CPU manufacturers are facing two new variations of Spectre side-channel attack vulnerabilities, after two security researchers published details surrounding their discovery of Spectre 1.1 and 1.2.
Like their predecessors, these two bugs surface during speculative execution, but neither is addressed by the patches and mitigations introduced so far.
According to Vladimir Kiriansky of MIT and independent researcher Carl Waldspurger, who last week published a paper on their joint findings, the exploitation of variant 1.1 (CVE-2018-3693) can result in theft of sensitive information, while variant 1.2 (no CVE number yet) can be leveraged to overwrite read-only data and code pointers in order to breach sandboxes. What's worse, the researchers warn that "no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1."
Like many of their predecessors, variants 1.1 and 1.2 affect Intel and ARM processors and most likely AMD processors as well. Spectre 1.1, a bounds check bypass on stores, is characterised in the paper as a minor variant of Spectre 1 that "leverages speculative stores to create speculative buffer overflows": a store guarded by a mispredicted bounds check executes speculatively past the end of its buffer, so an attacker can speculatively overwrite adjacent data or code pointers and, through that, leak memory the check was meant to protect. Meanwhile, the researchers describe Spectre 1.2 as "a minor variant of Spectre-v1 which depends on lazy PTE enforcement, similar to Spectre-v3."
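To make the store-side gadget concrete, here is an added example (not code from the paper or from any affected vendor) in C: a bounds-checked store next to a code pointer, in the shape Spectre 1.1 targets, beside a hardened form that masks the index with a data dependency rather than relying on the branch alone. The layout, the `struct victim` type, the function names and the `speculative_body_*` model functions are all hypothetical; real speculation is not observable from C, so those two functions only show where each version's store would land if the guard were bypassed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (constructed for this example): a 16-byte buffer guarded
 * by a bounds check, immediately followed in memory by a code pointer. Both sit
 * in one flat array so every access below is well-defined C even when the
 * index is past the end of the *buffer*. */
#define BUF_LEN 16
#define PTR_OFF BUF_LEN                        /* code pointer starts right after the buffer */
#define MEM_LEN (BUF_LEN + sizeof(uintptr_t))

struct victim {
    uint8_t mem[MEM_LEN];
};

static void victim_init(struct victim *v, uintptr_t code_ptr) {
    memset(v->mem, 0, sizeof v->mem);
    memcpy(v->mem + PTR_OFF, &code_ptr, sizeof code_ptr);
}

static uintptr_t victim_code_ptr(const struct victim *v) {
    uintptr_t p;
    memcpy(&p, v->mem + PTR_OFF, sizeof p);
    return p;
}

/* Branchless mask: all ones when idx < len, zero otherwise. Same construction
 * as Linux's array_index_mask_nospec(): when idx >= len, len-1-idx wraps and
 * sets the top bit, and the arithmetic shift smears it across the word. */
static inline size_t index_mask_nospec(size_t idx, size_t len) {
    intptr_t s = (intptr_t)(idx | (len - 1 - idx));
    return ~(size_t)(s >> (sizeof(intptr_t) * CHAR_BIT - 1));
}

/* Vulnerable gadget: the check protects only the architectural path. If the
 * branch is mispredicted, the store runs speculatively with idx >= BUF_LEN and
 * can reach the code pointer at PTR_OFF (the Spectre 1.1 "speculative buffer
 * overflow"). */
int store_guarded(struct victim *v, size_t idx, uint8_t val) {
    if (idx < BUF_LEN) {
        v->mem[idx] = val;
        return 1;
    }
    return 0;
}

/* Hardened: the index is also clamped through a data dependency, so even a
 * store issued under misprediction lands on mem[0], inside the buffer. */
int store_masked(struct victim *v, size_t idx, uint8_t val) {
    if (idx < BUF_LEN) {
        idx &= index_mask_nospec(idx, BUF_LEN);
        v->mem[idx] = val;
        return 1;
    }
    return 0;
}

/* Models of the mispredicted window: each store's body executed as though the
 * guard had passed. The MEM_LEN check in the first one only keeps the model
 * within the struct; it is not part of the gadget. */
void speculative_body_guarded(struct victim *v, size_t idx, uint8_t val) {
    if (idx < MEM_LEN) v->mem[idx] = val;
}
void speculative_body_masked(struct victim *v, size_t idx, uint8_t val) {
    idx &= index_mask_nospec(idx, BUF_LEN);
    v->mem[idx] = val;
}

/* Runs the scenario with a constructed code pointer value; returns 0 if every
 * expectation holds, otherwise a bit for each failed check. */
int run_scenario(void) {
    const uintptr_t orig = (uintptr_t)0x4000;
    struct victim v;
    int fails = 0;

    victim_init(&v, orig);
    if (store_guarded(&v, PTR_OFF, 0x41) != 0) fails |= 1;   /* architecturally rejected */
    if (victim_code_ptr(&v) != orig) fails |= 2;
    speculative_body_guarded(&v, PTR_OFF, 0x41);             /* speculative store hits the pointer */
    if (victim_code_ptr(&v) == orig) fails |= 4;

    victim_init(&v, orig);
    if (store_masked(&v, 3, 0x55) != 1 || v.mem[3] != 0x55) fails |= 8;
    if (store_masked(&v, PTR_OFF, 0x41) != 0) fails |= 16;
    speculative_body_masked(&v, PTR_OFF, 0x41);              /* clamped to mem[0] */
    if (victim_code_ptr(&v) != orig || v.mem[0] != 0x41) fails |= 32;

    return fails;
}
```

The masking approach is the one the paper's "no generic compiler instrumentation" remark is about: a compiler cannot find every such store automatically, so each guarded store that sits near a pointer has to be identified and clamped (or fenced with `lfence` on x86) by hand. Masking is preferred over a fence where the index is available early, because it adds a dependency rather than a pipeline stall.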
While this is concerning, a security advisory published by eSentire Threat Intelligence notes that malicious code must already be present on the system for the bugs to be exploited. "The complexity and requirement of previous infection make the weaponisation of these vulnerabilities unlikely in the near future," the advisory states.
In related news, Republican Greg Walden, chairman of the US House Committee on Energy and Commerce, and John Thune, chairman of the Senate Committee on Commerce, Science & Transportation, jointly sent a letter yesterday to the Software Engineering Institute's CERT Coordination Center at Carnegie Mellon University expressing concerns over how the common vulnerability disclosure process can be improved, following Spectre and Meltdown.
Citing feedback they received from companies involved in the Spectre/Meltdown disclosure process, Walden and Thune listed several concerns, including inadequate and untimely coordination between the researchers and US-CERT, as well as misleading terminology in the way some companies announce patches (for example, wording that implies a patch has already been applied when it is merely available and not yet installed).
In their correspondence, the legislators ask that the CERT/CC -- whom they describe as a leading evangelist of best practices -- consider these concerns and update its recommended policies and procedures accordingly, including those listed in its CERT Guide to Vulnerability Disclosure.