Intel Processors Archives – Gridinsoft Blog Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Thu, 16 Nov 2023 10:03:35 +0000 en-US hourly 1 https://wordpress.org/?v=72353 200474804 Reptar Vulnerability Threatens Intel Processors https://gridinsoft.com/blogs/reptar-vulnerability-intel-processors/ https://gridinsoft.com/blogs/reptar-vulnerability-intel-processors/#respond Thu, 16 Nov 2023 10:03:35 +0000 https://gridinsoft.com/blogs/?p=17711 Intel has fixed a serious Reptar vulnerability in various processors for desktops, servers, mobile devices and embedded systems. This has also proven to be a problem for the latest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures. The Reptar vulnerability can be used to escalate privileges, gain access to sensitive information, and cause denial of… Continue reading Reptar Vulnerability Threatens Intel Processors

The post Reptar Vulnerability Threatens Intel Processors appeared first on Gridinsoft Blog.

]]>
Intel has fixed a serious Reptar vulnerability in various processors for desktops, servers, mobile devices and embedded systems. This has also proven to be a problem for the latest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures.

The Reptar vulnerability can be used to escalate privileges, gain access to sensitive information, and cause denial of service. However, at least its fixing does not require intervention at the hardware level, as was in the case of an LVI attack.

Reptar Vulnerability in Intel CPUs Allow for Privileges Escalation

The vulnerability, discovered by Intel engineers themselves, has received the identifier CVE-2023-23583 and is described as an “REX prefix issue”.

Reptar vulnerability in Intel: REX prefix

Initially, it was believed that the error could be used only to provoke a denial of service. The vulnerability received only a CVSS score of 5.5. Intel initially planned to release a patch for it in March 2024.

However, deeper analysis showed that there was a way to exploit the bug to escalate privileges. And Intel moved the release date of the patch to November 2023. As a result, the vulnerability rating was changed to 8.8 points on the CVSS scale.

Under certain circumstances, unusual cases have been identified on Intel microarchitectures. Executing an instruction (REP MOVSB) encoded with a redundant REX prefix may result in unpredictable system behavior. And also cause a critical crash or freeze. And in some scenarios – to increase privileges from CPL3 to CPL0.Intel engineers report.

Intel does not expect any non-malware software to encounter this problem in the real world. It is expected that redundant REX prefixes will not be present in the code and will not be generated by compilers.

Malicious exploitation of the Reptar issue requires the execution of arbitrary code. Also, as a part of an internal review Intel identified the possibility of privilege escalation in certain scenarios.

Systems with affected processors, including Alder Lake, Raptor Lake and Sapphire Rapids, have already received updated firmware, and these patches do not impact performance.

Other Threats to Intel Processors

The history of Windows processor problems is quite rich. We also wrote about the Snoop attack, which can stop processors. And about the Platypus attack, which could be used by attackers to steal data. And also about problems with Active Management Technology (AMT) and Intel Standard Manageability (ISM).

However, earlier this year the media also wrote about one of the most serious errors in the history of Intel processors. It was CVE-2021-39296 issue (10 out of 10 on the CVSS scale). This vulnerability affected the integrated BMC (Baseboard Management Controller) and OpenBMC firmware on several of the company’s platforms. The issue CVE-2021-39296, as its ID shows, was discovered back in 2021, but was fixed only two years later.

Are processor vulnerabilities that dangerous?

Problems with processors are usually perceived as painful due to the fact that they are everywhere. They are the basis of almost any electronic device. And an exploitable vulnerability in Intel or AMD products can make millions of users around the world dependent on the actions of attackers.

A complete list of Intel processors affected by the CVE-2023-23583 vulnerability, as well as recommendations for resolving it, are available here.

