Spectre and Meltdown Flaws: Two More Variants DiscoveredMore CPU Flaws Found in Intel, AMD, ARM and IBM Power Processors
Researchers have discovered two new Spectre/Meltdown variants - known as 3a and 4 - beyond the trio of speculative execution flaws that were first announced in January.
As with the trio of flaws previously announced on Jan. 3, the newly discovered vulnerabilities, first publicly disclosed on Monday, could be exploited by attackers to steal sensitive information from vulnerable systems (see Serious Meltdown and Spectre Flaws Make CPUs Exploitable).
The chipmakers have been furiously shipping microcode updates and working with operating system makers and others to put firmware and software fixes in place to help block attempts to exploit the flaws.
In a Monday security alert about the two newly disclosed variants, the U.S. Computer Emergency Readiness Team recapped the bigger-picture problem facing CPU hardware implementations that are vulnerable to Spectre and Meltdown side-channel attacks: "Meltdown is a bug that 'melts' the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers," it says. "Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data."
Variant 3a: Rogue System Register Read
Variant 3a has been assigned CVE-2018-3640 and "is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information," US-CERT says.
Zdenek Sojka, Rudolf Marek and Alex Zuepke from German OS and embedded technology firm SYSGO are credited with finding and reporting variant 3a to chipmakers.
Variant 4: Speculative Store Bypass
Spectre/Meltdown variant 4 is a "a new subclass of speculative execution side channel vulnerabilities known as speculative store bypass (SSB)," and has been assigned CVE-2018-3639, according to a security alert issued on Monday by Microsoft.
"When exploited, variant 4 could allow an attacker to read older memory values in a CPU's stack or other memory locations," US-CERT says. "While implementation is complex, this side-channel vulnerability could allow less privileged code to read arbitrary privileged data; and run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods."
Variant 4 was independently discovered by Ken Johnson of Microsoft as well as Jann Horn of Google Project Zero, who was one of multiple researchers who independently discovered Meltdown and Spectre.
Microsoft says it reported the flaw last November to "industry partners." Google reported the flaw separately to chipmakers on Feb. 6, warning that if chipmakers didn't issue a public alert within 90 days, then Google would do so.
Intel Ships New Microcode
Intel says the risk posed by variant 4 is low, thanks to fixes that have been put in place since the first three variants were discovered.
"Most leading browser providers have recently deployed mitigations in their managed runtimes - mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser," Intel says. "These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB."
But Intel says it's also rolling out defenses designed specifically to combat variants 3a and 4.
"We've already delivered the microcode update for variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks," says Leslie Culbertson, general manager of product assurance and security at Intel.
Variant 4 Patch: Performance Impact
Culbertson says the mitigation ships set to off-by-default, which carries no performance impact.
"If enabled, we've observed a performance impact of approximately 2 to 8 percent," she says. That would come on top of some other performance impacts already carried by workarounds for some of the other variants.
Indeed, the trouble with the Meltdown and Spectre flaws is that they target CPU functions that are designed to speed up computing. Unfortunately, mitigating those flaws takes a bite out of processor speed (see Performance Hit: Meltdown and Spectre Patches Slow Systems).
On the upside, Intel says that its variant 4 microcode update also addresses variant 3a, which is says was already publicly documented by ARM in January, and that the fix for the latter carries no performance impact.
"We've bundled these two microcode updates together to streamline the process for our industry partners and customers," Culbertson says.
Microsoft Sees Low Risk
To date, Microsoft says, it has not found "any exploitable instances of this vulnerability class in our software at this time" but says it's continuing to investigate and invite researchers to "report any exploitable instances of CVE-2018-3639 as part of our Speculative Execution Side Channel Bounty program." That bug bounty program runs until the end of 2018 (see Microsoft Offers Payouts for New Spectre, Meltdown Flaws).
Linux Vendors Ship Fixes
Linux OS vendor Red Hat, in a teardown of the speculative store bypass vulnerability, says vendors have been building a range of responses designed to mitigate Spectre and Meltdown variants.
"Red Hat and other vendors have worked with the upstream Linux kernel community to create best practices, as well as new security APIs, including mitigations against speculative store buffer bypass exploitation that can be enabled globally or on a per-process level," it says. "In addition, we are shipping updates to common managed code environments that could be subject to attack. You should apply these updates, along with any necessary microcode updates, as soon as possible."
VMware Preps Patches
Expect to see new patches from many other vendor designed to address variants 3a and 4.
VMware, for one, says it plans to release a patch for vSphere to address variant 4.
But based on its review of CVE-2018-3639 and CVE-2018-3640, it doesn't believe that the flaws could be exploited to enable information disclosure from one virtual machine to another, or from a hypervisor to a virtual machine. "Thus, hypervisor-specific mitigations are not required," it says.
Spectre/Meltdown: 5 Variants and Counting
The Spectre/Meltdown flaws now refer to five variants - or four variants and a "subvariant":
- Variant 1: Bounds check bypass (CVE-2017-5753);
- Variant 2: Branch target injection (CVE-2017-5715);
- Variant 3: Using speculative reads of inaccessible data (CVE-2017-5754);
- Variant 3a: Using speculative reads of inaccessible data, aka "rogue system register read" (CVE-2018-3640);
- Variant 4: speculative bypassing of stores by younger loads despite the presence of a dependency (CVE-2018-3639).
Chipmakers Prepping Fixes
Four chipmakers are warning users that some of their processors are at risk from Spectre and Meltdown:
- AMD says "processors families 15h, 16h, and some models of family 17h" may be at risk from variant 4.
- ARM says some Cortex-A and Cortex-R cores are vulnerable to Meltdown and Spectre variants.
- Intel says a number of its Core, Xeon, Atom, Celeron and Pentium processors are vulnerable to some Spectre/Meltdown variants.
- IBM says its Power CPUs are vulnerable to variant four. It's released patches for Power7, Power7+, Power8 and Power9 platforms, saying that previous generations of CPUs will not get patched.
Revelations over the flaws have led to lawsuits seeking class-action status against not only chipmakers but also technology firms that use the chips, including Apple (see Intel Faces 32 Spectre/Meltdown Lawsuits).
More New Variants?
News of a new Spectre/Meltdown vulnerability announcement set for Monday was first reported earlier this month by technology news site Heise in Germany, which said researchers had code named the new batch of flaws as the "next generation."
Heise, however, suggested that there were not two but rather eight new types of Meltdown and Spectre flaws and reported that Intel was attempting to delay public notification on at least some of those flaws until at least July 10 (see Spectre: The Next Generation).
Intel didn't immediately respond to a new request for comment about that report. But it previously declined to comment, saying only that it was continuing to work with industry partners.
Regardless, security experts expect to see researchers discover more speculative execution vulnerabilities in CPUs, buoyed by this year's Spectre and Meltdown revelations, as well as bug bounties created by Microsoft and Intel (see Expect More Cybersecurity 'Meltdowns').