Spectre CPU Vulnerability

A hardware vulnerability in the way all modern central processing units (CPU) implement speculative execution may allow an unauthorised user to access the memory space of a privileged process.

Threat ID:: CC-1912
Threat Severity:: Medium
Published:: 9 January 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A hardware vulnerability in the way all modern central processing units (CPU) implement speculative execution may allow an unauthorised user to access the memory space of a privileged process.

Threat details

This vulnerability is exploitable on all operating systems (OS) and affects all major computer hardware and cloud infrastructure vendors.

Speculative execution is an optimisation technique used to increase CPU performance by predicting likely future execution paths and executing them prematurely. This may result in a process being executed incorrectly, however, processors are designed to revert the results of an incorrect execution. If the predicted instructions were not needed they are discarded, typically to the cache before being removed completely, otherwise they are committed and yield a significant performance gain.

Spectre attempts to trick the CPU into speculatively executing instructions that should not have been executed during normal operation. These must be carefully selected based on the target process and are known as transient instructions. Once the processor reverts the erroneous instructions, the memory or register contents of the process are leaked through a covert channel. This channel can be chosen by the attacker but has been demonstrated using a cache-based channel similar to that used in the Meltdown exploit. Spectre has been demonstrated using native code or JavaScript on Intel, AMD and ARM micro-architectures.

Whilst being announced simultaneously and appearing to be similar vulnerabilities, Spectre differs from Meltdown in that it applies to a wider range of processors and requires tailoring to the targeted process's software environment to be affected. It is also not mitigated by the KAISER KASLR workaround.

For further information and technical analysis:

Threat updates

Date	Update
1 Apr 2021	New vulnerabilities in Linux-based operating systems New vulnerabilities in Linux-based operating systems could let attackers circumvent mitigations for speculative attacks such as Spectre and obtain sensitive information from kernel memory. This vulnerability impact all Linux kernels prior to 5.11.8. Patches for the security issues were released on March 20, 2021 with Ubuntu, Debian, and Red Hat deploying fixes for the vulnerabilities in their respective Linux distributions. The new vulnerabilities uncovered bypass mitigations in Linux by taking advantage of the kernel's support for extended Berkeley Packet Filters (eBPF) to extract the contents of the kernel memory. An attacker could exploit these vulnerabilities to take control of an affected system.
15 Feb 2018	Update Detail of new exploits that target the Meltdown and Spectre vulnerabilities have been published. A team of researchers has produced an research paper outlining two new proof-of-concept exploit, MeltdownPrime and SpectrePrime, that used an unreleased tool to trigger the vulnerabilities. Details of the exploits can be found here.

Date

Update

1 Apr 2021

New vulnerabilities in Linux-based operating systems

New vulnerabilities in Linux-based operating systems could let attackers circumvent mitigations for speculative attacks such as Spectre and obtain sensitive information from kernel memory. This vulnerability impact all Linux kernels prior to 5.11.8. Patches for the security issues were released on March 20, 2021 with Ubuntu, Debian, and Red Hat deploying fixes for the vulnerabilities in their respective Linux distributions.

The new vulnerabilities uncovered bypass mitigations in Linux by taking advantage of the kernel's support for extended Berkeley Packet Filters (eBPF) to extract the contents of the kernel memory. An attacker could exploit these vulnerabilities to take control of an affected system.

15 Feb 2018

Update

Detail of new exploits that target the Meltdown and Spectre vulnerabilities have been published. A team of researchers has produced an research paper outlining two new proof-of-concept exploit, MeltdownPrime and SpectrePrime, that used an unreleased tool to trigger the vulnerabilities.

Details of the exploits can be found here.

