Tag Archives: Intel

Mitigating the Intel SWAPGS Vulnerability

====================
TL DR
This is medium severity information disclosure vulnerability. An attacker must already have compromised a system to exploit it. Patches from Red Hat, Google and Microsoft are available. Apple hardware does not appear to be affected.
====================

If we look back 2 weeks we saw the disclosure of a vulnerability relating to VideoLAN VLC being performed incorrectly. This week there is an example of how responsible disclosure should be carried out and demonstrates it can work very well.

Red Hat Linux, Google and Microsoft have all issued patches for a newly discovered variant of the original Spectre v1 vulnerability (initially disclosed in January 2018).

The performance impact of the updates is described in the Red Hat advisory in more detail:

====================
The fix for this CVE has shown to cause a minimal performance impact. The impact will be felt more in applications with high rates of user-kernel-user space transitions. For example, in system calls, NMIs, and kernel interrupts.

Early benchmarks for this mitigation show approximately 1% performance penalty:

https://www.phoronix.com/scan.php?page=article&item=swapgs-spectre-impact&num=1
====================

How does this vulnerability work?
When building a memory address to access computer make use of segment registers (CS, DS, SS, ES, FS, GS). The FS and GS registers are used when the CPU (defined) is in 64-bit mode. The SWAPGS instruction is used on 64-bit entry into kernel code to swap the current user space value of GS with the value intended to be used during kernel operations. GS is used to access kernel data, but it does not validate the values it uses. There are checks during instruction execution to check if a swap to kernel mode is necessary. It is possible for the speculative execution process (attempting to look ahead to improve performance) to mis-judge if a swap is necessary  resulting in a small window of time where the wrong GS is used for memory access leading to disclosure of privileged information.

How can I protect my organisation and myself from this vulnerability?
Earlier this week Red Hat and Google released updates to resolve this vulnerability. Microsoft issued their update silently on 9th July:

Red Hat Linux
https://access.redhat.com/articles/4329821

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=18ec54fdd6d18d92025af097cd042a75cf0ea24c

Google Chrome OS
https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/1739575

Microsoft Windows
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1125

Thank you.

Intel VISA Vulnerabilities Explained

In late March; security researchers published new research concerning a previously undocumented debugging feature of Intel motherboards and CPUs known as VISA (Visualization of Internal Signals Architecture).

TL DR: If your system is affected (please see the advisory); please ensure that you have applied the fixes from Intel’s advisory. Please only allow trusted individuals to physical access your systems e.g. servers and workstations: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html

What is this technology?
VISA (Visualization of Internal Signals Architecture) is a logic signal analyser within the Platform Controller Hub (PCH) of motherboards since the release of the 5-Series Chipsets (November 2008 onwards). This can be used for debugging purposes during manufacturing and is disabled by default.

This feature allows for the real-time monitoring of internal data and address lines as well as other buses within the motherboard.

What is the risk of having this technology within my motherboard?
While the researchers demonstrated 3 methods of exploiting these vulnerabilities:

  • Previous known high severity buffers overflows and privilege escalation flaws within the Intel Management Engine (ME) patched by Intel in 2017
  • Use of the Intel JTAG password
  • Fault injection technique into Intel Management Engine firmware read-only memory (ROM)

If you have already patched the first means of using the VISA technology an attacker would require physical access to your system in order to exploit the remaining 2 methods. Thus the residual risk would be low.

As per Microsoft’s Immutable Laws of Security (the official link seems to have been removed); if an attacker has physical access to a computer system; it can’t be considered your system anymore since the avenues of attack now open to them are large and little can be done to avoid this.

How can I can protect my organisation or system from mis-use of this debugging feature?
Check your systems using the downloadable tool from Intel to check if your system is vulnerable to the known issues from 2017.

If so, please contact the manufacturer of your system or motherboard to obtain the most appropriate firmware updates for your system. You can provide them a link to Intel’s security advisory for further details.

Please only allow authorised and trusted individuals physical access to your systems. Be security aware by knowing that attackers can socially engineer you into providing physical access to a system by impersonating your internal IT support or Security staff. Please check that such individuals work for or on behalf of your company before allowing them access.

