New SWAPGS Side-Channel Attack Bypasses Spectre and Meltdown Defenses

Researchers demonstrate a new side-channel attack that bypasses the mitigations deployed against Spectre and Meltdown.

Millions of Intel processors manufactured since 2012 are vulnerable to a new speculative-execution side-channel attack dubbed SWAPGS.

SWAPGS belongs to the same family as Spectre and Meltdown and, like them, could allow an attacker to read sensitive data such as passwords and encryption keys out of kernel memory on consumer and enterprise PCs.

“This newly disclosed attack bypasses all known mitigation mechanisms implemented in response to Spectre and Meltdown,” wrote security researchers at Bitdefender, who discovered the flaw and developed a way of exploiting it on Intel chips.

Affected systems are those running Intel CPUs that support speculative execution, the performance feature that lets the processor run instructions ahead of time, before it knows whether they are actually needed. The attack takes its name from SWAPGS, a privileged x86-64 instruction that the operating system executes when entering the kernel from user mode in order to swap the GS segment base register to its kernel value. Because the instruction, like the branch that decides whether to run it, can be executed or skipped speculatively, kernel code that follows it may briefly run with the wrong GS base, and the attack turns the memory accesses made in that window into a cache side channel.

To exploit the vulnerability an attacker needs a pre-existing foothold on the target, meaning the ability to run their own code on it; from there the attack reads data stored in memory that the attacker's process is not permitted to access, Bitdefender researchers said. The flaw is tracked as CVE-2019-1125, and Microsoft shipped a software fix for it as part of its July security update, a month before this week's public disclosure.

“To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further,” Microsoft said in an advisory.

Bypassing Existing Mitigations

“Currently, all the side-channels noted (hardware, software and microcode) are mitigated… We present a novel side-channel attack which bypasses all known mitigations by abusing a poorly-documented behavior of a system instruction called SWAPGS. The newly discovered side-channel allows an attacker to leak some portions of the kernel memory space, which would normally be protected by KPTI,” researchers wrote.

Kernel page-table isolation (KPTI) is the Linux kernel feature that mitigates the Meltdown vulnerability, as Wikipedia describes it. It also is designed to improve “kernel hardening against attempts to bypass kernel address space layout randomization. It works by better isolating user space and kernel space memory.” The catch is that KPTI only removes kernel mappings while user code is running. The SWAPGS gadget is executed by the kernel itself, immediately after a transition into kernel mode, when the kernel's own page tables are already active, so the isolation offers no protection against it.

Red Hat has also published an advisory urging its users to update their Linux kernel, and Google is alerting its users to the SWAPGS vulnerability and issuing fixes for the 4.19 kernels used by Chrome OS and Android.

Black Hat USA 2019 kicked off this week in Las Vegas.