Two new variants of the Spectre and Meltdown side-channel vulnerabilities were publicly disclosed on May 21, impacting CPUs from multiple vendors, including Intel and ARM.
The two vulnerabilities—CVE-2018-3640, identified as Rogue System Register Read, and CVE-2018-3639, identified as Speculative Store Bypass—could potentially enable an attacker to read arbitrary system memory on a vulnerable system.
“Security researchers identified two software analysis methods that, if used for malicious purposes, have the potential to improperly gather sensitive data from multiple types of computing devices with different vendors’ processors and operating systems,” Intel stated in an advisory. “We worked closely with other technology companies and several operating system and system software vendors, developing an industry-wide approach to mitigate these issues promptly.”
The new attacks are related in nature to the Spectre and Meltdown side-channel vulnerabilities that were first publicly reported on Jan. 3. Google Project Zero researcher Jann Horn, who was among those credited with discovering Meltdown and Spectre, also reported the new flaws, as did Microsoft.
While the CVE-2018-3640 vulnerability is considered to be a variant of one of the previously disclosed Spectre vulnerabilities, the CVE-2018-3639 Speculative Store Bypass issue is something different, according to Christopher Robinson, manager of Product Security Assurance at Red Hat:
“Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715, CVE-2017-5753) were vulnerabilities that used side-channel attacks to leverage an exploit during speculative execution that possibly allows an attacker to read memory accessible by the kernel, which by default is all physical memory,” Robinson told eWEEK. “CVE-2018-3639 similarly deals with memory speculation, but instead works through the exploitation of store buffers that can allow older values of memory to be visible to an attacker.”
Remediation
Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, commented in a blog post that Intel has not seen any reports of the new attack methods being used in real-world exploits.
“Moreover, there are multiple ways for consumers and IT professionals to safeguard their systems against potential exploits, including browser-based mitigations that have already been deployed and are available for use today,” she wrote.
In the aftermath of the Meltdown and Spectre attacks, Intel released firmware updates for some of its chips, and vendors of operating systems including both Microsoft Windows and Linux distributions released updates as well. Browser vendors including Microsoft, Apple and Mozilla have had mitigations in place since January that Culbertson said can help to limit the risk of the new issues as well, though she noted that new firmware updates are also coming from Intel. The additional firmware update comes, however, with a performance impact of 2 to 8 percent, according to Intel.
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” Culbertson said.
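Whether the operating-system and microcode mitigations described above are actually active on a given Linux host is something the kernel reports itself, under /sys/devices/system/cpu/vulnerabilities/. The script below is an added example, not code from the article or from any vendor named in it; it assumes a Linux kernel that exposes that directory, and the sample status lines it carries are constructed for offline use rather than captured from a real machine.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's self-reported mitigation status
# for the speculative-execution flaws discussed in the article.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities/.
# Note: CVE-2018-3640 (Rogue System Register Read) is a microcode-only fix
# and is not covered by this script.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status STATUS_LINE -> prints "ok", "vulnerable" or "unknown".
# The kernel prefixes each entry with "Not affected", "Mitigation:" or
# "Vulnerable"; anything else (empty, unrecognized) is reported as unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_vuln ENTRY -> reads $VULN_DIR/ENTRY and classifies it; a missing or
# unreadable entry (older kernel, non-Linux host) yields "unknown".
check_vuln() {
    f="$VULN_DIR/$1"
    if [ -r "$f" ]; then
        classify_status "$(cat "$f")"
    else
        echo unknown
    fi
}

# Constructed sample lines (not captured from a real host) in the kernel's format.
SAMPLE_SSB_MITIGATED="Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
SAMPLE_SSB_VULNERABLE="Vulnerable"

# report -> one line per entry; the exit status is non-zero if any entry
# is still reported as vulnerable, so the script can feed a fleet check.
report() {
    rc=0
    for entry in meltdown spectre_v1 spectre_v2 spec_store_bypass; do
        state=$(check_vuln "$entry")
        printf '%-18s %s\n' "$entry" "$state"
        [ "$state" = vulnerable ] && rc=1
    done
    return $rc
}

report
```

On a patched host every line reads ok; "vulnerable" for spec_store_bypass means the kernel has no usable mitigation, typically because the microcode update the article mentions has not been installed.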
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.