Major Intel CPU flaw OS-independent; fix could degrade performance

News by Teri Robinson

A reported chip flaw in Intel processors that has existed at least for the last 10 years allows software programs to access content in kernel memory and patching the bug.

A reported chip flaw in Intel processors that has existed at least for the last 10 years allows software programs to access content in kernel memory and patching the bug - at the operating system level in Windows, MacOS and Linux – will likely cause up to a 30 percent degradation in performance.

There is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve,” a Python Sweetness blog post noted.

"A special mechanism in Intel chips that allows reordering instruction sequences...allows increasing performance of program execution. It turns out that this mechanism does not verify access rights, resulting in the situation that any application becomes able to read data from the memory that should not be available to it,” said Max Goryachy, security researcher at Positive Technologies, who called the vulnerability “dangerous because of the bypass of a modern protection mechanism called KASLR (kernel address space layout randomisation), which simplifies hacking of modern operation systems working on Intel chipsets.”

Another use, he said, “would be to gain access to critical data, such as encryption keys, user credentials, and a lot more.”

A patch for Linux has already been released and Microsoft reportedly will patch the bug in its January Patch Tuesday release, according to a report from Hothardware.com.

Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November,” the Python Sweetness post said. “In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualisation environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.”

Vulnerabilities at this layer are uncommon and “should be taken very seriously due to the large threat surface, said Dan Hubbard, chief security architect at Lacework.

Chris Morales, head of security analytics at Vectra, said that because the flaw is OS independent, “the impact is far more reaching than just Linux, including Windows, MacOS, and virtual and cloud environments.”

The flaw in the Intel chip, he said, “is that the process used to ensure users do not have access to the kernel has a bug, allowing a user to execute code to read and access kernel level memory access, exposing critical information that would be stored there, like system passwords.” Morales acknowledged that a proof of concept that exploits the flaw had already been seen in the wild. “This flaw in the Intel chipset will impact virtual and cloud environments that load entire systems in memory, which could expose workloads to other systems and applications that share the same hardware,” he said.

Indeed, it appears that Amazon and others might be taking steps to protect their cloud offerings. “Amazon just sent a notice about a major security update and EC2 is scheduled to reboot this Friday,” said Morales. The notice said a maintenance window had been scheduled for “important security and operational updates” to Amazon EC2, which “will automatically perform the required reboot” and render the affected EC2 instances unavailable.

“If the Azure and Amazon reboots are related to the Intel flaw, it would demonstrate how far reaching the impact is,” said Morales. “A phrase like ‘the cloud is rebooting' is not something that anyone has had to say before and it reminds me of the kind of far reaching impact that Y2K was feared to have had.”

Jason Kent, CTO at AsTech, said while there is a proof of concept in the wild, “major news around this shouldn't be another flaw” but rather that “the patch seems to have some major impact on system performance.”

That could mean it's “an old bug resurfacing (regression) or it could be the new way to protect the system is much more heavy and causes degradation,” he said.  

Morales said the flaw should serve as “a wake-up call to enterprises that they need to think differently about cloud security” because it “could provide a ‘side-door' for an attacker to enter from an adjacent cloud service rather than launch a frontal assault on your enterprise applications running in the cloud.”

Users shouldn't simply wait for vendors to build a fix, instead they “should be deploying mitigating controls to protect their infrastructure and key assets.” For public cloud that means “having the appropriate visibility and detection to identify possible exploits that may lead to significant breaches,” he said.

AsTech's Kent said, members of the Linux community “need to be extra mindful on this and not just patch and hope for the best.”

Implementing the fix for the vulnerability “is going to need lots of monitoring to ensure the applications running on those devices are not suddenly unable to work with a standard workload,” he said. “This could have wide implications of doubt being cast on Vulnerability Management programs in general as well as how open source might be viewed ‘those Linux servers are slow' is a possible outcome.”

Mike Buckbee, security engineer at Varonis comments: “This vulnerability makes it theoretically possible to open up the end user's device and rummage through the computer's memory. For example, a JavaScript application running in a browser on a website could potentially access your computer's kernel memory and rip through any information held there. While it's unlikely there would be full files stored there, it's very possible it would find bits and pieces of valuable data, like SSH keys, security tokens and even passwords.  

To counteract the threat, patches for all operating systems are in the works. These patches “scramble” how kernel memory is stored, making it impossible for applications to exploit the flaw.

While all the details are not available at this point, from what is known, this vulnerability can be considered a threat: it could allow for credential theft or other privilege escalation exploits. In this respect, while potentially dire, it's very similar to an insider threat or admin data breach. Organisations need to layer multiple levels of protection to build defensive depth in their networks and applications.”

Ido Naor, senior security researcher, GReAT at Kaspersky Lab commented: “Two severe vulnerabilities have been discovered in Intel chips, both of which could enable attackers to seize sensitive information from apps by accessing the core memory. The first vulnerability, Meltdown can effectively remove the barrier between user applications and the sensitive parts of the operating system.  The second vulnerability, Spectre, also found in AMD and ARM chips can trick vulnerable applications into leaking their memory contents.

“Applications installed on a device generally run on ‘user mode', away from the more sensitive parts of the operating system.  If an app needs access to a sensitive area, for example the underlying disc, network or processing unit, it needs to ask permission to use ‘protected mode'.  In Meltdown's case, an attacker could access protected mode and the core memory without requiring permission, effectively removing the barrier – and enabling them to potentially steal data from the memory of running apps, such as data from password managers, browsers, emails, and photos and documents.

“As they are hardware bugs, patching is a significant job. Patches against Meltdown have been issued for Linux, Windows and OS X, and work is underway to strengthen software against future exploitation of Spectre. Intel has a tool you can use to check if your system is vulnerable to the bugs and Google has published further information here.  It is vital that users install any available patches without delay. It will take time for attackers to figure out how to exploit the vulnerabilities – providing a small but critical window for protection.”

Topics:
Security Security

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events