Deja-wooo-oooh! Intel chips running Windows potentially vulnerable to scary Spectre variant

SWAPGS can be abused to siphon sensitive secrets from kernel memory, patches already available

Spectre – a family of data-leaking side-channel vulnerabilities arising from speculative execution that was disclosed last year and affects various vendors' chips – has a new sibling that bypasses previous mitigations.

Designated CVE-2019-1125 and rated moderate in terms of severity, the issue – limited primarily to Intel x86-64 systems running Windows – could allow a local attacker to work around protections like kernel address space isolation to read sensitive kernel memory. AMD's 64-bit x86 processors running Windows are also affected, though to a much lesser extent.

All in all, this means, as usual, malware, malicious JavaScript in a browser, or rogue users on a vulnerable system could potentially swipe secrets such as passwords and encryption keys out of RAM. Applications can snoop on other applications, code in virtual machines can spy on other virtual machines, and so on.

Note that Spectre vulnerabilities are not, to the best of our knowledge, being exploited in the wild by any software nasties, mainly because they are too much of a faff to abuse when there are easier and better bugs to abuse. As such, this latest discovery is primarily another fascinating look into the world of processor design and its shortcuts and blunders.

According to security biz BitDefender, whose researchers found the flaw, a hardware fix isn't viable and the issue has to be addressed at the operating system level. The outfit has dubbed the flaw "SWAPGS Attack," and illustrated its inner workings here.

As Red Hat explains in its write-up, SWAPGS refers to a system instruction that, as its name suggests, "swap[s] the current user space value of 'GS' (a memory segment register) with the value intended to be used during kernel operations." It's available only in 64-bit mode on x86 chips.

SWAPGS doesn't validate its value, and the kernel entry code decides whether to execute it using conditional branches; therein lies the problem. "As a result," Red Hat says, "it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations."

Such mis-speculation may then be revealed through side-channel timing analysis, resulting in the gradual disclosure of kernel memory.

The vulnerability affects Windows, including virtual machines running on it. Linux is theoretically vulnerable in that it contains a gadget (a specific construction of machine code) that could be used in a potential attack. However, BitDefender notes that the gadget lies within the Linux kernel's non-maskable interrupt (NMI) handler and would therefore be difficult, if not impossible, to attack. Apple hardware isn't believed to be affected.

Microsoft quietly patched its Windows operating system on July 9, and on Tuesday this week published an advisory to that effect. Its software revision limits how the CPU speculatively accesses memory.

"To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application," Microsoft said in its advisory. "The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further."

Red Hat – though it insists it isn't aware of any way to exploit this vulnerability on Linux kernel-based systems – has patched its Enterprise Linux versions 5-8, Atomic Host, Enterprise MRG 2, OpenShift Online v3, Red Hat Virtualization, Red Hat OpenStack Platform and Red Hat OpenShift Container Platform 4. The company insists its fix has only "a minimal performance impact" that doesn't show up in current benchmarks.
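For Linux hosts, the fix Red Hat describes shows up in the kernel's Spectre v1 status line under sysfs. The following is an added example, not code from the article, BitDefender or Red Hat; it parses that status into a verdict and flags whether the SWAPGS barriers are present, using the two status strings the upstream kernel emits for that file. The directory path and sample lines are the assumptions.

```python
"""Check whether a Linux kernel reports the SWAPGS (CVE-2019-1125) mitigation.

Added example, not from the article or from Red Hat/BitDefender. The upstream
kernel folds the fix into its Spectre v1 status line under
/sys/devices/system/cpu/vulnerabilities/; the two status strings below are the
ones the kernel emits for that file.
"""
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
# Kernel status strings for spectre_v1 with and without the swapgs barriers.
SWAPGS_MITIGATED = "Mitigation: usercopy/swapgs barriers and __user pointer sanitization"
SWAPGS_UNMITIGATED = ("Vulnerable: __user pointer sanitization and usercopy "
                      "barriers only; no swapgs barriers")


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse verdict."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def swapgs_status(entries: dict) -> dict:
    """Summarise a {filename: status} map read from the vulnerabilities dir.

    'swapgs_barriers' is True only when the spectre_v1 line is a mitigation
    that names them; a kernel too old to know about CVE-2019-1125 reports no
    swapgs text at all, which 'swapgs_reported' exposes.
    """
    v1 = entries.get("spectre_v1", "")
    return {
        "spectre_v1": classify(v1),
        "swapgs_barriers": "swapgs barriers" in v1 and classify(v1) == "mitigated",
        "swapgs_reported": "swapgs" in v1,
    }


def read_sysfs(path: str = VULN_DIR) -> dict:
    """Read every file in the vulnerabilities directory into a dict."""
    out = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as f:
            out[name] = f.read().strip()
    return out


# Constructed sample, as a patched upstream kernel would report it.
SAMPLE = {"spectre_v1": SWAPGS_MITIGATED, "spectre_v2": "Mitigation: Retpolines"}

if __name__ == "__main__":
    src = read_sysfs() if os.path.isdir(VULN_DIR) else SAMPLE
    print(swapgs_status(src))
```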

Neither AMD nor Intel plan to issue microcode updates because they believe the vulnerability can be adequately addressed in software.

Intel, in a statement provided to The Register, said Microsoft's patch resolved the problem, which applies to x86-64 chips since Ivy Bridge (2012). "Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft," the chipmaker said. "It takes the ecosystem working together to collectively keep products and data more secure and this issue is being coordinated by Microsoft."

AMD is even less concerned.

"Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS," AMD said in a statement on its website. "For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1."

BitDefender's white paper describes two attack scenarios: when SWAPGS should be executed but is speculatively skipped, and when SWAPGS should not be executed but is speculatively executed anyway.

Each of these has two variants: where the attacker tests if a value is located at a specific kernel address and where the attacker infers the value at a randomly selected kernel address. It's only this second variant of the second attack scenario that pertains to AMD. ®

Biting the hand that feeds IT © 1998–2022