Vulnerability Note VU#180049

CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks

Original Release date: 21 May 2018 | Last revised: 19 Jun 2018

Overview

CPU hardware utilizing speculative execution may be vulnerable to cache timing side-channel analysis. Two vulnerabilities are identified, known as "Variant 3a" and "Variant 4".

Description

Speculative execution is a technique used by many modern processors to improve performance by predicting which instructions may be executed based on past execution history. An attacker with local user access may be able to utilize sequences of speculative execution to perform a cache timing side-channel analysis.

CWE-208: Information Exposure Through Timing Discrepancy

CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as "Variant 4"

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may read an earlier value of the data. Subsequent speculative memory accesses cause allocations into the cache, which may allow a sequence of speculative loads to be used to perform timing side-channel attacks. In particular, if an attacker has control of a previously cached value, or the first store and load instructions are accesses onto the stack, an attacker may be able to control future speculative execution and access arbitrary privileged data by using less privileged code with timing side-channel analysis.

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as "Variant 3a"

Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may return a speculative register value that is then used in subsequent speculative load instructions. These subsequent speculative loads cause allocations into the cache that may allow a sequence of speculative loads to be used to perform timing side-channel attacks. An attacker with local user access may be able to use timing side-channel analysis to determine the values stored in system registers.

For more information and technical details, please see the original Project Zero bug report, Intel's security advisory INTEL-SA-00115, AMD's whitepaper, and ARM's whitepaper.

These vulnerabilities have been noted in the media for their similarity to previously-disclosed vulnerabilities: CVE-2017-5753 (Variant 1, "Spectre"), CVE-2017-5715 (Variant 2, "Spectre"), CVE-2017-5754 (Variant 3, "Meltdown"). See VU#584653 for further information.

Impact

An attacker with local user access may be able to read arbitrary privileged data or system register values by utilizing cache timing side-channel analysis.

Solution

Update system software

Affected users should check with OEM and system software vendors and apply any available updates as soon as possible. Microcode updates and other system updates are expected to be available within the coming weeks. The Vendor Status links below provide further information.
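One way to confirm on a Linux host that the kernel and microcode updates for CVE-2018-3639 took effect, as an added example that is not part of the original note. It assumes the kernel's sysfs vulnerability report and the x86 `ssbd` CPU flag; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): read the Linux kernel's own report
# for CVE-2018-3639. Paths are the standard Linux locations; function names
# are illustrative.
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb [FILE] prints: not-affected | mitigated | mitigated-opt-in |
# vulnerable | no-report | unrecognized
classify_ssb() {
    file=${1:-$SSB_SYSFS}
    if [ ! -r "$file" ]; then
        echo no-report        # kernel does not report SSB state at all
        return 0
    fi
    status=$(head -n 1 "$file")
    case $status in
        "Not affected"*)            echo not-affected ;;
        "Vulnerable"*)              echo vulnerable ;;
        # "via prctl [and seccomp]": only processes that opt in are protected
        "Mitigation:"*"via prctl"*) echo mitigated-opt-in ;;
        "Mitigation:"*)             echo mitigated ;;
        *)                          echo unrecognized ;;
    esac
}

# has_ssbd [CPUINFO] succeeds if the x86 "ssbd" flag is exposed
has_ssbd() {
    grep -m1 '^flags' "${1:-/proc/cpuinfo}" | grep -qw ssbd
}

# ssb_report [SYSFS_FILE] [CPUINFO] prints a one-line finding
ssb_report() {
    state=$(classify_ssb "$1")
    case $state in
        vulnerable)
            if has_ssbd "$2"; then
                echo "vulnerable: SSBD present but disabled, review kernel boot options"
            else
                echo "vulnerable: no SSBD flag, microcode or firmware update needed"
            fi ;;
        no-report) echo "no-report: kernel predates SSB reporting, update the kernel" ;;
        *)         echo "$state" ;;
    esac
}

ssb_report
```

A result of `mitigated-opt-in` means the store-bypass disable is applied only to processes that request it (or run under seccomp), so other local workloads keep the default behaviour.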

Update your browser

Affected users should update to the latest version of any web browser in use. Most leading browser providers have recently deployed mitigations in their Managed Runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.

Vendor Information

Vendor | Status | Date Notified | Date Updated
AMD | Affected | 04 May 2018 | 23 May 2018
Apple | Affected | 04 May 2018 | 05 Jun 2018
ARM Limited | Affected | - | 14 Jun 2018
Cisco | Affected | 21 May 2018 | 22 May 2018
Dell | Affected | 21 May 2018 | 21 May 2018
Dell EMC | Affected | 21 May 2018 | 21 May 2018
Fortinet, Inc. | Affected | 21 May 2018 | 24 May 2018
Hitachi | Affected | 21 May 2018 | 05 Jun 2018
HP Inc. | Affected | 21 May 2018 | 24 May 2018
IBM, INC. | Affected | 21 May 2018 | 21 May 2018
Intel | Affected | 04 May 2018 | 21 May 2018
Microsoft | Affected | 04 May 2018 | 21 May 2018
QUALCOMM Incorporated | Affected | 21 May 2018 | 21 May 2018
Red Hat, Inc. | Affected | 04 May 2018 | 22 May 2018
SUSE Linux | Affected | 21 May 2018 | 22 May 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
Base | 4.4 | AV:L/AC:M/Au:S/C:C/I:N/A:N
Temporal | 3.4 | E:POC/RL:OF/RC:C
Environmental | 3.4 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

Intel would like to acknowledge and thank Jann Horn of Google Project Zero (GPZ) and Ken Johnson of the Microsoft Security Response Center (MSRC) for independently reporting CVE-2018-3639.

Intel would like to acknowledge and thank Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (https://sysgo.com) for reporting CVE-2018-3640. Intel would also like to acknowledge and thank Innokentiy Sennovskiy from BiZone LLC (bi.zone).

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2018-3639 CVE-2018-3640
  • US-CERT Alert: TA18-141A
  • Date Public: 21 May 2018
  • Date First Published: 21 May 2018
  • Date Last Updated: 19 Jun 2018
  • Document Revision: 95