Remediation steps

Type	Step
	All vendors have released or have planned patches to remediate Spectre, however the potential impact and wide range of affected platforms means that these patches are subject to change. It has been suggested that disabling speculative execution would prevent Spectre attacks, however this would significantly impact performance. Patches should be applied in the following priority based on possible impact: Hypervisors and other virtualisation or containerisation systems. Web browsers Desktop devices Personal or mobile devices All other systems should be patched using your standard process. A list of vendor information is given below. Note: this list may not be current or comprehensive. Amazon AMD Android Apple ARM CentOS Chromium Cisco Citrix Debian Dell F5 Fedora Google Google Project Zero HP Huawei IBM Intel Lenovo Linux McAffee Microsoft Microsoft Azure Mozilla NVIDIA OpenSuSE Red Hat RISC-V SuSE Synology Trend Micro Ubuntu VMware Xen Update 19 Jan 2018 The media attention surrounding the Meltdown and Spectre vulnerabilites poses an opportunity for attackers, providing new delivery vectors and social engineering methods. Fraudulent updates have been observed that claim to remediate these vulnerabilites. These patches are being used as an infection path for other malware, such as Smoke Loader, and do not fix or mitigate the vulnerabilites. It is likely that there will be further instances of this as organisations look to patch in the coming months Users are reminded that only vendor-issued patches are able to remediate Meltdown and Spectre. Update 23 Jan 2018 New guidance has been issued by Intel recommending users to cease deployment of patches related to Meltdown and Spectre. It has been discovered that these updates were causing unstable boot behaviour on affected devices and Intel has now removed all available patches until they can rectify this issue. More information can be found here. Update 01 Mar 2018 Intel have released new microcode for select Broadwell and Haswell chips. More information can be found here. Update 06 Mar 2018 Intel have confirmed a new update, scheduled for release between 14th and 16th March 2018, will prevent an SgxPectre attack. The attack can also be mitigated by the indirect branch restricted speculation (IBRS) fix provided by Intel in an update to the Spectre variant 2 mircocode. Update 27 Apr 2018 Microsoft have released two new Windows Update package (KB4091666 and KB4078407) aimed at addressing a number of Spectre-related vulnerabilities. The updates can be found at the following links: KB4091666 KB4078407 Update 17 Jul 2018 Security researchers have published an algorithm to detect processes attempting to execute Spectre attacks. Known as oo7, the researchers claim it is able to detect Spectre-based exploits with a better success rate than Microsoft's C/C++ compiler. For further information: oo7: Low-overhead Defense against Spectre Attacks research paper (Wang et al, 2018) oo7 Spectre Detection Algorithm example 17/07/2018 Update 23 Jul 2018 A group of security researcher have released a series of mitigation mechanism. The group claim the fixes, known collectively as ELFbac, address most attack using the Spectre Variant 1 exploit (CVE-2017-5753). Update 23 Aug 2018 Microsoft has released four new updates to address various Spectre variants. For further information: KB4346084 KB4346086 KB4346087 KB4346088 Update 27 Sep 2018 Intel has started to release microcode updates to address Spectre 3 and 4. Updates will usually be distributed via operating system and motherboard vendors.

Type

Step

All vendors have released or have planned patches to remediate Spectre, however the potential impact and wide range of affected platforms means that these patches are subject to change. It has been suggested that disabling speculative execution would prevent Spectre attacks, however this would significantly impact performance.

Patches should be applied in the following priority based on possible impact:

Hypervisors and other virtualisation or containerisation systems.
Web browsers
Desktop devices
Personal or mobile devices

All other systems should be patched using your standard process.

A list of vendor information is given below. Note: this list may not be current or comprehensive.

Update 19 Jan 2018

The media attention surrounding the Meltdown and Spectre vulnerabilites poses an opportunity for attackers, providing new delivery vectors and social engineering methods. Fraudulent updates have been observed that claim to remediate these vulnerabilites. These patches are being used as an infection path for other malware, such as Smoke Loader, and do not fix or mitigate the vulnerabilites. It is likely that there will be further instances of this as organisations look to patch in the coming months

Users are reminded that only vendor-issued patches are able to remediate Meltdown and Spectre.

Update 23 Jan 2018

New guidance has been issued by Intel recommending users to cease deployment of patches related to Meltdown and Spectre. It has been discovered that these updates were causing unstable boot behaviour on affected devices and Intel has now removed all available patches until they can rectify this issue.

More information can be found here.

Update 01 Mar 2018

Intel have released new microcode for select Broadwell and Haswell chips.

More information can be found here.

Update 06 Mar 2018

Intel have confirmed a new update, scheduled for release between 14th and 16th March 2018, will prevent an SgxPectre attack. The attack can also be mitigated by the indirect branch restricted speculation (IBRS) fix provided by Intel in an update to the Spectre variant 2 mircocode.

Update 27 Apr 2018

Microsoft have released two new Windows Update package (KB4091666 and KB4078407) aimed at addressing a number of Spectre-related vulnerabilities. The updates can be found at the following links:

Update 17 Jul 2018

Security researchers have published an algorithm to detect processes attempting to execute Spectre attacks. Known as oo7, the researchers claim it is able to detect Spectre-based exploits with a better success rate than Microsoft's C/C++ compiler.

For further information:

Update 23 Jul 2018

A group of security researcher have released a series of mitigation mechanism. The group claim the fixes, known collectively as ELFbac, address most attack using the Spectre Variant 1 exploit (CVE-2017-5753).

Update 23 Aug 2018

Microsoft has released four new updates to address various Spectre variants.

For further information:

Update 27 Sep 2018

Intel has started to release microcode updates to address Spectre 3 and 4. Updates will usually be distributed via operating system and motherboard vendors.

CVE Vulnerabilities

CVE-2017-5715

CVE-2018-3640

CVE-2018-3639

CVE-2018-3693

CVE-2017-5754

CVE-2017-5753

Status Published

CVE-2020-27170

Status Published

CVE-2020-27171

Last edited: 1 April 2021 3:10 pm