CVE-2018-3665: Floating Point Lazy State Save/Restore vulnerability affects Intel chips
There has been something of a spate of chip vulnerability discoveries recently, and now another one has emerged. Known as Floating Point Lazy State Save/Restore, the security flaw (CVE-2018-3665) is found in Intel Core and Xeon processors and it is another speculative execution vulnerability in a similar vein to Spectre.
The security flaw takes advantage of one of the ways the Linux kernel saves and restores the state of the Floating Point Unit (FPU) when switching tasks -- specifically the Lazy FPU Restore scheme, in which the FPU registers of the previous task are left in place until the new task first touches the FPU. Malware or malicious users can take advantage of the vulnerability to grab encryption keys held in those registers. Linux kernels from version 4.9 upwards, as well as modern versions of Windows and Windows Server, are not affected.
For Red Hat Enterprise Linux users, the vulnerability has been assigned a Moderate rating. The organization explains: "Red Hat has been made aware of an issue where operating systems and virtual machines running on common modern (x86) microprocessors may elect to use 'lazy restore' for floating point state when context switching between application processes instead of 'eagerly' saving and restoring this state. Exploitation of lazy floating point restore could allow an attacker to obtain information about the activity of other applications, including encryption operations. The underlying vulnerability affects CPU speculative execution similar to other recent side channel vulnerabilities. In this latest vulnerability, one process is able to read the floating point registers of other processes being lazily restored. This issue has been given CVE-2018-3665. Red Hat Product Security has rated this update as having a security impact of Moderate."
Jon Masters, a computer architect at Red Hat, says:
CVE-2018-3665, also known as Floating Point Lazy State Save/Restore, is another speculative execution vulnerability that affects some commonly deployed modern microprocessors. Red Hat is collaborating with our industry partners on optimized mitigation patches, which will be available via our normal software release mechanism. Red Hat is also providing guidance to our customers about shorter term mitigation options. We continue to work closely with our peers and security researchers, encouraging all organizations to follow the industry practice of coordinated disclosure.
Red Hat Enterprise Linux users can take a look at this Knowledge Base Article for help and advice.
The Register explains that Windows Server 2008 is one of the operating systems that needs to be patched. The site also explains that Intel had been planning to go public with the vulnerability later this month, but its plans changed when the OpenBSD and DragonFly BSD projects decided to publish details of their own patches. In a statement given to The Register, Intel said:
This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks.
We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.
The chip-maker has also assigned the vulnerability a Moderate rating, and in security advisory INTEL-SA-00145 the company makes the following recommendation:
If an XSAVE-enabled feature is disabled, then we recommend either its state component bitmap in the extended control register (XCR0) is set to 0 (e.g. XCR0[bit 2]=0 for AVX, XCR0[bits 7:5]=0 for AVX512) or the corresponding register states of the feature should be cleared prior to being disabled. Also for relevant states (e.g. x87, SSE, AVX, etc.), Intel recommends system software developers utilize Eager FP state restore in lieu of Lazy FP state restore.
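The practical question for a Linux administrator is whether a given host still uses lazy FPU restore. The following POSIX shell check is an added example, not code from the article, Red Hat or Intel: it classifies a host from its kernel release, kernel command line and CPU flags, using the article's "4.9 and later are eager" rule, the real `eagerfpu=` boot parameter of older kernels, and one assumption labelled in the code: that kernels from 3.7 up to 4.8 default to eager restore only when the CPU advertises `xsaveopt`.

```shell
# Classify a Linux host's FPU context-switch strategy.
# Arguments: kernel release string, kernel command line, CPU flags line.
# Prints one of: eager | lazy | unknown
fpu_restore_mode() {
  release=$1 cmdline=$2 cpuflags=$3
  major=${release%%.*}
  case $release in
    *.*) rest=${release#*.} ;;
    *)   rest=0 ;;
  esac
  minor=${rest%%.*}
  minor=${minor%%[!0-9]*}          # drop suffixes such as "-generic"
  case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  case $minor in ''|*[!0-9]*) minor=0 ;; esac

  # The article: kernels 4.9 and later no longer implement lazy restore.
  if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; }; then
    echo eager; return 0
  fi

  # Older kernels honour an explicit eagerfpu= boot parameter.
  case " $cmdline " in
    *" eagerfpu=on "*)  echo eager; return 0 ;;
    *" eagerfpu=off "*) echo lazy;  return 0 ;;
  esac

  # ASSUMPTION (not from the article): kernels before 3.7 are always lazy;
  # 3.7..4.8 default to eager restore only when the CPU supports xsaveopt.
  if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 7 ]; }; then
    echo lazy; return 0
  fi
  case " $cpuflags " in
    *" xsaveopt "*) echo eager ;;
    *)              echo lazy ;;
  esac
}

# Run the classification against the current host (Linux only).
check_this_host() {
  flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
  fpu_restore_mode "$(uname -r)" "$(cat /proc/cmdline 2>/dev/null)" "$flags"
}
```

A result of `lazy` means the host depends on a vendor kernel update or on the `eagerfpu=on` boot parameter until it is rebooted into a fixed kernel.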