UPDATE

Intel is grappling with what many experts are describing as a processor design flaw impacting CPUs used in Linux, Windows and some macOS systems. The reported flaw is tied to Intel’s kernel virtual memory system that could allow an attacker to access kernel-protected data such as passwords and login keys, according to researchers.

The impact of this type attack on Intel chips is far reaching, affecting Intel endpoint computers, but also cloud computing environments such as Amazon EC2, Microsoft Azure and Google Compute Engine, according to an analysis of the flaw by a developer blogging at Python Sweetness.

Intel said in a statement on Wednesday:

“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data.”

“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.”

Some details outlining how the attack method affects the Linux kernel have been made public, however a complete analysis of the technique is being withheld pending an embargo. Microsoft and other stakeholders are expected to reveal technical details of the so-called flaw later this month.

“Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports,” Intel said in its statement.

Initially, Intel did not return requests for comment. In a statement posted to its website Wednesday it continued:

“Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits.”

Mitigating these type of processor attacks requires programmers to overhaul both the Linux and NT kernel’s virtual memory system. Microsoft introduced patches to beta testers of its Windows operating system in November and December. Microsoft is expected to rollout patches for the flaws next week during its Patch Tuesday security update.

Security patches addressing the exploits in the Linux kernel were pushed last week. Apple’s 64-bit macOS, will also need to be updated, according to reports.

Patches will have tradeoffs and impact Intel CPU performance by as much as five to 30 percent depending on the workload, said Python Sweetness.

“In the worst case the software fix causes huge slowdowns in typical workloads. There are hints the attack impacts common virtualization environments including Amazon EC2 and Google Compute Engine, and additional hints the exact attack may involve a new variant of Rowhammer,” wrote the Python Sweetness developer.

In its statement, Intel countered, “contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.”

Still other researchers, such as Max Goryachy, security researcher at Positive Technologies, don’t believe a patch can fully mitigate the problem. “This problem could be completely fixed only in new chip versions,” he said.

As of Wednesday, the exploit doesn’t have an official name. However, researchers are calling patches that address the flaws KPTI (Kernel Page Table Isolation) and KAISER (Kernel Address Isolation to have Side-channels Efficiently Removed). This issue impacts any systems with Intel CPUs, including Apple products that use Intel CPUs, said Embedi security researcher Alexander Ermolov.

The CPU design “flaw” is tied to how the Intel processor manages memory between “kernel mode” and “user mode.” Specifics of the exploit have yet to be released, but an article by The Register delves into some of the details.

According to the report, the technique “allows normal user programs – from database applications to JavaScript in web browsers – to discern to some extent the layout or contents of protected kernel memory areas.”

Developers separate the kernel’s memory from the userland process using a Kernel Page Table Isolation (KPTI). “These KPTI patches move the kernel into a completely separate address space, so it’s not just invisible to a running process… this shouldn’t be needed, but clearly there is a flaw in Intel’s silicon that allows kernel access protections to be bypassed in some way,” The Register wrote.

“Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job. To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes’ virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and reenter the process. While in user mode, the kernel’s code and data remains out of sight but present in the process’s page tables,” The Register writes.

The KPTI technique takes advantage of the way the Intel processor switches address spaces, dumps cached data and reloads information from memory.

“It is possible the bug could be abused to defeat KASLR: kernel address space layout randomization. This is a defense mechanism used by various operating systems to place components of the kernel in randomized locations in virtual memory. This mechanism can thwart attempts to abuse other bugs within the kernel: typically, exploit code – particularly return-oriented programming exploits – relies on reusing computer instructions in known locations in memory,” according to the report.

The attack method allows an adversary to predict where data and code is stored and positioned in memory by the kernel. Predict the location, and an attacker could circumvent the wall between userland and the kernel allowing the adversary to launch malware, steal data, manipulate hardware and eavesdrop on network traffic.

Because the attack scenario requires an attacker to already have a foothold on the targeted system, the risk is not considered critical when it comes to laptops and desktop clients. But for virtual machines, where the kernel serves to keep multiple users and programs apart the risks are considered much higher.

Because the attack is specific to Intel processors, rival chip maker AMD’s CPUs are not impacted by the issue, according to AMD Linux kernel developer Tom Lendacky. He wrote in a recent Linux Kernel Mailing List message: “AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”

(This article was updated 1/3/2018 to reflect and include Intel’s statement.)

Categories: Cloud Security, Hacks, Vulnerabilities

Comments (8)

  1. William
    2

    That is the biggest detail we do not know yet. Based on my own research so far, I am guessing at least haswell on back to the original core series and maybe further back. Speculative prediction has been around for more than a decade.

    Reply
  2. Anonymous
    3

    Getting tons of notices from Microsoft entitled “Accelerated maintenance to address CPU vulnerability in your subscription”. They’re accelerating emergency reboots previously scheduled Jan 10 to…. NOW. Production systems and all.

    Reply
  3. GM
    4

    Didn’t Firefox state this could be exploited remotely through a browser? Workstations and laptops seem to be at risk if so..

    Reply
  4. Alan H Henderson`
    5

    Some have gone so far as to say anything made after 1995. This is a flaw that has been buried for quite some time. It sounds a lot like this video. Old news but it sounds real similar. Some decision made years ago and then built upon later comes back to bite us. Search YouTube for The Memory Sinkhole – Unleashing An X86 Design Flaw Allowing Universal Privilege Escalation.

    Reply
    • Tom Spring
      7

      Hi Kasparov,

      Yes it is… You should pay attention to available new patches being sent to your computer or mobile device.

      Reply
  5. Randomnamefail
    8

    In case anyone else has questions about what devices are impacted by these flaws let me say there are no exceptions. If it has a CPU and was made after 1995 then you have updates coming and you should be watching for them. It doesn’t matter what your OS is or who the CPU manufacturer was. AMD insists they are not affected but some researchers disagree and discribe AMD’s response as being like a bank claiming their security is fine because the glass front door is locked while the vault is wide open. It is so much simpler to assume you have a problem than to try and figure out if you’re one of the lucky few.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>