New Intel Side-Channel Vulnerability Puts Sensitive Data At Risk: Bitdefender

The attack impacts modern Intel CPUs that use speculative execution, and circumvents protective measures put in place after the discovery of Spectre and Meltdown, Bitdefender said. Microsoft released a new patch to mitigate the attack.

A new security vulnerability impacting all modern Intel CPUs that use speculative execution could give hackers access to passwords, tokens and other sensitive data, Bitdefender found.

The Bucharest, Romania-based cybersecurity vendor said its researchers have demonstrated a new type of side-channel vulnerability that gives adversaries a method to access all information in the operating system kernel memory. The attack bypasses all known mitigations put in place after the discovery of Spectre and Meltdown in early 2018, Bitdefender said.

Every machine introduced since 2012 that uses Intel processors, runs Windows, and leverages speculative execution is affected, including desktops, laptops, and servers of both home and enterprise users. Bitdefender said its research indicates that neither Linux nor other x86 processors are affected by the vulnerability, and also doesn't expect Apple devices to be vulnerable.

[Related: Bitdefender Snags Fortinet's Bellano To Lead North American Channels: Exclusive]

"Criminals with knowledge of these attacks would have the power to uncover the most vital, best-protected information of both companies [Intel and Microsoft] and private individuals around the world, and the corresponding power to steal, blackmail, sabotage and spy," Gavin Hill, Bitdefender's VP of datacenter and network security products, said in a statement.

Microsoft has released a patch to mitigate this attack, according to Bitdefender, and other ecosystem partners have – or continue to assess – issuing patches as appropriate. Unpatched Windows systems can also opt to use Bitdefender Hypervisor Introspection for mitigation, the company said.

Intel said in a statement that it expects the exploits described by Bitdefender can be addressed using existing mitigation techniques.

A Microsoft spokesperson said that “we’re aware of this industry-wide issue and have been working closely with affected chip manufacturers and industry partners to develop and test mitigations to protect our customers. We released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically.”

It is possible that an attacker with knowledge of the vulnerability could have exploited it to steal confidential information, Bitdefender said. Sensitive information such as passwords, encryption keys, tokens or access credentials may be present in kernel memory and can be exfiltrated by the attacker, according to Bitdefender.

The side-channel attack takes advantage of speculative execution, a functionality that seeks to speed up the CPU by having it make educated guesses as to which instructions might come next. But speculative execution also leaves traces in-cache which attackers can leverage to leak privileged, kernel memory.

The vulnerability found by Bitdefender combines Intel speculative execution of instructions and the use of a specific instruction by Windows operating systems within what is known as a gadget.

Specifically, Windows leverages the SWAPGS instruction on the gadget on 64-bit Intel architecture which, when manipulated, can be used to leak sensitive kernel memory from user mode. The attack breaks the memory isolation provided by Intel CPUs, allowing an unprivileged attacker to access privileged, kernel memory.

Bitdefender said it has been working with the industry on public disclosure of the vulnerability for more than a year. Any processors from Intel Ivy Bridge (released in 2012) to the latest processor series available on the market are affected by the vulnerability since they support SWAPGS and WRGSBASE instructions, according to Bitdefender.

A Red Hat advisory published Tuesday said the vulnerability “applies to x86-64 systems using either Intel or AMD processors.” Bitdefender, though, said they tested two AMD CPUs, and "neither exhibited speculative behavior for the SWAPGS instruction." Similarly, AMD said that external and internal analysis indicated the company wasn’t vulnerable to SWAPGS variant attacks

The latest side-channel attack against Intel processors comes just three months after Bitdefender discovered a security vulnerability in Intel processors that could allow an attacker to access privileged kernel-mode information considered beyond the reach of most applications. Research into side-channel attacks against vulnerabilities in speculative execution continues at a rapid pace, Bitdefender said.