Critical chip flaw affects Intel, AMD and ARM

Google’s Project Zero researchers have broken an agreed embargo to lay bare details of a serious CPU vulnerability affecting multiple chipmakers’ products and the devices and operating systems running on them.

The early disclosure - the first confirmed details of the security issue - came as speculation heightened of a massive CPU hardware bug that was initially thought to only affect Intel products.

It has now become clear that chips from AMD and ARM are also affected, albeit to varying degrees.

Google today revealed that Project Zero researcher Jann Horn mid-last year had uncovered “serious security flaws caused by ‘speculative execution’, a technique used by most modern processors to optimise performance".

Horn said Google built proof-of-concepts for problems that were exposed in earlier academic work by researchers affiliated with institutions in Austria, the US and Australia, and some private firms.

That earlier work uncovered two "critical vulnerabilities" in processors - codenamed Meltdown and Spectre. While Meltdown can be patched, no such fixes "currently exist for Spectre," the Australian-based, University of Adelaide and Data 61-affiliated researcher, Dr Yuval Yarom, said.

Google’s PoC discoveries take advantage of these vulnerabilities. They were disclosed to the three chipmakers by Google researchers in June last year.

Horn “demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible”, Google said.

“For example, an unauthorised party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications,” Google said.

“Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.”

The full Google report continues to be withheld - the company noted an “originally coordinated disclosure date of January 9, 2018” had been set for the release of details of the potential exploits of the vulnerability.

However, rising speculation about the severity of the issue - including potential performance impacts on servers and public cloud environments - forced it to go public sooner.

Those performance issues - currently benchmarked in the single and double-digits, depending on configuration and workload - are expected to particularly hit cloud and HPC users, however the full impact won't be known until further details are released.

“The full Project Zero report is forthcoming,” it said.

Public cloud providers AWS and Microsoft have scheduled reboots to address the problem over the course of the next few days.

"The majority of Azure infrastructure has already been updated to address this vulnerability, [but] some aspects of Azure are still being updated and require a reboot of customer VMs for the security update to take effect," Microsoft said, adding it would bring forward its plans now the vulnerability had been made public.

AWS similarly said that "all but a small single-digit percentage of instances across [its] Amazon EC2 fleet are already protected."

"The remaining ones will be completed in the next several hours, with associated instance maintenance notifications," it said today.

"While the updates AWS performs protect underlying infrastructure, in order to be fully protected against these issues, customers must also patch their instance operating systems."

Google said it had already put in place mitigations in its own systems, and was collaborating with hardware and software manufacturers across to "help protect their users and the broader web".

“These efforts have included collaborative analysis and the development of novel mitigations,” it said.

It was the inclusion of some of these mitigations in beta updates of major operating systems that brought the issue into the public domain ahead of the planned embargo.

Google’s statement came after chipmakers confirmed that their products were affected, to varying degrees.

Intel denied that “a ‘bug’ or a ‘flaw’” in its products was the root cause of the issue - as had been earlier suspected - arguing instead that its products, and the devices they were incorporated into, were simply “operating as designed".

It said it had begun providing software and firmware updates to mitigate the exploits, but played down their severity.

“Intel believes these exploits do not have the potential to corrupt, modify or delete data,” it said.

Both AMD and ARM are reported to have released statements advising of their level of exposure to the flaw. iTnews has contacted AMD for comment; ARM has published a list of affected cores here.

Horn said his team had exploits that worked against real software for a few Intel and AMD CPU models.

There are three known variants of the issue, known as CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754.

Horn said the chipmakers were best-placed to mitigate against the vulnerability, as they could do more than speculate on how the “hardware internals” of their products operated.

“We have some ideas on possible mitigations and provided some of those ideas to the processor vendors; however, we believe that the processor vendors are in a much better position than we are to design and evaluate mitigations, and we expect them to be the source of authoritative guidance,” Horn said.

US CERT said in an advisory that while operating system updates could "mitigate the underlying hardware vulnerability", there was only one way to make sure Spectre - in particular - caused no ongoing issue.

"The underlying vulnerability is primarily caused by CPU architecture design choices," it said.

"Fully removing the vulnerability requires replacing vulnerable CPU hardware."