NetSpectre

Scientists have published a paper today detailing a new Spectre-class CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine.

This new attack —codenamed NetSpectre— is a major evolution for Spectre attacks, which until now have required the attacker to trick a victim into downloading and running malicious code on his machine, or at least accessing a website that runs malicious JavaScript in the user's browser.

But with NetSpectre, an attacker can simply bombard a computer's network ports and achieve the same results.

NetSpectre has low exfiltration speeds

Although the attack is innovative, NetSpectre also has its downsides (or positive side, depending on which side of the academics/users barricade you are on). The biggest is the attack's woefully slow exfiltration speed, which is 15 bits/hour for attacks carried out via a network connection and targeting data stored in the CPU's cache.

Academics achieved higher exfiltration speeds —of up to 60 bits/hour— with a variation of NetSpectre that targeted data processed via a CPU's AVX2 module, specific to Intel CPUs.

Nonetheless, both NetSpectre variations are too slow to be considered valuable for an attacker. This makes NetSpectre just a theoretical threat, and not something that users and companies should be planning for with immediate urgency. But as we've seen in the past with Rowhammer attacks, as academics spend more time probing a topic, exfiltration speeds will also eventually go up, while the technical limitations that prevent such attacks from working will slowly go down and dissipate.

Existing mitigations should prevent NetSpectre

Under the hood, this new NetSpectre attack is related to the Spectre v1 vulnerability (CVE-2017-5753) that Google researchers and academics revealed at the start of the year.

As such, all CPUs previously affected by Spectre v1 are believed to also be affected by NetSpectre, although academics said that existing vendor mitigations should stop NetSpectre, if they've been deployed with the OS and the CPU's firmware.

Readers can find out more about this new NetSpectre attack in a research paper published by four academics from the Graz University of Technology in Austria. The research paper is named "NetSpectre: Read Arbitrary Memory over Network."

This is the second Spectre attack variation that academics have revealed in the span of a week. Last week, researchers from the University of California, Riverside (UCR) published details about another attack named SpectreRSB that carries out its data exfiltration by abusing the CPU's Return Stack Buffer (RSB).

| Variant | Description | CVE | Codename | Affected CPUs | More info |
|---|---|---|---|---|---|
| Variant 1 | Bounds check bypass | CVE-2017-5753 | Spectre v1 | Intel, AMD, ARM | Website |
| Variant 1.1 | Bounds check bypass on stores | CVE-2018-3693 | Spectre 1.1 | Intel, AMD, ARM | Paper |
| Variant 1.2 | Read-only protection bypass | CVE unknown | Spectre 1.2 | Intel, AMD, ARM | Paper |
| Variant 2 | Branch target injection | CVE-2017-5715 | Spectre v2 | Intel, AMD, ARM | Website |
| Variant 3 | Rogue data cache load | CVE-2017-5754 | Meltdown | Intel, ARM | Website |
| Variant 3a | Rogue system register read | CVE-2018-3640 | - | Intel, AMD, ARM, IBM | Mitre |
| Variant 4 | Speculative store bypass | CVE-2018-3639 | SpectreNG | Intel, AMD, ARM, IBM | Microsoft blog post |
| - | Return mispredict | - | SpectreRSB | Intel, AMD, ARM | Paper |
| - | Access-driven remote Evict+Reload cache attack | - | NetSpectre | Intel, AMD, ARM | Paper |
