SpectreNG

Security researchers from Google and Microsoft have found two new variants of the Spectre attack that affect processors made by AMD, ARM, IBM, and Intel.

Rumors about this new flaw leaked online at the start of the month in a German magazine, but actual details were published today.

AMD, ARM, IBM, Intel, Microsoft, Red Hat and Ubuntu have published security advisories at the time of writing, containing explanations of how the bugs work, along with mitigation advice.

Bug known as SpectreNG

The bugs, referred to in recent weeks as SpectreNG, are related to the Meltdown and Spectre bugs discovered last year and announced at the start of 2018.

Google and Microsoft researchers discovered the bugs independently. The bugs work similarly to the earlier Meltdown and Spectre bugs, which is why they were classified as "variant 3a" and "variant 4" rather than as separate vulnerabilities altogether.

Variant 1: bounds check bypass (CVE-2017-5753) aka Spectre v1
Variant 2: branch target injection (CVE-2017-5715) aka Spectre v2
Variant 3: rogue data cache load (CVE-2017-5754) aka Meltdown
Variant 3a: rogue system register read (CVE-2018-3640)
Variant 4: speculative store bypass (CVE-2018-3639) aka SpectreNG

Variant 3a is a variation of the Meltdown flaw, while Variant 4 is a new Spectre-like attack. The more important of the two is Variant 4. Both bugs stem from the same cause, speculative execution, a feature found in all modern CPUs that improves performance by computing operations in advance and later discarding any results that turn out not to be needed.

The difference is that Variant 4 affects a different part of the speculative execution process: the data held in the "store buffer" inside a CPU's cache. Red Hat has published a YouTube video explaining how the bug affects modern CPUs.

As Red Hat breaks it down in a more technical explanation, the vulnerability...

...relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.

"An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries," Microsoft said in a similar advisory, confirming a Red Hat assessment that the flaw could be used to break out of sandboxed environments. Microsoft also published a more in-depth blog on the Variant 4 bug.

Google's Jann Horn, the man behind the Meltdown and Spectre flaws, has also published proof-of-concept code.

Intel and AMD x86 chipsets, along with POWER 8, POWER 9, System z, and ARM CPUs are known to be affected. Intel has published a detailed list of affected CPU series in a security advisory.

Variant 4 can be exploited remotely, via JavaScript code running in the browser. Microsoft said, however, that it has not detected any exploitation attempts.

Additional patches released

Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel Corporation, said that the original Meltdown and Spectre patches from January 2018 should be enough to mitigate Variant 4 as well.

Nonetheless, Intel also announced new patches.

"We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks," Culbertson said. "This mitigation will be set to off-by-default, providing customers the choice of whether to enable it."

"In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent," Culbertson added. AMD, too, recommended leaving the Variant 4 mitigations disabled in a whitepaper.

Red Hat and Microsoft announced new patches as well (see links to security advisories for mitigation advice). Cisco said its devices are not affected.
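As an added example (not code from the article, nor from Intel, AMD, Red Hat or Microsoft), the small Linux audit script below ties together the store-buffer mechanism described above and the off-by-default mitigation the vendors describe: it reads the kernel's spec_store_bypass sysfs status, distinguishes a global Speculative Store Bypass Disable from the opt-in-only default (reported as "disabled via prctl and seccomp"), and shows how a process can opt itself in through prctl(2). The sysfs path and the prctl constants are real Linux interfaces (kernels with the Variant 4 patches, 4.17 and later); the status strings in SAMPLE_SYSFS_LINES are constructed samples, and the function names are my own.

```python
"""Audit the Linux mitigation state for Speculative Store Bypass (Variant 4).

Added example, not code from the article or any vendor advisory. Assumes a
Linux kernel that exposes the sysfs vulnerability file and the prctl()
speculation-control interface (mainline since the Variant 4 patches).
"""
import ctypes
import ctypes.util
import os
from dataclasses import dataclass
from typing import Optional

SYSFS_SSB = "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

# prctl(2) speculation-control constants, values as in linux/prctl.h.
PR_GET_SPECULATION_CTRL = 52
PR_SET_SPECULATION_CTRL = 53
PR_SPEC_STORE_BYPASS = 0          # the "misfeature" selector for Variant 4
PR_SPEC_PRCTL = 1 << 0            # per-process control is available
PR_SPEC_ENABLE = 1 << 1           # speculation allowed (unmitigated)
PR_SPEC_DISABLE = 1 << 2          # speculation disabled (mitigated)
PR_SPEC_FORCE_DISABLE = 1 << 3    # disabled and cannot be re-enabled

# Constructed sample lines in the format the kernel writes to the sysfs file.
SAMPLE_SYSFS_LINES = {
    "patched_default": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "patched_global": "Mitigation: Speculative Store Bypass disabled",
    "unpatched": "Vulnerable",
    "immune": "Not affected",
}


@dataclass
class SsbStatus:
    affected: bool      # CPU is susceptible to Variant 4
    mitigated: bool     # kernel reports some mitigation in place
    opt_in_only: bool   # mitigation applies only to processes that ask for it
    raw: str


def parse_ssb_status(line: str) -> SsbStatus:
    """Interpret one line from the spec_store_bypass sysfs file."""
    text = line.strip()
    lower = text.lower()
    if lower.startswith("not affected"):
        return SsbStatus(affected=False, mitigated=True, opt_in_only=False, raw=text)
    if lower.startswith("mitigation:"):
        # "via prctl and seccomp" is the off-by-default mode: store-bypass
        # speculation stays on unless a process opts in. Without that suffix
        # the kernel has disabled it system-wide.
        opt_in = "prctl" in lower or "seccomp" in lower
        return SsbStatus(affected=True, mitigated=True, opt_in_only=opt_in, raw=text)
    if lower.startswith("vulnerable"):
        return SsbStatus(affected=True, mitigated=False, opt_in_only=False, raw=text)
    raise ValueError(f"unrecognised spec_store_bypass status: {text!r}")


def describe_prctl_state(value: int) -> str:
    """Decode prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS) for a human."""
    if value == 0:                      # PR_SPEC_NOT_AFFECTED
        return "not affected"
    if not value & PR_SPEC_PRCTL:
        return "fixed by a kernel-wide setting; not controllable per process"
    if value & PR_SPEC_FORCE_DISABLE:
        return "force-disabled for this process (cannot be re-enabled)"
    if value & PR_SPEC_DISABLE:
        return "disabled for this process (mitigated)"
    if value & PR_SPEC_ENABLE:
        return "enabled for this process (store-bypass speculation allowed)"
    return f"unknown state {value:#x}"


def _libc_prctl():
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.prctl.restype = ctypes.c_int
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    return libc.prctl


def get_process_ssb_state() -> int:
    """Raw PR_GET_SPECULATION_CTRL value for this process (-1 if unsupported)."""
    return _libc_prctl()(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)


def disable_ssb_for_this_process(force: bool = False) -> bool:
    """Opt this process (and the children it forks) into the SSBD mitigation."""
    mode = PR_SPEC_FORCE_DISABLE if force else PR_SPEC_DISABLE
    return _libc_prctl()(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, mode, 0, 0) == 0


def audit(line: Optional[str] = None) -> SsbStatus:
    """Parse the live sysfs file, or a supplied line for offline use."""
    if line is None:
        with open(SYSFS_SSB) as fh:
            line = fh.read()
    return parse_ssb_status(line)


if __name__ == "__main__":
    live = os.path.exists(SYSFS_SSB)
    status = audit() if live else audit(SAMPLE_SYSFS_LINES["patched_default"])
    print(("live" if live else "sample") + " status:", status)
    if live and status.opt_in_only:
        print("before opt-in:", describe_prctl_state(get_process_ssb_state()))
        disable_ssb_for_this_process()
        print("after opt-in: ", describe_prctl_state(get_process_ssb_state()))
```

Run it as an ordinary user; no privilege is needed to read the sysfs file or to tighten a process's own speculation policy. The opt-in only applies to the calling process and its descendants, which is exactly the trade-off Intel and AMD describe: a sandbox host or browser can pay the performance cost selectively instead of system-wide.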
