Critical Vulnerability in Intel CPUs Being Compared with Heartbleed

Over the last two days, the InfoSec community has been rocked by news of a yet unnamed critical vulnerability affecting several generations of Intel CPUs. The vulnerability is due to be announced on January 9 but till then many researchers have compared the vulnerability to the now infamous Heartbleed bug. Heartbleed affected the OpenSSL library “heartbeat” which essentially lets one computer tell the other computer, “I am here. Don't close this session. I am thinking.” The heartbeat system has one computer establish a secure connection with another and send an incoming request data packet. The second computer will then copy that request into a reply packet and sends it back to confirm the connection is working and valid. The vulnerability is a memory buffer overflow, where if the machine receives fewer packets than it is expecting to receive, it randomly grabs bits of information from memory to pad out the response to the correct size. In an attack scenario, the vulnerability could have been exploited on high traffic websites to access usernames and passwords of users who had just logged on.

What is known about the Critical Vulnerability

While an attack exploiting the Heartbleed vulnerability depended a lot on timing researchers believe the latest CPU vulnerability will allow for a far more practical attack. The existence of the vulnerability was discovered when the kernel page table isolation (KPTI) in Linux was introduced. Both Windows and MacOS are incorporating similar features. The consensus among researchers is that Intel will not be able to find an easy fix, and the fix will not seem to be possible by applying it directly to their processors.

critical intel cpu vulnerability

KPTI is a hardening technique designed to improve security by isolating the kernel space from user space memory. Without KPTI enabled, whenever executing user-space code, Linux would also keep its entire kernel memory mapped in page tables, although protected from access. The advantage is that when the application makes a system call into the kernel or an interrupt is received, kernel page tables are always present, and so most context switching-related overheads, such as TLB flush and page-table swapping, can be avoided. KPTI is based on the KAISER system developed last year by a team of researchers at the Graz University of Technology in Austria. In summary, the KAISER system brings improvements to address space layout randomization (ASLR), a mitigation designed to prevent control-flow hijacking and code injection attacks.

While the details concerning the vulnerability can only be speculated about, many believe this vulnerability to be associated with research published in July 2017. Researcher Anders Fogh shared some thoughts on how it may be possible to read kernel memory from an unprivileged process via speculative execution. Fogh was unable to successfully prove his position but the idea did gain a lot of traction within the community. It is believed that researcher at Graz University have found a way to make Fogh’s concept work. Gaining access to the kernel space poses serious risks as this memory can include highly sensitive information.

AMD Processors not Susceptible or Are They?

An AMD representative explained, “AMD processors are not subject to the types of attacks that the kernel
page table isolation feature protects against. The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault,”. However, BBC News reported that AMD, Arm, and Intel are all affected. Labelled as “Spectre” by many in the media, the vulnerability is reported to affect all major processor manufacturers. The report also mentioned another vulnerability called “Meltdown” only affects Intel processors.

In a conference call with investors, it has been reported that experts at Intel had shown that hackers could exploit the Meltdown vulnerability, gaining the ability to read memory and potentially access information such as passwords or encryption keys on devices. This has led Microsoft and Apple to work on and release security updates shortly. Spectre, however, experts believe that it will be much harder to patch and no one has yet to announce a security update to be released or has been released as of yet. One can only hope that the confusion behind the vulnerability, or vulnerabilities, is cleared up before January 9 to put the community at ease.

Cloud Services Expected to be Hardest Hit

One of the major worries is the impact the vulnerability will have on Cloud services. Microsoft, Amazon, and Google are apparently impacted by the Intel hardware vulnerability. Amazon Web Services (AWS) and Microsoft Azure have informed customers of upcoming security updates that will require a reboot of their cloud instances. In a recent blog post by Python Sweetness, it has been speculated that the flaw could allow privilege escalation attacks against hypervisors.

As to whether a serious flaw will result in mass exploitations by hackers, only time will tell. Given the response so far of the community at large as well as the companies involved the flaw is indeed serious. Google and their Project Zero research team have released a blog detailing their discoveries of the vulnerability to date. In the blog, it was stated:

“The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible.”

They have deemed this method of attack to be serious enough to mobilize the development teams of numerous departments to work at to defend Google’s systems and our users’ data. The flaw prompted Google to release the blog before the January 9 coordinated disclosure of the vulnerability. Google cited the following as its reason for posting before the agreed upon date:

“We are posting before an originally coordinated disclosure date of January 9, 2018, because of existing public reports and growing speculation in the press and security research community about the issue, which raises the risk of exploitation.”

Many investors and shareholders may be holding their breath until the aforementioned date.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal