linux kernel team — doing the math on the abbreviation will give you a sense of how developers feel about the flaw.

What Does the Intel Processor Chip Vulnerability Affect?

Intel x86 and x64 processor chips, and is likely to affect all versions (the exact details of the vulnerability have been embargoed, presumably wanting to limit information before a patch is released). The vulnerability is presumed to be present on every Intel processor chip produced in the last decade.

What is the Impact?

The Intel vulnerability allows any application running on a user–level mode to access protected kernel memory areas, which could allow information disclosure to an authenticated attacker with access to the machine, as well as code execution. While this doesn’t sound like the worst possible outcome, it becomes especially dangerous in shared public cloud servers as it could reveal passwords, login keys, etc.

What is the Real Threat?

A proof–of–concept pseudo–code of the exploit was already published on Twitter on 1 Jan 2018. We will not repost for obvious reasons, but the gist of the threat is below.

The Intel vulnerability can be abused to defeat the kernel address space layout randomization (KASLR), a defense mechanism to place components of the kernel in randomized locations in virtual memory. This mechanism can be abused to ensure a malicious payload will be executed on the affected machine.

While the Intel vulnerability is still a potential threat and has not been observed as exploited in the wild, the amount of details available and the scramble to patch are cause for alarm.

What Should be Fixed?

  • Linux kernel: some information exists on the upcoming patch, but full fixes from the Linux distributers, such as RedHat and Unbuntu, are still to come
  • Microsoft Windows OS: Fixes are expected to be released imminently, unless held for the upcoming Patch Tuesday (January 9)
  • MacOS: The release of 10.13.2 contains at least a partial fix to the chip–level flaw
  • Amazon EC2, Microsoft Azure and Google Compute Engine have notified customers about a major security updates

The Cost of the Fix

As the Intel vulnerability is significant design flaw, fixing it will probably lead to a performance degradation of anywhere from 5 to 30 percent, depending on the processor’s model and the OS task taking place.

The “usual” security patches have no documented/previously published costs. But for enterprises trying to prioritize their backlog of patches, understanding clearly how the vulnerability affects performance could be crucial.

 

Skybox will update the details for the Intel vulnerability as they become available, and will update patch info in our intelligence feed. Keep up with the latest at Skybox Vulnerability Center.

 

Related Posts

Apple Vulnerability Allows Root Login Without Password: A high–profile Apple vulnerability in MacOS High Sierra allows anyone to login as root without any password

KRACK Targets WPA2 Protocol Putting Millions of Devices at Risk: Researchers’ POC of KRACK, a key reinstallation attack on WPA2 protocols, impacts all modern protected Wi–Fi networks