The ongoing saga of the Spectre and Meltdown vulnerabilities has just taken a new turn. Discovered by Google Project Zero (GPZ) and Microsoft, the new variants affect everything from desktops, laptops and mobile devices to infrastructure-as-a-service. These flaws are present in nearly all modern microprocessors and could allow an attacker to steal sensitive information by abusing a CPU feature called speculative execution to read privileged memory. We’ve been following the ongoing developments of these vulnerabilities since their first disclosure back in January 2018 and have released coverage to help keep our customers secure based on previous developments. The vulnerability has continued to evolve: new variants of Spectre have surfaced that use speculative execution side-channel attack methods, and they have been assigned CVE-2018-3639 and CVE-2018-3640.
The new derivatives are called Variant 3a (Rogue System Register Read (RSRE)) and Variant 4 (Speculative Store Bypass) and were discovered and jointly disclosed by GPZ and Microsoft's Security Response Center (MSRC).
According to CERT, Side-Channel Vulnerability Variants 3a and 4 may allow an attacker to access sensitive information on affected systems. When the original Spectre and Meltdown vulnerabilities were disclosed, many companies like Intel, Red Hat and Microsoft issued updates to patch the issues. However, the fixes haven't always worked as intended, and some customers experienced performance as well as other issues when they applied the patches.
This time around, Intel has delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors. The mitigation is set to off by default, giving customers the choice of whether to enable it. With the mitigation off, Intel observed no performance impact; with it enabled, Intel observed a performance impact of approximately two to eight percent based on overall benchmark scores. Intel expects the mitigation to be released in production BIOS and software updates from various vendors over the coming weeks.
Intel is classifying Variant 3a as a medium-risk vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.
Intel is classifying Variant 4 as a medium-risk vulnerability that exploits “speculative bypass.”
When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. Many of the exploitation techniques it relies on were already addressed by the original set of patches for Spectre and Meltdown, which makes real-world exploitation of these issues harder.
Intel has stated it hasn’t received any reports of this method being used in real-world exploits. In addition, the mitigation techniques deployed for Variant 1 back in January are already available and can also be applied to Variant 4. Intel and its partners will additionally provide a combination of microcode and software updates to mitigate Variant 4.
Red Hat’s VP of the operating system platform, Denise Dumas, issued a statement saying: “These vulnerabilities could allow a malicious actor to steal sensitive information from almost any computer, mobile device, or cloud deployment. Importantly, several technology industry leaders, including Red Hat, have worked together to create patches that correct this issue, underscoring the value of industry collaboration. It is key that everyone, from consumers to enterprise IT organizations, apply the security updates they receive. Because these security updates may affect system performance, Red Hat has included the ability to disable them selectively in order to better understand the impact on sensitive workloads.”
Urgently required actions
Refer to hardware and software vendors for patches or microcode and deploy as soon as they are available.
Tenable Research is monitoring the situation and will release coverage as required to help keep our customers secure.
Identifying affected systems
- Refer to hardware and software vendors’ releases.
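On Linux hosts, one concrete way to confirm whether the Variant 4 mitigation described above is actually active is to read the kernel's spec_store_bypass status and the CPU's ssbd flag; the script below is an added example, not part of the Tenable post or any vendor release, and it assumes a kernel new enough to expose that sysfs entry (the sample strings in the comments are constructed).

```python
"""Report Variant 4 (Speculative Store Bypass) mitigation state on Linux.

Added example, not from the Tenable post. Assumes the sysfs entry
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass (present on kernels
that carry the Variant 4 patch) and the "ssbd" /proc/cpuinfo flag (present
once the CPU/microcode exposes the SSBD control).
"""
from pathlib import Path

SYSFS_SSB = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")
CPUINFO = Path("/proc/cpuinfo")

def classify_ssb(status: str) -> str:
    """Map the kernel's spec_store_bypass string to a coarse state."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        # "... disabled via prctl and seccomp" = per-process opt-in;
        # "... disabled" with no "via" = forced on for every process.
        return "mitigated_selective" if " via " in s else "mitigated_always"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty/absent: kernel predates the Variant 4 patch

def has_ssbd_flag(cpuinfo_text: str) -> bool:
    """True if a 'flags' line lists ssbd, i.e. microcode exposes the control."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            if "ssbd" in flags.split():
                return True
    return False

def report(status: str, cpuinfo_text: str) -> dict:
    """Combine both signals into a state and the next defensive step."""
    state = classify_ssb(status)
    microcode = has_ssbd_flag(cpuinfo_text)
    if state == "unknown":
        action = "update kernel: it does not report spec_store_bypass"
    elif state == "vulnerable" and not microcode:
        action = "apply vendor microcode/BIOS update, then reboot"
    elif state == "vulnerable":
        action = "enable kernel mitigation (see spec_store_bypass_disable=)"
    else:
        action = "none"
    return {"state": state, "ssbd_microcode": microcode, "action": action}

def report_live() -> dict:
    """Read the real files; meaningful only on Linux with a patched kernel."""
    status = SYSFS_SSB.read_text() if SYSFS_SSB.exists() else ""
    return report(status, CPUINFO.read_text() if CPUINFO.exists() else "")
```

Run report_live() on each host after applying the vendor updates; a state of "vulnerable" with ssbd_microcode False means the BIOS/microcode update has not landed yet.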
Get more information
- Intel Tech Release
- Microsoft Security Release
- Red Hat Tech Release
- Red Hat Speculative Store Bypass
Editor's Note: This post was edited for accuracy on May 23, 2018.