Personally; my Asus ROG Rampage VI Apex system has received 3 Intel ME firmware updates to address security vulnerabilities first identified in 2017. Intel’s tool linked to above shows my system as not vulnerable to the issues listed within it’s advisory.

Thank you.

Responding to the Intel Spoiler Vulnerability

====================
Updated: 20th March 2019
====================
TL DR:
The Intel Spoiler vulnerability is not as bad as predicted. Software developers should continue to use safer code development practices.

====================
After the disclosure earlier this month of this vulnerability Intel have provided further information on how it affects their microprocessors. They have clarified that the Spoiler exploit by itself does not reveal secret data and is not a speculative execution side channel method:

Other good news is that existing mitigations such as KPTI (kernel page table isolation) reduce the risk of leaking data across privilege levels. They again confirmed that side channel safe software development practices such as “ensuring execution time and control flows are identical regardless of secret data” will mitigate classic side channel methods enabled by the Spoiler exploit. Furthermore, they confirmed memory modules which are already mitigated against Rowhammer attacks remain protected against the Spoiler exploit.

Lastly AMD provided formal confirmation that their microprocessors are not vulnerable after preliminary findings suggested they weren’t vulnerable. AMD’s statement is available from this link.

Thank you.

====================
Original Post:
====================
Earlier this month a new vulnerability was disclosed in a research paper titled “Spoiler: Speculative load hazards boost Rowhammer and cache attacks”.

TL DR: Mitigating this newly disclosed vulnerability is the job of software developers to work around using safer code development practices. Mitigating this issue in hardware will take longer since current measures cause too much of a performance penalty.

Why should this vulnerability be considered important?
Using this new method; attackers are likely to find existing cache and memory Rowhammer attacks easier to carry out. In addition, JavaScript (defined) attacks which can take long periods of time may be shortened to mere seconds. The paper contains a cache prime and probe technique to leak sensitive data using JavaScript.

This Spoiler vulnerability can be used by attackers (who MUST have already compromised your system) to extract sensitive information from the systems memory (RAM). An attack does not require elevated privileges.

What CPUs (microprocessors / computer chips) are affected?
This vulnerability affects Intel processors only; first generation Intel Core (from early 2006) and later are affected. ARM and AMD processors are not affected. Any system with an Intel Core processor is affected regardless of the operating they are using namely Linux, Unix, Apple macOS and Windows can be all affected.

How does this vulnerability achieve the above results?
The security researchers who authored the paper found a vulnerability in the memory order buffer that can be used to gradually reveal information about the mappings of physical memory to non-privileged software processes (in other words; applications). This technique also affects virtual machine (VM) and sandboxed (defined) environments.

The technique works by understanding the relationship between virtual and physical memory by timing the speculative load and store operations to these areas while looking out for discrepancies which disclose the memory layout to you. With this information an attacker knows where to focus their efforts.

Intel’s proprietary implementation of the memory subsystem (memory disambiguation) is the root cause of the vulnerability. When a physical address conflict (the address/area is already in use) occurs, the algorithm leaks the access timings. The algorithm in the researcher’s words works as follows “Our algorithm, fills up the store buffer within the processors with addresses that have the same offset but they are in different virtual pages. Then, we issue a memory load that has the same offset similarly but from a different memory page and measure the time of the load. By iterating over a good number of virtual pages, the timing reveals information about the dependency resolution failures in multiple stages.”

How can this vulnerability be mitigated/patched?
This vulnerability lies within the memory disambiguation algorithm which won’t be trivial to resolve anytime soon. Since this vulnerability is not related to last years Spectre vulnerability; mitigations for that vulnerability don’t help here. Current Spoiler mitigations have too much of performance penalty. At this time, Intel has issued the following statement:

“Intel received notice of this research, and we expect that software can be protected against such issues by employing side channel safe development practices. This includes avoiding control flows that are dependent on the data of interest. We likewise expect that DRAM modules mitigated against Rowhammer style attacks remain protected. Protecting our customers and their data continues to be a critical priority for us and we appreciate the efforts of the security community for their ongoing research.”

The side channel safe development practices are linked to below:

Software Guidance for Security Advisories

Addressing Hardware Vulnerabilities

Thank you.

