NetSpectre vuln allows remote Spectre exploitation

July 27, 2018 // 10:46 a.m.

Tags: #daniel-gruss #data-exfiltration #flaw #insecurity #meltdown #netspectre #security #spectre #speculative-execution #vulnerability

Companies: #graz-university-of-technology #intel

Researchers from the Graz University of Technology, including one of the team who originally uncovered the Meltdown vulnerability, have disclosed details on how speculative execution flaws in modern processors can be used to read arbitrary memory locations over a network - without the need to have local access to the target device.

The Spectre and Meltdown family of security vulnerabilities, stemming from features added to the majority of modern processors as a means of boosting performance, should need little introduction at this point: First publicly announced back in January and the source of considerable heartache for Intel, the original suite of vulnerabilities has since been joined by SpectreNG, Spectre Variant 4, Spectre Variant 1.1 and Variant 1.2, and SpectreRSB.

All these vulnerabilities have one thing in common, though: They require that attack code is run on the target system. While this can be as simple as tricking the user into visiting a malicious website using an unpatched browser or previously-undiscovered zero day, the latest in the string of speculative execution related vulnerabilities requires no such interaction.

Published by Daniel Gruss, one of the researchers who discovered and documented the related Meltdown vulnerability, and colleagues from the Graz University of Technology, NetSpectre weaponises Spectre in a new way: The target system can be exploited and arbitrary memory locations, containing anything from plain-text passwords to secret encryption keys, read remotely via a network connection.

'NetSpectre marks a paradigm shift from local attacks, to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks,' the team write in their paper on the vulnerability. 'Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all. We show that especially in this remote scenario, attacks based on weaker gadgets which do not leak actual data, are still very powerful to break address-space layout randomization remotely. Several of the Spectre gadgets we discuss are more versatile than anticipated. In particular, value-thresholding is a technique we devise, which leaks a secret value without the typical bit selection mechanisms.'

While the news that an in-silicon vulnerability can be remotely exploited to exfiltrate data is undeniably bad, there's light on the horizon: Intel, which was informed of the flaw in late March, explains that the same protections in place against Spectre itself are effective against NetSpectre, meaning that systems patched against Spectre should already be safe against its network-oriented variant.

'NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate,' an Intel spokesperson explains of the company's investigation into the vulnerability. 'We provide guidance for developers in our whitepaper, Analysing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of Graz University of Technology for reporting their research.'

The team's paper on NetSpectre is available from Gruss' website (PDF warning).

Discuss this in the forums


Week in review