A reported chip flaw in Intel processors that has existed at least for the last 10 years allows software programs to access content in kernel memory, and patching the bug – at the operating system level in Windows, MacOS and Linux – will likely cause up to a 30 percent degradation in performance.
“There is presently an embargoed security bug impacting apparently all contemporary CPU architectures that implement virtual memory, requiring hardware changes to fully resolve,” a Python Sweetness blog post noted.
“A special mechanism in Intel chips that allows reordering instruction sequences...allows increasing performance of program execution. It turns out that this mechanism does not verify access rights, resulting in the situation that any application becomes able to read data from the memory that should not be available to it,” said Max Goryachy, security researcher at Positive Technologies, who called the vulnerability “dangerous because of the bypass of a modern protection mechanism called KASLR (kernel address space layout randomization), which simplifies hacking of modern operation systems working on Intel chipsets.”
Another use, he said, “would be to gain access to critical data, such as encryption keys, user credentials, and a lot more.”
A patch for Linux has already been released and Microsoft reportedly will patch the bug in its January Patch Tuesday release, according to a report from Hothardware.com.
“Urgent development of a software mitigation is being done in the open and recently landed in the Linux kernel, and a similar mitigation began appearing in NT kernels in November,” the Python Sweetness post said. “In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer.”
Vulnerabilities at this layer are uncommon and “should be taken very seriously due to the large threat surface, said Dan Hubbard, chief security architect at Lacework.
Chris Morales, head of security analytics at Vectra, said that because the flaw is OS independent, “the impact is far more reaching than just Linux, including Windows, MacOS, and virtual and cloud environments.”
The flaw in the Intel chip, he said, “is that the process used to ensure users do not have access to the kernel has a bug, allowing a user to execute code to read and access kernel level memory access, exposing critical information that would be stored there, like system passwords.” Morales acknowledged that a proof of concept that exploits the flaw had already been seen in the wild. “This flaw in the Intel chipset will impact virtual and cloud environments that load entire systems in memory, which could expose workloads to other systems and applications that share the same hardware,” he said.
Indeed, it appears that Amazon and others might be taking steps to protect their cloud offerings. “Amazon just sent a notice about a major security update and EC2 is scheduled to reboot this Friday,” said Morales. The notice said a maintenance window had been scheduled for “important security and operational updates” to Amazon EC2, which “will automatically perform the required reboot” and render the affected EC2 instances unavailable.
“If the Azure and Amazon reboots are related to the Intel flaw, it would demonstrate how far reaching the impact is,” said Morales. “A phrase like ‘the cloud is rebooting' is not something that anyone has had to say before and it reminds me of the kind of far reaching impact that Y2K was feared to have had.”
Jason Kent, CTO at AsTech, said while there is a proof of concept in the wild, “major news around this shouldn't be another flaw” but rather that “the patch seems to have some major impact on system performance.”
That could mean it's “an old bug resurfacing (regression) or it could be the new way to protect the system is much more heavy and causes degradation,” he said.
Morales said the flaw should serve as “a wake-up call to enterprises that they need to think differently about cloud security” because it “could provide a ‘side-door' for an attacker to enter from an adjacent cloud service rather than launch a frontal assault on your enterprise applications running in the cloud.”
Users shouldn't simply wait for vendors to build a fix, instead they “should be deploying mitigating controls to protect their infrastructure and key assets.” For public cloud that means “having the appropriate visibility and detection to identify possible exploits that may lead to significant breaches,” he said.
AsTech's Kent said members of the Linux community “need to be extra mindful on this and not just patch and hope for the best.”
Implementing the fix for the vulnerability “is going to need lots of monitoring to ensure the applications running on those devices are not suddenly unable to work with a standard workload,” he said. “This could have wide implications of doubt being cast on Vulnerability Management programs in general as well as how open source might be viewed ‘those Linux servers are slow' is a possible outcome.”