NetSpectre Attack Could Enable Remote CPU Exploitation

Researchers have discovered a method that could potentially enable an attacker to use the Spectre CPU vulnerabilities over a remote network connection.

Researchers from Graz University of Technology in Austria released new research on July 26, 2018, detailing how the Spectre speculative execution vulnerability could be exploited over a network, without running any code on the target.

In a 14-page report, the researchers dubbed their attack method NetSpectre, which can enable an attacker to read arbitrary memory over a network. Spectre is the name researchers gave to a class of vulnerabilities that abuse speculative execution, a performance feature of modern CPUs, to leak data through microarchitectural side channels such as the cache. Spectre and the related Meltdown CPU vulnerabilities were first publicly disclosed on Jan. 3, 2018.

"Spectre attacks require some form of local code execution on the target system," the Graz University researchers wrote. "Hence, systems where an attacker cannot run any code at all were, until now, thought to be safe."

With NetSpectre, the researchers detail a novel, albeit slow, approach to remotely exploiting Spectre on a vulnerable system. The attack sends many crafted requests to a network service whose code contains a Spectre gadget and infers the leaked data one bit at a time from differences in response latency. According to the researchers, the NetSpectre attack method can leak information at a rate of 15 bits per hour over a local network using a cache-based covert channel, and about 60 bits per hour using a covert channel based on the power-down behavior of the CPU's AVX2 unit.

Multiple variants and related attack approaches have been reported since the initial Spectre and Meltdown vulnerabilities were disclosed in January. Among the most recently reported are a pair of additional variants disclosed on May 21 (Speculative Store Bypass, CVE-2018-3639, and Rogue System Register Read, CVE-2018-3640). To date, though, all prior variants of Spectre and Meltdown have required the attacker to run code on the target system, for example as a local process or as JavaScript in a browser.

"NetSpectre marks a paradigm shift from local attacks, to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks," the researchers wrote. "Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all."

The researchers reported the NetSpectre attack method to Intel. Intel's position is that NetSpectre is a new way of triggering the Bounds Check Bypass variant (CVE-2017-5753, also known as Spectre variant 1), and that it is addressed by the same software-level mitigation the chip maker already recommends for that variant: finding the vulnerable code patterns and inserting a speculation barrier, rather than a microcode or firmware update.

"NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner—through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate," Intel wrote in a statement. "We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, and Stefan Mangard of Graz University of Technology for reporting their research."
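The mitigation Intel describes, a speculation-stopping barrier after the bounds check, is easiest to see next to the gadget it protects. The following C is an added example and is not code from the NetSpectre paper or from Intel's whitepaper; the buffer layout, the names public_buf, secret and probe, the request handler functions and the demo values are all constructed for illustration. It shows the classic bounds-check-bypass (Spectre variant 1) gadget as a network-facing request handler might contain it, then the same handler hardened with an lfence barrier (x86 only; on other architectures the fallback is a compiler barrier and is marked as such), and, as a branchless alternative that goes beyond the statement above, the index-masking technique used by the Linux kernel's array_index_nospec.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PUBLIC_LEN 16
#define LINE 512   /* stride between probe entries: each byte value gets its own cache line(s) */

/* Constructed demo memory layout (illustrative, not a real target): a
 * bounds-checked public buffer and bytes the handler must never expose.
 * On a speculative path public_buf[index] with an oversized index can reach
 * any byte at a higher address, such as secret[]. */
static uint8_t public_buf[PUBLIC_LEN];
static const uint8_t secret[17] = "NETSPECTRE_DEMO_";
static uint8_t probe[256 * LINE];   /* receiver side: probe[v * LINE] gets cached when v leaks */

/* Fills the demo arrays with recognisable values; returns the number of
 * probe entries written (256) so a caller can check initialisation. */
int init_demo(void) {
    for (size_t i = 0; i < PUBLIC_LEN; i++) public_buf[i] = (uint8_t)i;
    for (unsigned v = 0; v < 256; v++) probe[v * LINE] = (uint8_t)v;
    return 256;
}

/* VULNERABLE. Architecturally correct: an out-of-range index returns -1 and
 * never touches memory. Microarchitecturally, once the branch predictor has
 * been trained with in-range indices, the CPU speculatively runs the body for
 * an out-of-range index too: the leak gadget reads a byte beyond public_buf
 * and the transmit gadget loads probe[v * LINE], leaving a cache footprint
 * that encodes v. That footprint is what NetSpectre measures remotely. */
int handle_request_vulnerable(size_t index) {
    if (index < PUBLIC_LEN) {
        uint8_t v = public_buf[index];    /* leak gadget */
        return probe[v * LINE];           /* transmit gadget */
    }
    return -1;
}

/* Mitigation 1: a speculation barrier directly after the check. lfence does
 * not execute until every preceding instruction (including the compare) has
 * completed, so the body cannot run on a mispredicted path. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#else
    /* Compiler-only barrier: NOT a hardware speculation barrier on this
     * architecture; present only so the example compiles elsewhere. */
    __asm__ __volatile__("" ::: "memory");
#endif
}

int handle_request_barrier(size_t index) {
    if (index < PUBLIC_LEN) {
        speculation_barrier();
        uint8_t v = public_buf[index];
        return probe[v * LINE];
    }
    return -1;
}

/* Mitigation 2: branchless index clamping (the idea behind the Linux kernel's
 * array_index_nospec). Returns all-ones if index < size, zero otherwise,
 * using arithmetic only, so there is no branch to mispredict.
 * Valid for size <= SIZE_MAX/2, which holds for any real buffer. */
static inline size_t array_index_mask_nospec(size_t index, size_t size) {
    size_t diff = index - size;                      /* wraps when index < size */
    size_t lt   = diff >> (sizeof(size_t) * 8 - 1);  /* 1 iff index < size */
    return (size_t)0 - lt;                           /* 0xFF..FF or 0 */
}

int handle_request_masked(size_t index) {
    if (index < PUBLIC_LEN) {
        size_t mask = array_index_mask_nospec(index, PUBLIC_LEN);
        __asm__ __volatile__("" : "+r"(mask));       /* stop the compiler folding the mask away */
        index &= mask;                               /* an out-of-range index becomes 0, even speculatively */
        uint8_t v = public_buf[index];
        return probe[v * LINE];
    }
    return -1;
}

int main(void) {
    init_demo();
    printf("index 3 (in range):      %d %d %d\n", handle_request_vulnerable(3),
           handle_request_barrier(3), handle_request_masked(3));
    printf("index 1000 (out of range): %d %d %d\n", handle_request_vulnerable(1000),
           handle_request_barrier(1000), handle_request_masked(1000));
    printf("public_buf at %p, secret at %p\n", (void *)public_buf, (const void *)secret);
    return 0;
}
```

All three handlers behave identically architecturally, which is exactly why the bug is hard to spot by testing: only the speculative path differs. The barrier form is what Intel's guidance calls for; the masked form avoids the cost of a fence on every request but must be checked in the compiled output, since an optimizing compiler that can prove the mask is all-ones inside the branch would remove it.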

Industry Reaction

Security experts contacted by eWEEK had mixed views about the impact of the NetSpectre disclosure.

"Although, in practice, the threat of this new evolution of the Spectre vulnerability being exploited is low, it is something to continue watching," Dan Hubbard, chief security architect at Lacework, told eWEEK. "Researchers continue to find flaws that could potentially lead to remote code execution in the future, and security companies and practitioners need to continue to keep up-to-date with the latest research and mitigation techniques."

Brajesh Goyal, vice president of engineering at Cavirin, said NetSpectre does in fact introduce a new, quite sophisticated attack vector for Spectre exploitation. In his view, the best practices to defend against the threat are to ensure proper patching and multilayer security. 

Chris Morales, head of security analytics at Vectra, said that it's good news that existing mitigation techniques for Spectre also apply to NetSpectre. 

"The bad news is this is proof of research into new methods that Spectre can be used for an attack, and I'm sure there will be many more methods exposed over time," Morales told eWEEK. "We are not in the clear on the Spectre attack, nor will we be for quite some time." 

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.