The post Reptar Vulnerability Threatens Intel Processors appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/reptar-vulnerability-intel-processors/feed/ 0 17711
Platypus attack allows stealing data from Intel processors https://gridinsoft.com/blogs/platypus-attack-allows-stealing-data-from-intel-processors/ https://gridinsoft.com/blogs/platypus-attack-allows-stealing-data-from-intel-processors/#respond Thu, 12 Nov 2020 00:01:51 +0000 https://blog.gridinsoft.com/?p=4688 A group of scientists from the Technical University of Graz (Austria), the University of Birmingham, and the Helmholtz Center for Information Security in Germany (CISPA) have revealed details of a new Platypus attack that allows stealing data from Intel processors. The name is an acronym derived from Power Leakage Attacks: Targeting Your Protected User Secrets.… Continue reading Platypus attack allows stealing data from Intel processors

The post Platypus attack allows stealing data from Intel processors appeared first on Gridinsoft Blog.

]]>
A group of scientists from the Technical University of Graz (Austria), the University of Birmingham, and the Helmholtz Center for Information Security in Germany (CISPA) have revealed details of a new Platypus attack that allows stealing data from Intel processors.

The name is an acronym derived from Power Leakage Attacks: Targeting Your Protected User Secrets.

The Platypus attack and related issues are tracked as CVE-2020-8694 (Linux + Intel), CVE-2020-8695 (Intel), and CVE-2020-12912 (Linux + AMD). It should also be noted that the study was conducted as part of a project that was partially funded by Intel.

The attack relies on the Running Average Power Limit (RAPL) interface of Intel processors, that is, it uses a component that allows firmware and applications to control CPU and DRAM power consumption.

Basically, RAPL provides insight into how much power a processor uses to accomplish specific tasks, and this system has been used for years to track and optimize application and hardware performance.say the researchers.

Platypus enables discovering what data is being processed internally by the CPU by looking at RAPL values and at encryption keys, passwords, confidential documents, and other data. Typically, access to such information is protected by a variety of security systems, including KASLR (kernel address space randomization) and hardware-isolated environments such as Intel SGX. But Platypus allows bypassing the defense mechanisms, simply by observing the changes in energy consumption.

In the course of tests carried out by the researchers, it was found that in 20 seconds it was possible to bypass the KASLR by observing the power consumption in RAPL, and then get the data from the Linux kernel.

In another test, it was possible to obtain data that was processed in the protected enclaves of Intel SGX. The Platypus attack was extracting RSA private keys from the SGX enclave, which required tracking RAPL data for 100 minutes. In turn, it takes between 26 and 277 hours to extract AES-NI encryption keys from the SGX enclave and from the Linux kernel memory space.

Platypus works best against Linux systems. This is because the Linux kernel comes with the powercap framework, a generic driver for interacting with RAPL and other APIs to track power consumption changes.say the researchers.

While attacks are possible on Windows and macOS devices, in these cases, the Intel Power Gadget must be installed on the target machines in order for the attackers to interact with the RAPL interface.

However, Platypus attacks targeting Intel SGX enclaves work independently from the OS.

The worst news is that the Platypus attack can be carried out remotely. The attacker does not need physical access to the target machine; instead, the malicious code can be hidden inside the application, which will only have to be somehow installed on the victim’s machine.

Platypus works against Intel desktop and server processors, according to scientists. In addition, Intel engineers said the attack also affects some mobile and embedded processors.

A list of Intel processors that are vulnerable to the Platypus attack can be found here.

Intel has already prepared updated versions of the microcode that block Platypus attacks, and the company has already distributed them to manufacturers, who will soon include patches in updates for their products. The Linux kernel was also updated.

Our team is unaware of actual attacks using Platypus.emphasize Intel representatives.

Moreover, most of the processors that Platypus endangers are the latest models supported by both Intel and device manufacturers. That is, updates will obviously arrive soon.

Of course, the Platypus authors did not have the opportunity to test all devices available on the market for vulnerabilities. However, other manufacturers use the RAPL interface in their products, so the researchers believe that they may be at risk too.

