News for Admins
Tech News
One Spectre/Meltdown Flaw for Every Day of the Week
A team of researchers has found seven new Spectre/Meltdown flaws. In a paper, the researchers wrote: "… we present a sound and extensible systematization of transient execution attacks. Our systematization uncovers 7 (new) transient execution attacks that have been overlooked and not been investigated so far."
These flaws include two new Meltdown variants: Meltdown-PK, which abuses Intel's memory protection keys, and Meltdown-BR, which exploits the bound-range-exceeded exception on both Intel and AMD. The remaining five are Spectre variants, new ways of mistraining the branch predictors behind Spectre-PHT and Spectre-BTB.
"We evaluate all 7 attacks in proof-of-concept implementations on 3 major processor vendors (Intel, AMD, ARM)," the authors said in the paper. "Through this systematic evaluation, we discover that we can still mount transient execution attacks that are supposed to be mitigated by rolled out patches."
The team also suggested mitigation possibilities. "Transient execution attacks use a covert channel to transfer the microarchitectural state change induced by the transient instruction sequence such that it can be observed on an architectural level. One approach in mitigating Spectre-type attacks is to reduce the accuracy." https://arxiv.org/pdf/1811.05441.pdf
Bleedingbit: Two New Bluetooth Vulnerabilities
Armis, a firm focused on Internet of Things (IoT) security, has discovered two new vulnerabilities dubbed Bleedingbit in BLE (Bluetooth Low Energy) chips made by Texas Instruments (TI).
The first vulnerability affects the CC2640 and CC2650 chips used in Cisco and Meraki WiFi access points. It is proximity-based: an attacker within Bluetooth range triggers memory corruption in the BLE stack, which could allow them to compromise the main system of the access point and thereby gain full control over it.
The second vulnerability (CC2540) affects Aruba's 300 Series WiFi access points. The device uses a TI BLE chip for over-the-air (OTA) firmware updates, and Armis said the issue is technically a backdoor in the BLE chips, designed to allow those firmware updates.
"The 'Bleedingbit' vulnerabilities endanger enterprises using vulnerable access points in their networks. Beyond access points, the health sector is potentially affected by these vulnerabilities, because the affected BLE chips are used in many medical devices, such as insulin pumps and pacemakers. Even private users might be affected by the vulnerabilities if they use an IoT device that embeds one of the vulnerable chips," said Armis in a blog post. https://armis.com/bleedingbit/
According to Armis, these BLE chips are widely used in devices from vendors including Cisco, Meraki, and Aruba.
An attacker can exploit these proximity-based vulnerabilities to gain access to the enterprise network. "Once an attacker takes control over an access point, they can move laterally between network segments and create a bridge between them – effectively breaking network segmentation," wrote Armis in the blog post.
Armis notified TI, and the chip maker has already released security patches. The device manufacturers, Cisco, Meraki (owned by Cisco), and Aruba, have released updates for their devices.
Intel Chips Smashed by PortSmash
Intel and AMD are not getting any breaks from chip-level vulnerabilities. A team of researchers from the Tampere University of Technology (Finland) and the Technical University of Havana (Cuba) has found a new vulnerability in Intel processors. Dubbed PortSmash (CVE-2018-5407), it lets an attacker steal sensitive data, including passwords and cryptographic keys, from a process running on the same core.
This time the problem is a side channel in Intel's Hyper-Threading, its implementation of simultaneous multithreading (SMT), which runs two hardware threads on one physical core to keep the core's execution units busy. The two threads share the core's execution ports, so a malicious thread can time how long its own instructions take to issue and infer which ports, and therefore which instructions, its sibling thread is executing. If the victim's control flow depends on a secret, the secret leaks.
The researchers demonstrated the attack on Skylake and Kaby Lake, two of Intel's most widely deployed microarchitectures, found in laptops, desktops, and servers alike. Any such machine with Hyper-Threading enabled is exposed.
In a security advisory, Red Hat said, "This is a flaw in the Intel processor execution engine sharing on SMT (e.g., Hyper-Threading) architectures. It can result in leakage of secret data in applications such as OpenSSL that has secret dependent control flow at any granularity level. In order to exploit this flaw, the attacker needs to run a malicious process on the same core of the processor as the victim process." https://access.redhat.com/security/cve/cve-2018-5407
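A practical follow-up to Red Hat's point that the attacker must share a physical core with the victim. The script below is an added example for this column, not code from the PortSmash researchers, Red Hat, or any vendor: it reports whether SMT is enabled on a Linux host and which logical CPUs are siblings on one core, which is exactly the set of CPUs an untrusted process must be kept away from if a secret-handling process runs there. The /sys paths are the standard kernel interfaces; the function names and the sample topology are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the PortSmash paper or Red Hat. PortSmash needs
# attacker and victim on the same physical core, so the first things an admin
# wants to know are whether SMT (Hyper-Threading) is on and which logical CPUs
# are core siblings. The /sys paths are the standard Linux interfaces; function
# names and the sample topology are ours.

# smt_state STRING: classify the contents of /sys/devices/system/cpu/smt/control.
smt_state() {
    case "$1" in
        on)                          echo "smt-enabled" ;;
        off|forceoff)                echo "smt-disabled" ;;
        notsupported|notimplemented) echo "no-smt-hardware" ;;
        *)                           echo "unknown" ;;
    esac
}

# expand_list CPULIST: turn a kernel cpulist such as "0,4-6,9" (the format of
# thread_siblings_list) into space-separated CPU numbers: "0 4 5 6 9".
expand_list() {
    echo "$1" | tr ',' '\n' | while IFS=- read -r lo hi; do
        hi=${hi:-$lo}
        i=$lo
        while [ "$i" -le "$hi" ]; do
            printf '%s ' "$i"
            i=$((i + 1))
        done
    done | sed 's/ $//'
}

# shared_core_groups: read "CPU:SIBLING_LIST" lines on stdin and print each
# distinct sibling set holding more than one logical CPU, i.e. every physical
# core on which two hardware threads share execution ports.
shared_core_groups() {
    awk -F: '$2 ~ /[,-]/ { print $2 }' | sort -u
}

# report_host: run the checks against the live system (read-only). Skipped when
# the kernel does not expose the SMT control file (pre-4.19 or non-Linux).
report_host() {
    ctl=/sys/devices/system/cpu/smt/control
    [ -r "$ctl" ] || { echo "no $ctl on this host"; return 0; }
    echo "SMT: $(smt_state "$(cat "$ctl")")"
    for f in /sys/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list; do
        [ -r "$f" ] || continue
        cpu=${f#/sys/devices/system/cpu/cpu}
        echo "${cpu%%/*}:$(cat "$f")"
    done | shared_core_groups | while read -r group; do
        echo "core shared by logical CPUs: $(expand_list "$group")"
    done
}

# Constructed sample topology (4 cores, 8 threads) so the output format can be
# seen without depending on the host: CPU n and CPU n+4 are siblings.
sample_topology() {
    printf '0:0,4\n1:1,5\n2:2,6\n3:3,7\n4:0,4\n5:1,5\n6:2,6\n7:3,7\n'
}

sample_topology | shared_core_groups
report_host
```

If SMT can be turned off, writing "off" to /sys/devices/system/cpu/smt/control (Linux 4.19 and later) or booting with the nosmt kernel parameter removes the shared ports entirely. Where that is not an option, the sibling groups the script prints are the input for taskset or cpusets: a process that handles keys should never be scheduled on a CPU whose sibling may run untrusted code.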
Hardware vulnerabilities are harder for OS vendors to fix because of the secrecy surrounding them. Software vendors, including communities such as Linux, often have to work under non-disclosure agreements (NDAs), which limits how many experts can be brought in to solve such issues and reduces transparency. Intel was earlier criticized for keeping the Spectre and Meltdown vulnerabilities quiet for months.
Although the vulnerability was demonstrated on Intel chips, one of the researchers told Ars Technica by email that they strongly suspect AMD's Ryzen architectures, which also use SMT, are vulnerable, "but we leave that for future work." One reason AMD chips were not verified is that the research team had no AMD hardware to test on.