Intel will today disclose three more vulnerabilities in its processors that can be exploited by malware and malicious virtual machines to potentially steal secret information from computer memory.
These secrets can include passwords, personal and financial records, and encryption keys. They can be potentially lifted from other applications and other customers' virtual machines, as well as SGX enclaves, and System Management Mode (SMM) memory.
SGX is Intel's technology that is supposed to protect these secrets from snooping code. SMM is your computer'shidden janitor that has total control over the hardware, and total access to its data.
Across the board, Intel's desktop, workstation, and server CPUs are vulnerable. Crucially, they do not work as documented: where their technical manuals say memory is protected, it is not.
It is the clearest example yet that, over time, Chipzilla's management traded security for speed: their processors execute software at a screaming rate, with memory protection mechanisms a mere afterthought. In the the pursuit of ever increasing performance, defenses to protect people's data became optional.
Redesigned processors without these speculative execution design blunders are expected to start shipping later this year. Mitigations in the form of microcode updates, operating system patches, and hypervisor fixes, should be arriving, and should be installed if you're worried about malware or malicious virtual machines slurping data.
These are the three cockups, which Intel has dubbed the L1 Terminal Fault (L1TF) bugs.CVE-2018-3615: This affects Software Guard Extensions (SGX), and was discovered by various academics who will reveal their findings this week at the Usenix Security Symposium. According to Intel, "Systems with microprocessors utilizing speculative execution and software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis." This vulnerability was named Foreshadow by the team who covered it. CVE-2018-3620: This affects operating systems and SMM. According to Intel, "Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis." CVE-2018-3646: This affects hypervisors and virtual machines. According to Intel, "Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis."
The operating system and hypervisor-level flaws CVE-2018-3620 and CVE-2018-3646 were discovered by Intel's engineers after they were tipped off about CVE-2018-3615, the SGX issue, by the university researchers. The impact, according to Chipzilla, is as follows:
Malicious applications may be able to infer the values of data in the operating system memory, or data from other applications.
A malicious guest virtual machine (VM) may be able to infer the values of data in the VMM’s memory, or values of data in the memory of other guest VMs.
Malicious software running outside of SMM may be able to infer values of data in SMM memory.
Malicious software running outside of an Intel SGX enclave or within an enclave may be able to infer data from within another Intel SGX enclave.
Intel has a technical white paper, here , with more information, and an FAQ here .
Finally, it must be said that no malware, to the best of our knowledge, is exploiting the related Meltdown and Spectre flaws , nor the aforementioned speculative-execution vulnerabilities partly because mitigations are rolling out across the industry, and partly because there are easier ways to hack people.
It is easier to trick someone into entering their online banking password into a bogus website than developing malicious software that tickles the underlying hardware in such a specific way to slowly extract secrets from memory. In a warped way, we should be thankful for that.
Developing... this story will be updated with more information.