So, one of the specialists told ZDNet reporters that the research group had conducted a number of experiments on AMD processors, and also observed data leakage through power consumption. The same problem can affect ARM-based devices, and other manufacturers, including Nvidia, Marvell and Ampere, use solutions very similar to RAPL in their products.

Let me remind you that I also talked about the SGAxe attack that endangers Intel processors and the fact that Snoop attack steals data from Intel processors.

The post Platypus attack allows stealing data from Intel processors appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/platypus-attack-allows-stealing-data-from-intel-processors/feed/ 0 4688
Intel investigates data leak: 20 GB of source codes and documents https://gridinsoft.com/blogs/intel-investigates-data-leak-20-gb-of-source-codes-and-documents/ https://gridinsoft.com/blogs/intel-investigates-data-leak-20-gb-of-source-codes-and-documents/#respond Fri, 07 Aug 2020 16:21:50 +0000 https://blog.gridinsoft.com/?p=4164 Swiss programmer Till Kottmann has been studying various dumps in the public domain for a long time and it looks like he found something interesting, so now the IT giant Intel is investigating the data leak. Till Kottmann collects accidentally dumped data from large technological companies, information from which leaks through misconfigured repositories, cloud servers… Continue reading Intel investigates data leak: 20 GB of source codes and documents

The post Intel investigates data leak: 20 GB of source codes and documents appeared first on Gridinsoft Blog.

]]>
Swiss programmer Till Kottmann has been studying various dumps in the public domain for a long time and it looks like he found something interesting, so now the IT giant Intel is investigating the data leak.

Till Kottmann collects accidentally dumped data from large technological companies, information from which leaks through misconfigured repositories, cloud servers and online portals.

However, Kottman faced a different kind of leak this week.

An anonymous hacker, who claims to have hacked Intel earlier this year, uploaded Mega and sent Kottman a 20GB dump containing the company’s source code and internal documents (including those marked “confidential” or “secret, not for disclosure”). The attacker assured that this is only the first part of the stolen data. Currently, the dump can be easily found on torrent trackers, file sharing and so on.

“Interestingly, among the source codes, associated with Intel Purely Refresh for Xeon processors, were found comments, containing the word ‘backdoor’, and some encrypted archives from the dump were protected by simple passwords such as ‘Intel123’ and ‘Intel123′”, — says Till Kottmann.

Although I have talked about attacks on Intel processors before, but this is the first time I’ve heard about leaks in the company.

ZDNet journalists report that they showed the dump to experts, which specialize in Intel processors, and they considered the information reliable (although they wished to remain anonymous due to the ethical side of the issue).

According to the publication’s own analysis, the leak contains Intel’s intellectual property, including one that is related to the design and construction of various chipsets.

“The files contain technical specifications, product guides, and manuals for processors dated 2016”, – according ZDNet journalists.

Most of the documents and sources are related to the Kaby Lake platform and the upcoming Tiger Lake, although a small number of documents refer to other products, including those developed by Intel for SpaceX.

Intel investigates data leak

It seems that the dump does not contain confidential data about customers or Intel employees, but it is not known yet, to what other information the unknown hacker could have gained access.

Till Kottman writes that the dump includes:

  • Intel ME Bringup guides + (flash) tools + samples for various platforms;
  • Kabylake (Purley Platform) BIOS Reference Code and Sample Code + initialization code (some exported from git repos with full history);
  • Intel CEFDK (Consumer Electronics Firmware Development Kit) sources
  • Silicon / FSP source codes for various platforms;
  • various tools for development and debugging;
  • Simics Simulation for Rocket Lake S and possibly other platforms;
  • various road maps and other documentation;
  • Camera driver binaries developed by Intel for SpaceX;
  • schematics, documents, tools + firmware for unreleased Tiger Lake platform;
  • Kabylake FDK tutorial videos;
  • Intel Trace Hub + decoder files for various Intel ME versions;
  • Elkhart Lake Silicon Reference and Platform Code Samples
  • Verilog related data for various Xeon platforms;
  • debugging of BIOS / TXE builds for various platforms;
  • Bootguard SDK (encrypted zip);
  • Intel Snowridge / Snowfish Process Simulator ADK;
  • various schemes;
  • Intel Marketing Templates (InDesign).

Intel officials said they were already investigating the situation, but denied that the company was affected by the hack. Instead, they believe that the leak could have occurred because someone got access to the Intel Resource and Design Center, downloaded confidential data from there without permission, and then share it with a Swiss researcher.

Interestingly, the attacker himself claims that he gained access to the information through an unprotected server hosted in the Akamai CDN, and not using the Intel Resource and Design Center account.

Intel investigates data leak
Kottman’s correspondence with the hacker

The post Intel investigates data leak: 20 GB of source codes and documents appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/intel-investigates-data-leak-20-gb-of-source-codes-and-documents/feed/ 0 4164
SGAxe attack endangers Intel processors https://gridinsoft.com/blogs/sgaxe-attack-endangers-intel-processors/ https://gridinsoft.com/blogs/sgaxe-attack-endangers-intel-processors/#respond Thu, 11 Jun 2020 16:06:23 +0000 https://blog.gridinsoft.com/?p=3916 As part of the June “Update Tuesday,” Intel fixed more than 20 different vulnerabilities in its products, including the SGAxe bug, which endangers several Intel processors. The manufacturer also released updated microcodes for processors vulnerable to the new CrossTalk MDS problem. But CrossTalk was not limited to this, and this week it became known about… Continue reading SGAxe attack endangers Intel processors

The post SGAxe attack endangers Intel processors appeared first on Gridinsoft Blog.

]]>
As part of the June “Update Tuesday,” Intel fixed more than 20 different vulnerabilities in its products, including the SGAxe bug, which endangers several Intel processors.

The manufacturer also released updated microcodes for processors vulnerable to the new CrossTalk MDS problem. But CrossTalk was not limited to this, and this week it became known about another problem that also threatens Intel processors. This no less serious vulnerability is called SGAxe, and it is a variation of the speculative attack CacheOut, discovered in early 2020.

Let me remind you that CacheOut belongs to the class of vulnerabilities of Microarchitectural Data Sampling (MDS), which includes RIDL, Fallout and ZombieLoad, and rna can lead to data leakage from Intel processors, virtual machines and SGX enclaves. It’s also worth noting that CacheOut is a kind of successor to another processor problem, Foreshadow, which first used the L1 cache to extract SGX keys.

“The measures Intel took to eliminate side-channel attacks on SGX (firmware updates and new architectures) were not enough”, – said representatives of the research team that discovered CacheOut and SGAxe problems.

Due to this, exploitation of the SGAxe problem allows an attack of the transient execution type, which leads to the restoration of trusted by the Intel certification center SGX cryptographic keys.

SGAxe endangers Intel processors

The certification mechanism is an important part of SGX. In fact, with its help, enclaves can prove to third parties that they are correctly initialized and work on a true Intel processor. In particular, this allows making sure that the software running inside the CPU has not been superseded. Thus, extracting SGX certification keys allows attackers to pretend to be a legitimate Intel SGX machine from a cryptographic point of view.

Researchers note that the attack will work even if the SGX enclave is in standby mode, therefore, it bypasses all hardware defenses.

“If the certification keys of a machine are compromised, any secrets provided by the server can be read right away by an untrusted client host application, while all output supposedly created by client-side enclaves cannot be considered reliable. In fact, it makes all SGX-based DRM applications useless, as any secret can be easily restored”, — experts explain.

A complete list of processors for which SGAxe is dangerous has been published by Intel Product Security Incident Response Team (PSIRT) and can be seen here.

Although Intel have already released fixes for the CacheOut problem in January, now it is planned that Intel will update the microcode again to protect against CacheOut and SGAxe and address the root cause of these vulnerabilities.

The company will also restore the Trusted Compute Base (TCB), which will invalidate all previously signed and compiled certification keys.

“This process ensures that your system is in a safe mode and can reuse remote certification”, — write the researchers.

Let me remind you that we talked about the attacks of Snoop and Load Value Injection, which also possess serious threats to Intel.

The post SGAxe attack endangers Intel processors appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/sgaxe-attack-endangers-intel-processors/feed/ 0 3916
Snoop attack steals data from Intel processors https://gridinsoft.com/blogs/snoop-attack-steals-data-from-intel-processors/ https://gridinsoft.com/blogs/snoop-attack-steals-data-from-intel-processors/#respond Tue, 17 Mar 2020 16:38:14 +0000 https://blog.gridinsoft.com/?p=3572 Amazon Web Services (AWS) software engineer Pawel Wieczorkiewicz discovered another vulnerability in Intel processors that allows stealing data from the internal memory of the CPU. Discovered by Wieczorkiewicz attack was called Snoop-assisted L1 Data Sampling or simply Snoop. Last week, Intel and AMD equalized number of discovered vulnerabilities, but as we will see right now,… Continue reading Snoop attack steals data from Intel processors

The post Snoop attack steals data from Intel processors appeared first on Gridinsoft Blog.

]]>
Amazon Web Services (AWS) software engineer Pawel Wieczorkiewicz discovered another vulnerability in Intel processors that allows stealing data from the internal memory of the CPU. Discovered by Wieczorkiewicz attack was called Snoop-assisted L1 Data Sampling or simply Snoop.

Last week, Intel and AMD equalized number of discovered vulnerabilities, but as we will see right now, Intel processors are breaking ahead.

“The Snoop attack uses processor mechanisms such as a multilevel cache, cache consistency (coherence), and bus tracking”, – says Pawel Wieczorkiewicz.

Currently, most processors have a multi level cache memory, where data is stored during processing by the processor. Depending on the characteristics of the CPU, the cache can be single-level (L1), two-level (L2), or even three-level (L3). The most commonly used level is L1, which is divided into two. One section (L1D) is used to process user data, and the second (L1I) is used to process the instruction code of the CPU itself.

Due to its multi-core architecture and multi-level cache, data is usually stored simultaneously in several processor caches and even in RAM. Cache consistency is the process of synchronizing all levels of the cache in such a way that the same data is stored in L1, L2 and RAM as in L1D – the place where they begin to change.

Bus tracking is an operation in which the CPU updates all cache levels when data begins to change in L1D.

“Under certain conditions, malicious code can interfere with the process of monitoring the bus and cause errors that could lead to data leakage from the cache consistency process, namely, data that has been currently changed in L1D “, — found out Pawel Wieczorkiewicz.

However, unlike Meltdown and Specter, Snoop does not allow stealing large amounts of data. In addition, according to Intel, it is difficult to provide necessary conditions for an attack.

The engineer notified Intel about the problem, however, after examining the vulnerability, the company’s specialists concluded that the patch for the Foreshadow vulnerability (L1TF), released in 2018, also fixes it. A list of vulnerable Intel processors can be found here.

The post Snoop attack steals data from Intel processors appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/snoop-attack-steals-data-from-intel-processors/feed/ 0 3572
Intel processors need hardware fixes due to new LVI attack https://gridinsoft.com/blogs/intel-processors-need-hardware-fixes-due-to-new-lvi-attack/ https://gridinsoft.com/blogs/intel-processors-need-hardware-fixes-due-to-new-lvi-attack/#respond Wed, 11 Mar 2020 16:52:58 +0000 https://blog.gridinsoft.com/?p=3550 Security experts discovered a new attack on Intel processors called Load Value Injection (LVI). This claim is not an attempt to to balance yesterday’s news about vulnerabilities in the processors of Intel’s rival AMD. Indeed, the news came one after another. A team of scientists from the Worcester Polytechnic Institute, Graz Technical University, the University… Continue reading Intel processors need hardware fixes due to new LVI attack

The post Intel processors need hardware fixes due to new LVI attack appeared first on Gridinsoft Blog.

