In January 2018, chip-level design flaws — dubbed Spectre and Meltdown — in Intel processors made headlines, as they affected every Intel chip of the last decade. The vulnerabilities could allow any application running in user mode to access protected kernel memory areas. The next day, researchers announced that Spectre (CVE-2017-5753 and CVE-2017-5715) was present in almost every microprocessor released since 1995 that performs branch prediction, including those from Intel as well as Arm and AMD.
New Spectre Variants
Since then, new waves of Spectre vulnerabilities have emerged — one in May with the Spectre variant 4 disclosure and two more last week — perhaps thanks to Intel’s $100,000 bounty for related flaws. These latest variants (a.k.a. Spectre 1.1 and Spectre 1.2) are subcategories of the first variant, which was disclosed in January.
Spectre 1.1 has been assigned CVE-2018-3693. It leverages speculative stores to create speculative buffer overflows. Spectre 1.2, which does not have a CVE of its own for the moment, is a minor variant of Spectre 1.1 and relies on “lazy enforcement” of read/write protections.
ARM and Intel have confirmed that their chips are affected by the new vulnerabilities, but AMD has not published anything about its processors. AMD was vulnerable to the previous Spectre variants, so it is likely vulnerable to Spectre 1.1 and Spectre 1.2 as well.
According to the two researchers who discovered the flaws, exploiting Spectre 1.1 uses speculative execution to deliver code that overflows CPU store buffers in order to write and run malicious code that retrieves data from previously secured CPU memory sections.
As for 1.2, the researchers claim that the bug can be exploited to write to CPU memory regions that are normally protected by read-only flags.
Mitigating the Threat
While investigations into the impact of the chip-level flaws are still underway, Intel published a whitepaper analyzing how the Meltdown and Spectre flaws are handled. The whitepaper contains detailed information on how developers can inspect and modify their source code to mitigate the vulnerability at the application or software level. The recommended approach for dealing with the latest variants is the same as for the original flaw; however, it doesn’t actually fix the flaw.
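As an added illustration, not code from the article, the researchers or Intel’s whitepaper, the following shows the bounds-checked store pattern that Spectre 1.1 abuses beside a hardened version that applies the two source-level mitigations commonly used against bounds-check bypass: a speculation barrier after the check and a branch-free index clamp. All names are assumptions; the barrier is an `lfence` on x86 with gcc/clang and a no-op elsewhere.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Branch-free mask: all ones when idx < size, zero otherwise.
   Same construction as the generic Linux array_index_mask_nospec();
   assumes size <= SIZE_MAX / 2 so the top bit only flips on overflow. */
static inline size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - (oob ^ 1);
}

/* Serialising barrier: lfence on x86 with gcc/clang, no-op elsewhere (assumption). */
static inline void speculation_barrier(void)
{
#if (defined(__x86_64__) || defined(__i386__)) && defined(__GNUC__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

/* Unhardened pattern: the branch predictor may assume idx < len, so the
   store can run transiently with an out-of-bounds idx (Spectre 1.1). */
int store_checked(unsigned char *buf, size_t len, size_t idx, unsigned char val)
{
    if (idx < len) {
        buf[idx] = val;
        return 1;
    }
    return 0;
}

/* Hardened form: the barrier keeps the store from issuing before the branch
   resolves, and the mask sends a mispredicted idx to buf[0] instead of past the end. */
int store_hardened(unsigned char *buf, size_t len, size_t idx, unsigned char val)
{
    if (idx < len) {
        speculation_barrier();
        idx &= index_mask_nospec(idx, len);
        buf[idx] = val;
        return 1;
    }
    return 0;
}

/* Self-check: returns 1 when both variants behave identically on the architectural path. */
int selftest(void)
{
    unsigned char a[8] = {0}, b[8] = {0};   /* constructed buffers with guard bytes after index 3 */
    int ok = store_checked(a, 4, 3, 0x41) == 1 && store_hardened(b, 4, 3, 0x41) == 1;
    ok = ok && store_checked(a, 4, 4, 0x42) == 0 && store_hardened(b, 4, 4, 0x42) == 0;
    return ok && memcmp(a, b, sizeof a) == 0 && a[3] == 0x41 && a[4] == 0;
}
```

The architectural results are identical; the hardening only changes what the CPU may do on the mispredicted path, which no unit test can observe directly.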
A vulnerability at the chip level requires either replacing the hardware or changing the commands the operating system sends to the microprocessor. In other words, addressing the vulnerabilities requires installing a Windows, Linux or macOS patch.
During the first outbreak, Microsoft released its OS patch quickly, even though it took a few attempts to get it right. For the 1.1 and 1.2 variants, though, Microsoft says it is not vulnerable.
As for Red Hat, it has confirmed that Red Hat Enterprise Linux versions 5, 6, 7 and MRG2 are affected by the new Spectre variants, but an RHSA advisory with the actual patch has not yet been released — stay tuned.
Should I be Worried?
At the beginning of 2018, the Spectre vulnerabilities made a lot of noise, and they introduced a new attack vector that is mostly relevant for public cloud and VM environments. It was also shown that they could be exploited remotely, via a web browser, or by an unauthenticated user.
Headlines aside, we have not seen a mass-scale attack exploiting these vulnerabilities. But since sample exploit code for some of the variants has been publicly available for months, that could change at any moment.