Vulnerability Note VU#180049
CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks
CPU hardware utilizing speculative execution may be vulnerable to cache timing side-channel analysis. Two vulnerabilities are identified, known as "Variant 3a" and "Variant 4".
Speculative execution is a technique used by many modern processors to improve performance by predicting which instructions may be executed based on past execution history. An attacker with local user access may be able to utilize sequences of speculative execution to perform a cache timing side-channel analysis.
CWE-208: Information Exposure Through Timing Discrepancy
CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as "Variant 4"
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may read an earlier value of the data. Subsequent speculative memory accesses cause allocations into the cache, which may allow a sequence of speculative loads to be used to perform timing side-channel attacks. In particular, if an attacker has control of a previously cached value, or the first store and load instructions are accesses onto the stack, an attacker may be able to control future speculative execution and access arbitrary privileged data by using less privileged code with timing side-channel analysis.
CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as "Variant 3a"
Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may return a speculative register value that is then used in subsequent speculative load instructions. These subsequence speculative loads cause allocations into the cache that may allow a sequence of speculative loads to be used to perform timing side-channel attacks. An attacker with local user access may be able to use timing side-channel analysis to determine the values stored in system registers.
For more information and technical details, please see the original Project Zero bug report, Intel's security advisory INTEL-SA-00115, AMD's whitepaper, and ARM's whitepaper.
These vulnerabilities have been noted in the media for their similarity to previously-disclosed vulnerabilities: CVE-2017-5753 (Variant 1, "Spectre"), CVE-2017-5715 (Variant 2, "Spectre"), CVE-2017-5754 (Variant 3, "Meltdown"). See VU#584653 for further information.
An attacker with local user access may be able to read arbitrary privileged data or system register values by utilizing cache timing side-channel analysis.
Update system software
Affected users should check with OEM and system software vendors and apply any available updates as soon as possible. Microcode updates and other system updates are expected to be available within the coming weeks. The Vendor Status links below provide further information.
Update your browser
Affected users should update to the latest version of any web browser in use. Most leading browser providers have recently deployed mitigations in their Managed Runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.
Vendor Information (Learn More)
If you are a vendor and your product is affected, let
us know.View More »
|Vendor||Status||Date Notified||Date Updated|
|AMD||Affected||04 May 2018||23 May 2018|
|Apple||Affected||04 May 2018||05 Jun 2018|
|ARM Limited||Affected||-||14 Jun 2018|
|Cisco||Affected||21 May 2018||22 May 2018|
|Dell||Affected||21 May 2018||21 May 2018|
|Dell EMC||Affected||21 May 2018||21 May 2018|
|Fortinet, Inc.||Affected||21 May 2018||24 May 2018|
|Hitachi||Affected||21 May 2018||05 Jun 2018|
|HP Inc.||Affected||21 May 2018||24 May 2018|
|IBM, INC.||Affected||21 May 2018||21 May 2018|
|Intel||Affected||04 May 2018||21 May 2018|
|Microsoft||Affected||04 May 2018||21 May 2018|
|QUALCOMM Incorporated||Affected||21 May 2018||21 May 2018|
|Red Hat, Inc.||Affected||04 May 2018||22 May 2018|
|SUSE Linux||Affected||21 May 2018||22 May 2018|
Intel would like to acknowledge and thank Jann Horn of Google Project Zero (GPZ) and Ken Johnson of the Microsoft Security Response Center (MSRC) for independently reporting CVE-2018-3639.
Intel would like to acknowledge and thank Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (
) for reporting CVE-2018-3640. Intel would also like to acknowledge and thank Innokentiy Sennovskiy from BiZone LLC (bi.zone).
This document was written by Garret Wassermann.
If you have feedback, comments, or additional information about this vulnerability, please send us email.