]]>
Security experts discovered a new attack on Intel processors called Load Value Injection (LVI). This claim is not an attempt to to balance yesterday’s news about vulnerabilities in the processors of Intel’s rival AMD. Indeed, the news came one after another.

A team of scientists from the Worcester Polytechnic Institute, Graz Technical University, the University of Michigan, the University of Adelaide, as well as Bitdefender experts, spoke about a new problem that threatens Intel processors (a list of affected processors can be seen here).

The new attacks are called Load Value Injection (LVI), and although Intel engineers have already released software patches, a complete fix to these problems is not possible – in the future, the company’s processors will require hardware changes.

LVI attacks are to the certain extend “heritage” of the sensational vulnerabilities Meltdown and Specter, emerged in 2018, starting from which experts have identified many other side-channel problems, including Spoiler, RIDL, Fallout and ZombieLoad, ZombieLoad 2, NetCAT, TPM -FAIL, Plundervolt.

As experts explain, LVI is a reversed Meltdown. Therefore, if the Meltdown problem allowed attackers to extract application data in the CPU memory, then LVI attacks allow injecting code into the CPU and execute it as a transient operation, which gives the attacker control over the situation.

Tests, successfully performed by two research groups that discovered the LVI problem independently of each other, prove the wide range of effects of the new threat. For example, scientists focused on issues of data leaks (encryption keys) from Intel SGX enclaves, while Bitdefender engineers focused on attacks on cloud environments.

“This type of attack is especially damaging in common environments, such as corporate workstations or servers in data centers, where one tenant with small privileges can merge sensitive information from a more privileged user or from another virtual environment on top of the hypervisor”, — Bitdefender writes.

Let me remind you that in January 2018, when the details of the Meltdown vulnerability were revealed, Intel announced that only a firmware update would be required to fix it, while hardware corrections were needed to eliminate the Specter threat. Now researchers write that everything has changed: from now on, the class of attacks Meltdown and LVI also require hardware patches and software patches are no longer enough.

The researchers explained that in order to implement their attacks, they relied on the same hardware operations as Meltdown, which means that while Meltdown is running, LVI attacks will work. Moreover, LVI attacks were successfully tested on systems that received all patches for protection against Meltdown, that is, existing patches do not always successfully block new versions of Meltdown attacks.

Current demonstrations of LVI attacks are based on running malicious code directly on the target computer, i.e. it is assumed that the attacker already has local access. Nevertheless, a remote attack using JavaScript is also possible, and for this, it is enough to trick the user into a malicious site (similar to the original Meltdown attack). In practice, researchers have not yet tested the vector of attacks using JavaScript, but they claim that theoretically this should work.

“However, LVI attacks would be difficult to implement in practice, especially if to compare them with other attacks on third-party channels (MDS, L1TF, SWAPGS). Currently, LVI attacks are seen as theoretical rather than direct threat to users right now”, – reassure IS experts.

However, in the future, as information security researchers discover more problems and learn more about how processors actually work, the current CPU design may be considered unsafe.

Currently, real tests have confirmed that LVI attacks pose a threat to Intel processors, but researchers do not exclude that AMD and ARM solutions, as well as any processors that are vulnerable to Meltdown data leaks, can also be prone to a new problem.

In addition, it is reported that according to preliminary tests, already released Intel software patches seriously affect performance. Therefore, installing patches can reduce performance from 2 to 19 times.

The post Intel processors need hardware fixes due to new LVI attack appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/intel-processors-need-hardware-fixes-due-to-new-lvi-attack/feed/ 0 3550