CPU chip manufacturers are facing a brand new onslaught of Spectre speculative execution vulnerabilities, some of which could be disclosed as soon as Monday, May 7, German technology news outlet c’t has reported.
According to c’t, the eight flaws have already been confirmed to affect CPUs manufactured by Intel Corporation, and may possibly also impact chips from ARM and AMD. Intel is reportedly planning to release patches in two phases — the first in May and the second in August.
“Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers,” said Leslie Culbertson, EVP and general manager of product assurance and security at Intel, in a May 3 press release addressing the new findings. “We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”
The new vulnerabilities, which c’t collectively refers to as Spectre Next Generation (Spectre-NG), appear to be similar to the older ones in that, when left unpatched, they can be exploited to steal sensitive information via a side-channel attack that uses a low-privilege application to read the memory of another, more secured application.
This time, however, one of the bugs appears to be significantly more dangerous than its predecessors because, according to c’t, attackers can easily exploit it to attack a virtual machine, and then use it as a jumping-off point to subsequently attack its host system, or even other customers’ VMs operating on the same server. Cloud-based service providers, host systems and servers are especially threatened, c’t reports — and Intel’s Software Guard Extensions (SGX) will not shield cloud systems from the danger.
“Assuming they prove to be legitimate, the group of vulnerabilities coined as Spectre-NG may pose significantly higher risks to cloud operators and multi-tenant environments than the original variants of Spectre,” said Craig Dods, Chief Security Architect at Juniper Networks, in emailed comments. “The information provided to the German technology site… seems to imply that a few of the eight new vulnerabilities facilitate VM-escape mechanisms, allowing a threat actor to compromise the hypervisor and/or other tenants from their own VM, apparently with little-to-no effort.”
The c’t article says that multiple teams of researchers were involved in reporting the new bugs to Intel, including Google Project Zero, which follows a strict 90-day public disclosure policy for newly discovered vulnerabilities. Based on this timeline, Google could reveal details on one of the vulnerabilities as soon as May 7. It was Project Zero, alongside several other groups of independent and academic researchers, who revealed the previous set of Spectre (and Meltdown) vulnerabilities on Jan. 3 of this year.
Microsoft reportedly is also developing patches that will be distributed in the form of Windows updates, as opposed to microcode updates.
“It’s almost inevitable that new variants of Spectre will emerge,” said Satya Gupta, CTO and co-founder of Virsec, in comments. “Now that the core vulnerabilities of speculative execution have been publicized, many well-funded hacking groups globally are racing to find new ways to exploit them. These are advanced attacks exploiting small, but repeatable flaws that skip important security controls in literally billions of processors. While not all applications will be vulnerable and some compensating controls will be effective, the attackers are relentless and will continuously search for cracks in other defenses that allow Spectre to be exploited.”