Intel hit with another attack (SWAPGS)

[LukeSavenije]

Sources: @valdyrgramr, overclock3d

 

Researchers over at Bitdefender have uncovered a new side-channel attack which impacts Intel x86 processors from Sandy Bridge (2011) and up. This new Speculative Execution attack is called SWAPGS, and has been designated the CVE-2019-1125 name. 

 

Quote

Bitdefender has claimed that it has "worked with Intel for more than a year" before publically disclosing this new attack, stating that "the SWAPGS Attack affects newer Intel CPUs that use speculative execution". Red Hat has additionally claimed that vulnerability applies to x86-64 systems which use "either Intel or AMD processors". 

SWAPGS allows attackers to gain access to information that's stored in kernel memory, which could extend to passwords, encryption keys and other pieces of important information. This vulnerability is said to only be available to local attackers, with the Linux OS being considered more secure from the vulnerability than Windows. 

Users of Windows 10 should update their OS to ensure that their systems remain secure. On July 9th, Microsoft released an OS update that's designed to mitigate the effects of SWAPGS by changing how processors speculatively access memory. 

 

Quote

AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.

 

[Princess Luna]

Again, another local access only exploit that 99% of people don't have to worry about and likely would be better without the performance penalty from rushed mitigations.

[Levent]

Jayzuz fuck, 2 more years and my 3570K will perform worse than a Netburst Pentium 4. 

[Ashley MLP Fangirl]

laughs in AMD

 

wait, my laptop is intel... shit. 

 

cries in intel

[Juniiii]

Shintel

[Tristerin]

YUS more Intel FX processors!  They share vulnerabilities, not Floating Point Units however.

[tech.guru]

https://www.forbes.com/sites/daveywinder/2019/08/06/microsoft-confirms-new-windows-cpu-attack-vulnerability--advises-all-users-to-update-now/#69ee6f1e73f8

 

"We call this the SWAPGS attack because the vulnerability leverages the SWAPGS instruction," Bogdan Botezatu, director of threat research and reporting at Bitdefender, says "an under-documented instruction that makes the switch between user-owned memory and kernel memory." Botezatu also says that, at this point, "all Intel CPUs manufactured between 2012 and today are vulnerable to the SWAPGS attack." Which means every Intel chip going back to the "Ivy Bridge" processor is vulnerable if inside a machine running Windows.

 

but see, 

"I don’t think this is going to be leveraged into a Wannacry or Notpetya level of attack," Thornton-Trump says, "and I don’t think it will be adopted by cyber-criminals with financial motivations." These are the sort of vulnerabilities that “Government Cloud” and “Military Mega-Cloud” projects should be aware of, according to Thornton-Trump.  “For people with sensitive data in virtual environments these sorts of exploits need to be considered in the threat model,” he concludes, “for the rest of us, we have far worse issues to deal with.”

 

 

[SPARTAN VI]

46 minutes ago, Princess Luna said:

Again, another local access only exploit that 99% of people don't have to worry about and likely would be better without the performance penalty from rushed mitigations.

Can you elaborate on this? I presume "local access" does not mean "physical access" to the machine?

[Princess Luna]

6 minutes ago, SPARTAN VI said:

Can you elaborate on this? I presume "local access" does not mean "physical access" to the machine?

It does, either the machine itself or in some cases the local network it is on, either ways someone in Russia won't be able to "hack" you in California using this.

[SPARTAN VI]

6 minutes ago, Princess Luna said:

It does, either the machine itself or in some cases the local network it is on, either ways someone in Russia won't be able to "hack" you in California using this.

Why does it require "physical access" to the machine? Of the two articles I've read, both mention the requirement to run a specifically crafted application. If the attack vector is to run the exploit's software, I don't see why "physical access" is necessary. Maybe by "local access" they mean, local admin rights? 

[WereCatf]

3 minutes ago, SPARTAN VI said:

I don't see why "physical access" is necessary

It isn't, @Princess Luna is incorrect. Only the ability to run code at the target is required, whether it is by physical access or by e.g. tricking the target's owner to run malicious executable.