January 2019 Update Summary

====================
Updated: 9th January 2019
====================
Happy New Year to all of my readers. Thanks very much.

Today Microsoft made available monthly updates resolving 47 vulnerabilities (more formally known as CVEs (defined)) respectively. Further details are available from Microsoft’s monthly summary page.

Separately Adobe released out of band (unscheduled) updates last week for Acrobat 2017 and Acrobat DC/Acrobat DC. These updates address 2x critical CVEs.

Other updates released today are as follows:
Adobe Connect: 1x priority 3 CVE resolved
Adobe Digital Editions: 1x priority 3 CVE resolved
Adobe Flash Player: reliability/performance update only

While the Flash Player update is a non-security update it’s likely Adobe chose to release it via the usual channels since it’s what people are familiar with and it helps to get updates out sooner.

Similar to last month; Microsoft’s updates come with a long list of Known Issues that will be resolved in future updates. They are listed below for your reference:

KB4468742
KB4471389
KB4480116
KB4480961
KB4480962
KB4480963
KB4480966
KB4480970
KB4480973
KB4480975
KB4480978

You can monitor the availability of security updates for most your software from the following websites (among others) or use one of the utilities presented on this page:

====================
US Computer Emergency Readiness Team (CERT) (please see the “Information on Security Updates” heading of the “Protecting Your PC” page):

https://www.us-cert.gov/

A further useful source of update related information is the Calendar of Updates.

News/announcements of updates in the categories of General SoftwareSecurity Software and Utilities are available on their website. The news/announcements are very timely and (almost always) contain useful direct download links as well as the changes/improvements made by those updates (where possible).

If you like and use it, please also consider supporting that entirely volunteer run website by donating.

====================
For this month’s Microsoft updates, I will prioritize the order of installation below:
====================
Windows DHCP Client (Further details here)

Microsoft Edge and Internet Explorer (multiple versions of Edge and IE affected)(please also remember last months’s Internet Explorer update).

Microsoft Hyper-V (CVE-2019-0550 and CVE-2019-0551)

Microsoft Exchange (CVE-2019-0586)(Further details here)
====================
Please install the remaining updates at your earliest convenience.

As usual; I would recommend backing up the data on any device for which you are installing updates to prevent data loss in the rare event that any update causes unexpected issues. I have provided further details of updates available for other commonly used applications below.

Please find below summaries of other notable updates released this month.

Thank you.

====================
Intel Security Advisories:
====================
Intel have released a series of security advisories so far this month. Of highest priority is the advisory for their Intel PROSet/Wireless WiFi Software to resolve a high severity CVSS Base Score 7.8 vulnerability. The security advisory affects many of their WiFi adapters.

Further important updates for their System Support Utility and Intel SGX SDK and Intel SGX Platform Software were also made available. Meanwhile lower severity issues were addressed in Intel’s SSD data-center tool for Windows, Intel NUC Firmware and Intel Optane SSD DC P4800:

If you use any of the affected software or products, please update them as soon as possible especially in the case of the PROSet/Wireless WiFi Software.

=======================
Mozilla Firefox
=======================
In the final week of January; Mozilla made available Firefox 65 and Firefox ESR (Extended Support Release) 60.5:

Firefox 65: Resolves 3x critical, 2x high and 2x moderate CVEs (defined)

Firefox 60.5: Resolves 2x critical and 1x high CVEs

Details of how to install updates for Firefox are here. If Firefox is your web browser of choice, if you have not already done so, please update it as soon as possible to benefit from the most recent improvements by Mozilla.

=======================
Wireshark 2.4.12 and 2.6.6
=======================
v2.4.12: 6 security advisories

v2.6.6: 4 security advisories

As per standard process Linux distributions can obtain this update using the operating systems standard package manager (if the latest version is not installed automatically using the package manager you can instead compile the source code (v2.6.6 or v2.4.12). This forum thread and this forum thread may also be helpful to you with installing Wireshark on your Linux based system.

For Mac OS X and Windows, the update is available within the downloads section of the Wireshark website. In addition, a detailed FAQ for Wireshark is available here.

Thank you.

Oracle VirtualBox Zero Day Disclosed

In early November a security researcher publicly disclosed (defined) a zero day (defined) vulnerability within Oracle’s VirtualBox virtualisation software.

