Researchers from Bitdefender say Intel’s x86 and x64 are prone to SWAGS speculative execution vulnerability.

After the Spectre and Meltdown debacle last year, modern-day processors have been found to suffer from a similar vulnerability. It’s a modified form Spectre 1 vulnerability that takes advantage of speculative execution, a function found in x86 and x64 processors that anticipates and executes instructions even before specific commands are received by the system. Speculative-execution can leave information traces in-cache, allowing hackers to get in and access information stored in the protected kernel memory. 

Researchers from Bitdefender brought the issue which affects all of Intel’s x86 and x64 processors after 2012 (unless they have been patched already in a recent Microsoft update). Cyber attackers can potentially steal data from the affected CPUs’ kernel, bypassing encryption keys to guess all sorts of private data such as passwords, token sessions, and so on. In such a scenario, as long as vulnerabilities exist in the hardware, basic computer security makes no sense. 

Only x86/x64 CPUs Affected By Vulnerability

Weirdly enough, Bitdefender says that Intel had been informed about the vulnerability over a year ago. The security vendor demonstrated during the Black Hat event a Proof of Concept attack on how hackers can leverage the vulnerability (assigned CVE-2019-1125). The vulnerability makes use of the SWAPGS kernel-level instruction, first rolled out in 2012 with Ivy Bridge processors. SWAPGS in x86/x64 CPUs switches the system to begin addressing the reserved memory set aside for operating system kernels. SWAPGS vulnerability doesn’t affect systems running Linux-based operating systems, as per the research.

Interestingly, this vulnerability also allows attackers to get past any mitigation in place to stop the previous Spectre and Meltdown vulnerability which came to light in 2018 from Google Project Zero (GPZ). Also known as Speculative Store Bypass (SSB) and Rogue System Registry Read respectively, the incident caused havoc in the world of cybersecurity, pushing vendors to rollout safety patches immediately. 

Microprocessors that perform branch prediction are exposed to Spectre vulnerabilities. Such processors running on x86 or x64  architectures (the speculative execution coming from a branch misprediction) may cause discernible effects that may reveal private data to attackers. For instance, if the pattern of memory accesses done by such speculative execution relies on personal data, the resulting state of the data cache contains a side-channel using which a cybercriminal can get that private data by deploying a timing attack. 

Hackers Can Execute State Channel Attacks Using Speculative Execution 

According to Bitdefender research, speculative execution enables the CPU to execute instructions even before knowing if the actions are needed. Vulnerabilities in speculative-execution can be misused through side-channel attacks. A successful side-channel attack helps an unprivileged cyber criminal to get passed the basic memory separation enforcement by hardware meant to secure the system. The most prevalent kind of information which the criminal may get through side-channel attacks includes API keys, user passwords, or cryptographic keys as that data may help them to gain access to protected assets of a person or company. 

“While side-channel attacks have been known for some time now, speculative execution-based attacks are new, and signs indicate they will linger on for some time. To date, the most famous examples are Meltdown, Spectre, L1TF, and Microarchitectural Data Sampling (MDS), ” said Bitdefender in a whitepaper titled Bypassing KPTI Using the Speculative Behavior of the SWAPGS Instruction. 

Microsoft was quick enough to roll out the patch for the vulnerability, which it knew about in advance. “We’re aware of this industry-wide issue and have been working closely with affected chip manufacturers and industry partners to develop and test mitigations to protect our customers. We released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically,” stated Microsoft in an advisory it published recently.

Red Hat Says AMD Chips Also Vulnerable

Red Hat, on the other hand, has stated in its blog that both Intel and AMD chips are affected by the vulnerability involving SWAPGS instruction. AMD has denied it, saying that it believes it chips not vulnerable to SWAPGS variant attack. Bitdefender also said it did not find the same when it tested two of AMD chips.

“Since the SWAPGS instruction is present only on x86-64, we don’t expect other CPU architectures, such as ARM, MIPS, POWER, SPARC or RISC-V to be vulnerable. However, we don’t exclude the existence of other similarly sensitive instructions that may execute speculatively,” said Bitdefender. 

Red Hat also cautioned its users to take necessary steps immediately before any damage is caused. For Red Hat, its Linux Containers are not directly impacted by third-party hardware vulnerabilities, but their security depends on the integrity of the host kernel environment. Red Hat has advised that users update to the most recent versions of its container images. 

“Customers are advised to take a risk-based approach to mitigate this issue. Systems that require high degrees of security and trust should be addressed first and isolated from untrusted systems until treatments can be applied to those systems to reduce the risk of exploit.” Said Red Hat. 

Outlook

The incident has brought to everyone’s attention that it’s not just the buggy software which can cause attacks to occur but the hardware itself which must be designed in a way that checks itself against potential attack mechanisms in the design phase. While this incident is still a serious matter for chip manufacturers to address, it is not going to be the next major tool for criminals on the web. 

Hackers may likely continue to stick with phishing as state channel attacks take a lot of time to gather information from the CPU. Gaining access to a password by loading different letters and digits and inferring whether they are in the password by how long it takes the system to load each letter and digit is an extremely tedious process as compared to phishing. Also, Microsoft’s prompt patch update has certainly helped close the security gap. Of course, this vulnerability is gold for state-sponsored actors who have plenty of time to launch attacks against a particular organisation with unpatched systems.