[Master Disaster]

36 minutes ago, gabrielcarvfer said:

Meltdown, Spectre, Zombieload, Spoiler, Foreshadow, SWAPGS, RIDL and Fallout (MDS), ...

 

Yeah, it's almost like when one major vulnerability is found everyone else starts probing the same area to look for more.

[pas008]

3 minutes ago, Master Disaster said:

Yeah, it's almost like when one major vulnerability is found everyone else starts probing the same area to look for more.

battle royale  mode for security lol

[Princess Luna]

9 minutes ago, WereCatf said:

It isn't, @Princess Luna is incorrect. Only the ability to run code at the target is required, whether it is by physical access or by e.g. tricking the target's owner to run malicious executable.

Oh yes because we're still on the days of downloading shady content from shady spam emails.... circles eyes

[WereCatf]

1 minute ago, Princess Luna said:

Oh yes because we're still on the days of downloading shady content from shady spam emails.... circles eyes

Are you trying to imply that that doesn't happen?

[SPARTAN VI]

3 minutes ago, Princess Luna said:

Oh yes because we're still on the days of downloading shady content from shady spam emails.... circles eyes

 

1 minute ago, WereCatf said:

Are you trying to imply that that doesn't happen?

If that's the most obvious attack vector, I could see an uncautious user grabbing an infected application via torrent. How many thousands of people download bootlegged games and applications (e.g. Photoshop) every day? Is it not feasible for a black hat to seed an infected variant of those applications? 

[Emberstone]

I still haven't updated my BIOS to patch the S/M vulnerabilities. I paid good money for that ~10% performance, damnit, and I'm going to keep it. Personally IDGAF about these vulnerabilities because not being an idiot on the Internet or my network hasn't failed me for decades.

[WereCatf]

1 minute ago, SPARTAN VI said:

If that's the most obvious attack vector, I could see an uncautious user grabbing an infected application via torrent. How many thousands of people download bootlegged games and applications (e.g. Photoshop) every day? Is it not feasible for a black hat to seed an infected variant of those applications? 

People are constantly downloading random shit, including Excel-files and whatnot being sent to them, whether it is by instant-messages, Facebook-posts, email etc. All one has to do is look at any recent security breach news and the most likely reason it happened is because someone downloaded and executed something they shouldn't have.

[pas008]

15 minutes ago, WereCatf said:

People are constantly downloading random shit, including Excel-files and whatnot being sent to them, whether it is by instant-messages, Facebook-posts, email etc. All one has to do is look at any recent security breach news and the most likely reason it happened is because someone downloaded and executed something they shouldn't have.

only takes 1 for security risk on the network right?

[TopHatProductions115]

I wonder if x58 Xeons are affected

[spartaman64]

35 minutes ago, Princess Luna said:

Oh yes because we're still on the days of downloading shady content from shady spam emails.... circles eyes

thats exactly how wannacry infects comuputers/local networks

[LukeSavenije]

1 hour ago, TopHatProductions115 said:

I wonder if x58 Xeons are affected

in theory they're not

 

but you never know...

[Brooksie359]

1 hour ago, WereCatf said:

People are constantly downloading random shit, including Excel-files and whatnot being sent to them, whether it is by instant-messages, Facebook-posts, email etc. All one has to do is look at any recent security breach news and the most likely reason it happened is because someone downloaded and executed something they shouldn't have.

True but I trust myself to not be easily fooled by something like that. Also I am the only one on my network so unless I mess up I won't be vulnerable. I dont get why people download things unless its nessisary and comes from secure source. 

[MageTank]

2 hours ago, Princess Luna said:

Oh yes because we're still on the days of downloading shady content from shady spam emails.... circles eyes

We are. There are still people falling for fake tech support scams. There is a reason that particular market is still around. Plenty of uneducated elderly users as well as younger kids will likely fall prey to these attacks as they do virtually every other malicious online exploit.

 

There is an old saying that goes "If you make something idiot-proof, they'll build a better idiot". It's applicable here.

[Dabombinable]

7 hours ago, Levent said:

Jayzuz fuck, 2 more years and my 3570K will perform worse than a Netburst Pentium 4. 

That's...a long way to fall: