New Spectre 1.1 and Spectre 1.2 CPU vulnerabilities exposed
It seems that the Spectre and Meltdown vulnerabilities saga is never-ending, and now there are two new related CPU flaws to add to the mix. Dubbed Spectre 1.1 and Spectre 1.2, the vulnerabilities (CVE-2018-3693) exploit speculative execution and can modify data and bypass sandboxes.
Two security researchers have disclosed details of the new vulnerabilities, both of which have the potential to leak sensitive data. By tinkering with the speculative execution processes of Intel and ARM CPUs, it would be possible to use malicious code to extract information such as passwords and crypto keys.
The researchers -- Vladimir Kiriansky and Carl Waldspurger -- say that Spectre 1.1 creates buffer overflows using speculative stores. The pair explain: "Much like classic buffer overflows, speculative out-of-bounds stores can modify data and code pointers. Data-value attacks can bypass some Spectre-v1 mitigations, either directly or by redirecting control flow. Control-flow attacks enable arbitrary speculative code execution, which can bypass fence instructions and all other software mitigations for previous speculative-execution attacks. It is easy to construct return-oriented-programming (ROP) gadgets that can be used to build alternative attack payloads".
As if one new variant of Spectre was not enough, they go on to say:
We also present Spectre1.2: on CPUs that do not enforce read/write protections, speculative stores can overwrite read-only data and code pointers to breach sandboxes.
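To make the mechanism concrete, here is an added example in C (written for this article, not code from the Kiriansky and Waldspurger paper or from Intel): the bounds-checked store pattern that Spectre 1.1 targets, beside a hardened version that clamps the index with a branch-free mask modelled on the generic C fallback of the Linux kernel's array_index_mask_nospec(), so that even a mispredicted bounds check cannot produce an out-of-bounds speculative store. The helper names and the 16-byte buffer are assumptions of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration for this article; not code from the paper or from Intel.
 * Spectre 1.1 targets a bounds-checked store: the branch predictor assumes
 * "in bounds", so c[y] = z can execute speculatively even when y >= len,
 * transiently overwriting whatever sits past the buffer (data or code
 * pointers included) before the CPU discards the mispredicted path. */

#define BUF_LEN 16                 /* assumed buffer size for the example */
static uint8_t c[BUF_LEN];

/* Pattern at risk: the only guard on the store is a predictable branch. */
void store_checked(size_t y, uint8_t z, size_t len)
{
    if (y < len)
        c[y] = z;                  /* may run speculatively with y >= len */
}

/* Branch-free index clamp, modelled on the generic C fallback of the Linux
 * kernel's array_index_mask_nospec(): all-ones when index < size, zero
 * otherwise. The value is derived arithmetically rather than from the
 * branch outcome, so a mispredicted bounds check cannot make it "in bounds"
 * speculatively. Assumes index and size both have their top bit clear.
 * (The kernel's x86 build uses inline asm here so the compiler cannot turn
 * the mask back into a branch; an lfence after the check is the other
 * standard mitigation.) */
static inline size_t index_mask_nospec(size_t index, size_t size)
{
    size_t wrapped = index - size;                 /* wraps when index < size */
    size_t top_bit = wrapped >> (sizeof(size_t) * CHAR_BIT - 1);
    return (size_t)0 - top_bit;                    /* 0 -> 0, 1 -> all ones */
}

/* Hardened store: returns 1 when the write is done, 0 when y is rejected.
 * On a mispredicted path y is forced to 0, so the transient store stays
 * inside the buffer instead of landing on a neighbouring pointer. */
int store_hardened(size_t y, uint8_t z, size_t len)
{
    if (y < len) {
        y &= index_mask_nospec(y, len);
        c[y] = z;
        return 1;
    }
    return 0;
}

uint8_t read_buf(size_t i) { return c[i]; }
```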
Over on the National Vulnerability Database, the two vulnerabilities, tracked under the single identifier CVE-2018-3693, have been rated as medium risk, largely because of the difficulty of getting the necessary malicious code onto a potential victim's PC.
Kiriansky and Waldspurger have published their findings in a paper, and while they do not specify which CPUs are vulnerable, both ARM and Intel have already said that their chips are affected. AMD has said nothing about its processors yet, but as they were vulnerable to previous variants of Spectre, it is likely to be the same here.
Intel has published a white paper that goes into some detail about the exploits.