Experts discovered a new
The flaw could be exploited by
Speculative execution is a core component of modern microprocessors, designed to improve performance; unfortunately, it can also lead to information disclosure.
“An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries.” reads the advisory published by Microsoft.
“To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to elevate user rights directly, but it could be used to obtain information that could be used to try to compromise the affected system further.”
“This vulnerability, released on August 6, 2019, is a variant of the Variant 1 speculative execution side channel vulnerability and has been assigned CVE-2019-1125.”
Red Hat also published a security update related to the additional Spectre-V1 like
The flaws could allow an unprivileged local attacker to bypass conventional memory protections and gain read access to privileged memory.
The attack relies on speculatively executing unexpected SWAPGS instructions after a branch gets
The “SWAPGS” instruction is used to implement the transition from user space to kernel space; it establishes the convention by which the kernel locates its own data, such as the kernel stack.
“The SWAPGS instruction is a primitive instruction and does not validate the correctness of the values it uses. There are cases where the system may enter kernel code but may not require the swap or may re-enter kernel mode when already running in kernel mode.”
“Due to these cases, there are checks within the kernel entry code where conditional branches test to determine if the swap is necessary. As a result, it is possible that these conditional branches in the Linux kernel entry code may mis-speculate into code that will not perform the SWAPGS, resulting in a window of speculative execution during which the wrong GS is used for dependent memory operations. A typical
The SWAPGS Attack allows bypassing all known
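On Linux, the kernel reports the status of the SWAPGS fix for CVE-2019-1125 through the same sysfs interface it uses for the other speculative-execution issues, so a defender can verify from user space whether a host actually carries the mitigation. The following checker is an added example (not code from the article, Microsoft or Red Hat); the sysfs path and the "swapgs barriers" wording are those used by the upstream kernel, the coarse status labels and the sample report contents are constructed here.

```python
# Added example (not code from the article, Microsoft or Red Hat): check what a
# Linux kernel reports about the SWAPGS fix for CVE-2019-1125 via sysfs. The
# status lives in the spectre_v1 entry; sample reports below are constructed.
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def swapgs_mitigated(spectre_v1_report: str) -> bool:
    """True only if spectre_v1 reports a Mitigation that includes swapgs barriers."""
    line = spectre_v1_report.strip()
    return line.startswith("Mitigation:") and "swapgs barriers" in line

def classify(report: str) -> str:
    """Map one sysfs vulnerability report to a coarse status."""
    line = report.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    return "vulnerable"  # 'Vulnerable', 'Vulnerable: ...' or unknown text

def assess(reports: dict) -> dict:
    """Classify every report and add a dedicated 'swapgs' verdict."""
    result = {name: classify(text) for name, text in reports.items()}
    v1 = reports.get("spectre_v1")
    if v1 is None:
        result["swapgs"] = "unknown"  # kernel predates the report, or not x86
    else:
        result["swapgs"] = "mitigated" if swapgs_mitigated(v1) else "vulnerable"
    return result

def read_sysfs_reports(directory: Path = VULN_DIR) -> dict:
    """Read every report file under the sysfs vulnerabilities directory."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text() for p in directory.iterdir() if p.is_file()}

# Constructed samples: a kernel without the SWAPGS fix and one with it.
SAMPLE_UNPATCHED = {"spectre_v1": "Vulnerable: __user pointer sanitization and "
                                  "usercopy barriers only; no swapgs barriers\n"}
SAMPLE_PATCHED = {"spectre_v1": "Mitigation: usercopy/swapgs barriers and "
                                "__user pointer sanitization\n",
                  "meltdown": "Not affected\n"}

if __name__ == "__main__":
    print(assess(read_sysfs_reports()) or "no sysfs vulnerability reports found")
```

A kernel that predates the fix may still print "Mitigation: __user pointer sanitization" for spectre_v1, which is why the check requires the swapgs wording rather than the Mitigation prefix alone.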
(SecurityAffairs – SWAPGS attack, hacking)