How severe is this vulnerability?
In summary; this vulnerability is serious but it could have been worse. In order to exploit it, an attacker would first need to have obtained elevated privileges on your system; root (defined) in the case of Linux and administrator (defined) in the case of Windows. Using this privilege the attacker can leverage the exploit to escape from the confines of the virtual machine (VM)(defined) into the system which hosts the virtual machine (in other words; the system which houses the virtual machine within its physical infrastructure). Once outside of the virtual machine the attacker must then elevate their privileges again since breaking out of the VM only gives them user level/standard privileges and not elevated privileges in the physical system. Thus the attacker would then need to use a separate exploit for another vulnerability (not related to this VirtualBox flaw) to elevate their privileges again to become root/admin within the physical system.

Obviously; the consequences of exploiting this vulnerability on a shared service/cloud infrastructure system would be more serious since multiple users would be affected all at once and the further exploitation of the resulting host systems could potentially provide the attacker with control over all the virtual machines.

How can an attacker exploit this vulnerability?
VirtualBox makes use of the Intel Pro/1000 MT Desktop (82540EM) network adapter to provide an internet connection to the virtual machines it manages. The attacker must first turn off this adapter in the guest (virtualised) operating system. Once complete they can then load a custom Linux kernel module (LKM)(defined) (this does not require a reboot of the system). That custom LKM contains the exploit derived from the technical write up provided. That new LKM loads its own custom version of the Intel network adapter. Next the LKM exploits a buffer overflow (defined) vulnerability within the virtualised adapter to escape the guest operating system. The attack must then unload the custom LKM to re-enable the real Intel adapter to resume their access to the internet.

How can I protect myself from this vulnerability?
While this is a complex vulnerability to exploit (an attacker would need to chain exploits together in order to elevate their privilege on the host system after escaping the VM), the source code needed to do so is available in full from the researcher’s disclosure; increasing the risk of it being used by attackers.

At the time of writing; this vulnerability has not yet been patched by VirtualBox. It affects versions 5.2.20 and earlier when installed on Ubuntu version 16.04 and 18.04 x86-64 guests (Windows is believed to be affected too). While a patch is pending; you can change the network card type to PCnet or Para virtualised Network. If this isn’t an option available or convenient for you; you can an alternative to the NAT mode of operation for the network card.

Thank you.

Retpoline To Improve Windows 10 Performance Following Spectre Vulnerability

Alex Ionescu, a Windows Internals expert and Security Architect with CrowdStrike in mid-October provided new insight into performance improvements coming to the next update of Windows, namely 19H1 or Version 1903:

With performance decreases estimated to be up to 30% in the worst-case scenarios while mitigating the Spectre vulnerabilities earlier this year; the upcoming version of Windows will add Google’s Retpoline instructions to improve performance:

Such instructions are already present in Red Hat, SUSE and Oracle Linux 6 and 7. Ionescu revealed that performance was significantly improved while trusting the newer version of Windows 10. Moreover; Spectre variant 2 (CVE-2017-5715) will now be fully mitigated even if your hardware was not updated to support indirect branch restricted speculation (IBRS); making it more secure. In his words “On systems without IBRS, Windows won’t flush the BPB on kernel->user transitions. This opens up a potential security issue for CPUs without microcode that implements IBRS”.

He also confirmed that Retpoline is enabled on systems with indirect branch prediction barrier (IBPB). This will protect such systems from kernel to user transitions where currently no protection exists. Finally he asked that Retpoline be back ported earlier (but currently supported) versions of Windows since systems without IBRS are “sitting ducks”:

These changes were also announced by a Microsoft engineer, Mehmet Iyigun working within the Windows and Azure kernel team.

In April 2019 we can look forward to a more secure and faster version of Windows. I’m particularly pleased to learn this since my water cooled Intel processor; an 18 core (36 thread) Core i9 7980XE has received full protection from Spectre in the form of IBRS and IBPB from the motherboard vendor. Performance impact has been minimal but any increase in performance is welcomed for my donations to Stanford’s Folding@Home project.

More info on IBRS and IBPB is available from this link. Thank you.

