UPDATE: Speculation over. Google has published details about the flaws described in this article. The original article follows below, but an accurate version is available here.
OS makers and cloud service providers are preparing patches for a security bug affecting Intel processors, according to several sources with knowledge of the upcoming fixes.
The issue is said to let an attacker discover the memory layout used by the OS kernel, which in turn lets attack code be aimed at those regions to read the contents of kernel memory.
Exact details are not available at the time of writing, but several kernel experts have pointed out that the patches prepared for this issue make a major change to how operating systems manage kernel memory, and that some of those changes may carry a performance cost.
Speculation has been rampant in the information security and hardware community, and we'll not reproduce some of the unfounded claims in this article. Details are scarce because all people involved in patching the flaws have signed non-disclosure agreements to keep any potentially exploitable info under an embargo.
More information is expected to become public either on January 4 (when various cloud providers will deploy fixes to their services) or January 9 (when Microsoft will release the January 2018 Patch Tuesday security fixes).
Experts first suspected something was afoot in November 2017, when the Linux project added support for a new security feature called Kernel Page Table Isolation (KPTI).
As described at the time, KPTI works by separating the kernel's memory mappings from the address space visible to normal (usermode) processes.
Until then, the kernel was mapped into every process's page tables alongside the process's own memory, with user code kept out of the kernel half only by the supervisor-mode permission bits on those pages; the two halves were treated as distinct "virtual" regions of a single address space.
Some of the world's leading kernel experts believe someone found a way, from code running in an ordinary user-level process, to reveal the (supposed-to-be-secret) location of kernel code in memory and then read the contents of that memory.
On Tumblr, a security expert writing under the pseudonym Python Sweetness argues that the patches are related to a research paper describing a method for unmasking the memory location of kernel code.
The paper, authored by a team from the Graz University of Technology in Austria, discussed breaking KASLR (kernel address space layout randomization), a protection used by both Linux and Windows that randomizes where kernel code is placed in memory so that an exploit cannot assume its address.
After the researchers published their paper, work on strengthening KASLR led to the KAISER project, a page-table isolation scheme designed to keep the kernel's addresses hidden from user processes.
Because KPTI development came as a continuation of KAISER, many believe the method described in that research paper may be the ultra-secret vulnerability that OS makers and cloud providers have been working to patch over the past months.
Linux maintainers have already shipped kernel versions containing these fixes. Microsoft has also released fixes, but only for Windows Insider builds, with patches for mainstream Windows branches expected next week. Apple reportedly patched the issue in macOS 10.13.2.
Cloud providers such as Google, Amazon, and Microsoft are set to patch their services this week and next, and have been notifying customers of planned downtime.
It’s cool when Amazon emails you to let you know about an apparent undisclosed critical Xen vulnerability to be published in January. pic.twitter.com/Dbrpx78VAd— Jan Schaumann (@jschauma) December 14, 2017
This is there too. pic.twitter.com/hn72QIGh8U— Longhorn (@never_released) January 1, 2018
Experts who analyzed the new KPTI feature said that separating kernel and usermode memory spaces adds work to every transition between the two (each system call, interrupt, and return), so processing speed will be affected and some systems may see a performance dip.
Some tech and hardware blogs have already begun benchmarking CPU performance before and after the patch, and some report performance dips. Readers should keep in mind, though, that these are in-development OS builds, and the patched OSes may receive further patching and optimization.
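Because the overhead lives in the kernel entry and exit path, the cleanest way to see it is a system-call micro-benchmark rather than a whole-system benchmark. The following is an added example, not code from the article or from any of the vendors or blogs it mentions; it assumes a Linux/glibc build environment (syscall(2) and clock_gettime with CLOCK_MONOTONIC) and nothing else. It times a loop of the cheapest system call against a loop of plain user-space work: the syscall figure is what moves when page-table isolation is toggled, the user-space figure should not.

```c
/* Added example (not from the article): measure the per-round-trip cost of
 * entering and leaving the kernel, which is the path KPTI makes longer. */
#define _GNU_SOURCE
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Monotonic clock in nanoseconds. */
static double now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1e9 + (double)ts.tv_nsec;
}

/* Average nanoseconds for one user->kernel->user round trip.
 * getpid is used because the kernel does almost no work for it, so the
 * figure is dominated by the entry/exit path rather than by the call itself. */
double ns_per_syscall(long iters)
{
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        (void)syscall(SYS_getpid);     /* raw syscall: no libc pid caching */
    return (now_ns() - t0) / (double)iters;
}

/* Baseline with the same loop shape but no kernel entry; unaffected by KPTI. */
double ns_per_user_op(long iters)
{
    volatile long sink = 0;
    double t0 = now_ns();
    for (long i = 0; i < iters; i++)
        sink += i;
    return (now_ns() - t0) / (double)iters;
}

int main(void)
{
    const long iters = 1000000;
    double sc = ns_per_syscall(iters);
    double us = ns_per_user_op(iters);
    printf("getpid syscall: %.1f ns/call\n", sc);
    printf("user-space op:  %.1f ns/op\n", us);
    if (us > 0)
        printf("kernel round trip costs %.0fx a user-space op\n", sc / us);
    return 0;
}
```

Run it once on a default boot and once after adding `nopti` to the kernel command line (or against a host whose kernel predates KPTI), and compare the syscall line only; absolute numbers vary with the CPU, and parts with PCID support pay noticeably less for the extra page-table switches than parts without it. A workload that rarely enters the kernel will see a much smaller share of this per-call cost than the micro-benchmark suggests.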
If AWS and Azure are patching it over next few days, they will be confident on performance impact being acceptable as they’re running millions of systems.— Kevin Beaumont (@GossiTheDog) January 3, 2018
While KPTI is being enabled by default for all x86 CPUs, the vulnerability appears to affect Intel processors only. AMD has gone on record saying the security bug does not affect its CPUs, and has recommended that KPTI be left off on them so that users do not pay the performance cost for no benefit.
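To tell on a given Linux host whether page-table isolation is actually active, and if not, why, the kernel exposes two things: a `pti` entry among the CPU flags in /proc/cpuinfo while isolation is on, and the `nopti` and `pti=off` boot parameters that switch it off. The following is an added example, not code from the article, the Linux project or AMD; the file formats and parameter names are the real ones, while the sample file contents, the status strings and the "AMD default" classification (which reflects mainline's choice not to enable PTI on AMD CPUs) are this example's own.

```c
/* Added example (not from the article or any vendor): classify KPTI state from
 * the text of /proc/cpuinfo and /proc/cmdline. Sample inputs are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if `s` (read up to end of line) contains `word` as a whole
 * whitespace-separated token. */
static int has_token(const char *s, const char *word)
{
    size_t n = strlen(word);
    while (*s && *s != '\n') {
        while (*s == ' ' || *s == '\t') s++;
        const char *tok = s;
        while (*s && *s != ' ' && *s != '\t' && *s != '\n') s++;
        if ((size_t)(s - tok) == n && memcmp(tok, word, n) == 0)
            return 1;
    }
    return 0;
}

/* Value text after the ':' of the first "key<ws>: value" line, or NULL. */
static const char *field_value(const char *text, const char *key)
{
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        if (strncmp(line, key, klen) == 0) {
            const char *p = line + klen;
            while (*p == ' ' || *p == '\t') p++;
            if (*p == ':') return p + 1;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return NULL;
}

/* Classify KPTI state; the status strings are this example's own. */
const char *kpti_status(const char *cpuinfo, const char *cmdline)
{
    const char *flags = field_value(cpuinfo, "flags");
    const char *vendor = field_value(cpuinfo, "vendor_id");

    /* The kernel lists "pti" among the CPU flags only while isolation is active. */
    if (flags && has_token(flags, "pti"))
        return "enabled";
    /* Support is compiled in but was switched off at boot. */
    if (has_token(cmdline, "nopti") || has_token(cmdline, "pti=off"))
        return "disabled:cmdline";
    /* Mainline does not mark AMD CPUs as affected, so PTI stays off there by default. */
    if (vendor && has_token(vendor, "AuthenticAMD"))
        return "disabled:amd-default";
    /* No flag and no explanation: a kernel without KPTI, or a CPU the kernel exempts. */
    return "absent";
}

/* Constructed samples (abridged; real files carry many more lines and flags). */
const char SAMPLE_INTEL_PTI[] =
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz\n"
    "flags\t\t: fpu vme de pse tsc msr pae pti sse sse2 ht pcid\n";
const char SAMPLE_INTEL_NOPTI[] =
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht pcid\n";
const char SAMPLE_AMD[] =
    "vendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht\n";
const char CMDLINE_DEFAULT[] = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet\n";
const char CMDLINE_NOPTI[]   = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nopti\n";

/* Read a whole file into a heap buffer (NULL if unreadable). */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f) return NULL;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    if (buf) buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    printf("intel, default boot : %s\n", kpti_status(SAMPLE_INTEL_PTI, CMDLINE_DEFAULT));
    printf("intel, nopti        : %s\n", kpti_status(SAMPLE_INTEL_NOPTI, CMDLINE_NOPTI));
    printf("amd,   default boot : %s\n", kpti_status(SAMPLE_AMD, CMDLINE_DEFAULT));
    char *ci = slurp("/proc/cpuinfo"), *cl = slurp("/proc/cmdline");
    if (ci && cl)
        printf("this host           : %s\n", kpti_status(ci, cl));
    free(ci);
    free(cl);
    return 0;
}
```

The "absent" result deserves a second look rather than being read as "not vulnerable": it is what an unpatched kernel on an Intel CPU reports, so on a fleet the interesting hosts are the Intel ones that do not say "enabled".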
Earlier today, Erik Bosman, a security researcher with VUSec (Systems and Network Security Group at Vrije Universiteit Amsterdam) claimed he was able to exploit the supposed Intel bug to read data from privileged kernel memory.
This post had the same opinion. KASLR is not worth the panic (or even the performance hit?), but a hypervisor privilege escalation escape through a hardware bug definitely would justify panic for cloud providers.https://t.co/nVZjNynVLe— Peter Ceeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee (@itspeterc) January 3, 2018
Nonetheless, there is a feeling in parts of the infosec community that the Intel CPU vulnerability is being blown out of proportion, with the attention driven more by the number of affected vendors than by the severity of the risk.
I can’t possibly be the only one who thinks a KASLR bypass is not worth this much concern. Its amazing technical research but why the panic? Remember, most of the world runs on 2.6 kernels...— Chris Rohlf (@chrisrohlf) January 3, 2018
Without concrete details, many experts and journalists have speculated that the bug affects all Intel CPUs released in the last decade.
This flood of FUD headlines sent Intel's stock down 4% earlier today, while AMD rose 7%, simply because the company said it was not affected.
Intel, Microsoft, and a few other organizations Bleeping Computer reached out to today did not respond to requests for comment, holding to their embargo.
Given the impact these rumors have had on stock prices, you can rest assured these companies will not be saying anything until the issues are patched and Intel publishes an official security advisory.