Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

  • Twitter
  • Facebook
  • LinkedIn

5W1H: Speculative Side Channel Vulnerabilities De-mystified

5W1H: Speculative Side Channel Vulnerabilities De-mystified

The classes of vulnerabilities that brought us Meltdown and Spectre are not going away anytime soon. Here’s what you need to know about Speculative Execution vulnerabilities, with our guidance on steps you can take to reduce your risk.

Spectre and Meltdown generated a lot of confusion and discussion in the security world when they first hit the news. Understanding the risks associated with speculative execution vulnerabilities will help organizations prioritize and communicate effectively about their exposure. In this post, we present what it is known, how it affects companies and ways to stay ahead in the game.

Start from the beginning…

Speculative Execution is a technique used to enhance processor performance by anticipating which instructions will be required in advance. According to Intel, this helps minimize latency and extract greater parallelism, thereby leading to performance gains.The boost in performance comes with a tradeoff: results will be discarded if they are not needed. The technique is used by various microprocessor vendors including Intel, AMD and ARM.

While academic papers dating back to 1985 have covered theoretical attacks on CPU caches and translation lookaside buffers (TLBs), rumors about the existence of vulnerabilities in the wild that leveraged Speculative Execution began surfacing in late 2017. However, the real saga began publicly on January 3, 2018 when a blog post from Google’s Project Zero Initiative detailed their findings. Spectre and Meltdown were unleashed to the public just as people were coming back from their New Year holiday. The reports included three variants of the vulnerabilities: CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2) for Spectre and CVE-2017-5754 (Variant 3) for Meltdown.

This mega-event sparked a huge discussion in the community for various reasons: the impact of the vulnerabilities themselves; the number of vendors affected directly and indirectly at various levels of the supply chain; the sheer number of systems impacted worldwide; and the mammoth task of getting these systems updated (if at all possible). Clearly, Pandora’s box had been opened and there was no going back. Pundits predicted (accurately!) we would see more of these in the months and years to come.

In late May 2018, two more vulnerabilities were discovered and reported by Microsoft and Google. These were tagged Variant 3A (CVE-2018-3640) and Variant 4 (CVE-2018-3639). The fourth variant presented a new method for leaking information from a system and could be exploited from a browser, thereby enhancing the ease of exploitation. These variants are part of eight additional Spectre-class flaws provisionally named Spectre-NG.

Soon to follow were other flaws from the Spectre-NG class: Lazy FP State Restore (CVE-2018-3665); Bounds Check Bypass Store (BCBS) aka Spectre 1.1 (CVE-2018-3693); Spectre 1.2; ret2spec (aka Spectre v5); and SpectreRSB (Return Stack Buffer).

In July 2018, NetSpectre surfaced and changed the scope in terms of exploitability of the Spectre family: a remote attack was now possible. By virtue of this new vulnerability, reported by researchers of the Graz University of Technology, an exposed Network Interface or API would be enough for an attacker to execute the remote side-channel attack. NetSpectre is capable of leaking information from the target system and even though the rate of transmission is low (around 15 to 60 bits per hour in a local network) it is still proof that novel variations of speculative execution can target a broad range of devices.

Most recently, on August 14, a new set of vulnerabilities dubbed Foreshadow and Foreshadow-NG were made public. The new set of vulnerabilities exploiting a Side-Channel attack causing a L1 Terminal Fault could affect processors, Virtual Machines and Cloud environments. These vulnerabilities can be triggered when accessing a linear or logical address that is not mapped to a physical location on the hardware resulting in a Terminal Fault.

So what difference does it make?

Spectre and Meltdown opened a broad discussion in regards to the current state of security and their implications. With the remarkably large number of systems vulnerable to speculative execution attacks, and the closing gap between Proofs of Concepts and weaponization, it’s imperative for security teams and companies collaborate to keep an eye on and be aware of the evolution of these threats.

Speculative Execution vulnerabilities not only affect microprocessor manufacturers, but the whole security community. Some of the discovered vulnerabilities will not be fully patched until new architectures are developed and deployed, which will take a few years to happen. More vulnerabilities will be discovered in the upcoming months and years expanding on the current attack vectors.

Why is this important?

  • The Spectre and Meltdown vulnerabilities affect a very large number and wide range of devices, including computers, mobile devices and servers. Given the widespread nature, it is certain all affected systems will never be actually patched.
  • These classes of vulnerabilities are not going away anytime soon. While some of these vulnerabilities have been mitigated by software patches provided by different vendors, this has come at the cost of performance, and, in some cases, holistic fixes have required architectural changes.
  • New, but related vulnerabilities will be discovered, unveiling novel types of attacks that might not be possible to patch via software alone.

What you can do…

Keeping up to date with information on new vulnerabilities and mitigating them via software patches or microcode provides a first line of defense.

Knowing how you are exposed can help to manage and mitigate risks associated with vulnerabilities. By visualizing, analyzing and measuring cyber risk, one can confidently manage and reduce it to an acceptable level.

Security teams must become proactive to close the gap between the publication of a new vulnerability and becoming aware that it is present in their ecosystem. As per Tenable Research’s report on the Attacker’s Advantage, 34% of the analyzed vulnerabilities had an exploit available on the day they were disclosed. Teams willing to protect their organization’s infrastructure can be a step ahead of the curve and reduce the seveday window of opportunity attackers have to exploit a given vulnerability.

On our part, we will keep you updated on the saga of speculative side channel vulnerabilities as things evolve. Stay tuned!

Learn more:

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.