APT28 Group Distributes First in the Wild UEFI Rootkit

=======================
Update: 6th February 2019
=======================
In mid-January, the IT news website; The Register provided details of an analysis of this threat from the security firm Netscout. They concluded that they believe the malware utilising the UEFI rootkit began as long as 2 years ago:

In addition; the command and control (C2) (defined) infrastructure originating from this threat remains operational but has reduced from 7 servers to 2. The attackers also have further servers and reserved IP addresses ready to use should they need to.

Thank you.

=======================
Original Post:
=======================
In late September; researchers from the security/anti-malware firm Eset discovered the first UEFI (defined) rootkit (defined) being used in the wild (namely being present on computing devices used by the general public in their professional and personal lives).

The APT group known as APT28 (who we discussed before on this blog) has been named as being responsible for this advanced threat being distributed to victim systems located in the Central Europe, Eastern Europe and the Balkans.

Why should this threat be considered important?
While this threat is so far limited to targeting systems in Central Europe, Eastern Europe and the Balkans; it has the potential to set a precedent to dramatically increase the persistence of malware on selected systems. This is due to the fact that to save time malware removal usually involves re-installing the operating system. More advanced users may choose to re-create the MBR/GPT, replace the boot sector and rebuild the BCD. Even more informed users may replace the hard disk to remove the malware. This new threat is significant since all of these steps would not remove it.

Eset researchers discovered that the LoJack anti-theft software which was installed compromised systems was being leveraged to start the attacker’s malware instead by using the Windows registry (defined) to load files with very similar names to that of the legitimate LoJack software. They also located a kernel (defined) driver (defined) being used to write the systems firmware when required. Since this tool was a legitimate tool; it has a valid digital signature. This is significant; otherwise the attacker’s tool would not have worked on a 64 bit Windows system. Should attempts to write to the firmware fail, the malware uses a 4 year old vulnerability CVE-2014-8273 (a race condition (defined)) to bypass the write lock.

Once the firmware has been updated it replaces the original LoJack software files with hijacked versions designed to enable further persistence on the compromised systems, namely a backdoor (defined).

How can I protect myself against this threat?
While it is less likely a threat of this sophistication will become widespread; the steps below will help to defend you against this and similar threats in the future. How this threat establishes an initial foothold on a system was inconclusive by Eset. However exercising caution on the links you click in emails, IMs and social networking should provide some form of prevention. Keeping your system up to date should also prevent a drive by download (defined). However I will detail more specific defensive steps below:

Eset determined that this threat can be prevented from affecting a system by enabling the Secure Boot hardware security feature (if your system has this feature available; most systems manufactured from 2012 onwards do). Any system with a certified Windows 8 or Windows 10 badge on the outside will have Secure Boot enabled with no action required from you. Secure Boot works even better when paired with Intel BootGuard (corporate users are more likely to use/enable this feature).

If the rootkit had affected the system described above it would have then refused to boot due to Secure Boot being enabled. It’s important to clarify that Secure Boot won’t prevent the infection/tampering but it will prevent that tampering from starting the system for use as normal.

Secure Boot was added to Windows 8.0 in 2012 to prevent unsigned components (e.g. rootkits) from affecting a system so early in the boot process that anti-malware software would be unable to detect or prevent that component from obtaining a privileged level of access over the system.

=====

Keeping the UEFI firmware of your system up to date will assist with resolving known vulnerabilities within the firmware. Patching known firmware vulnerabilities makes your system less vulnerable to low level attacks such as this. Please only install UEFI firmware updates from your system vendor. Check the vendor’s website or contact them to determine if you need a UEFI firmware update and how to install it. If possible/available verify the checksum (defined) of the file you download matches the vendors provided checksum. I use the word available above since not all vendors provide checksums of the firmware updates they distribute which would allow you to verify them.

More recent Intel motherboards (defined) are not vulnerable to the race condition by Eset in their paper (more details available here). These modern chipsets feature a Platform Controller Hub (present in Intel’s Series 5 chipsets and later (available circa 2010 onwards).

If you know of a system affected with such a low level threat you may be able to update the UEFI firmware with a known safe version from the vendor but this is not guaranteed to work. Replacing the hardware will be a more reliable alternative.

Thank you.