The Reptar vulnerability can be used to escalate privileges, gain access to sensitive information, and cause denial of service. However, at least its fixing does not require intervention at the hardware level, as was in the case of an LVI attack.

Reptar Vulnerability in Intel CPUs Allow for Privileges Escalation

The vulnerability, discovered by Intel engineers themselves, has received the identifier CVE-2023-23583 and is described as an “REX prefix issue”.

Initially, it was believed that the error could be used only to provoke a denial of service. The vulnerability received only a CVSS score of 5.5. Intel initially planned to release a patch for it in March 2024.

However, deeper analysis showed that there was a way to exploit the bug to escalate privileges. And Intel moved the release date of the patch to November 2023. As a result, the vulnerability rating was changed to 8.8 points on the CVSS scale.

Intel does not expect any non-malware software to encounter this problem in the real world. It is expected that redundant REX prefixes will not be present in the code and will not be generated by compilers.

Malicious exploitation of the Reptar issue requires the execution of arbitrary code. Also, as a part of an internal review Intel identified the possibility of privilege escalation in certain scenarios.

Systems with affected processors, including Alder Lake, Raptor Lake and Sapphire Rapids, have already received updated firmware, and these patches do not impact performance.

Other Threats to Intel Processors

The history of Windows processor problems is quite rich. We also wrote about the Snoop attack, which can stop processors. And about the Platypus attack, which could be used by attackers to steal data. And also about problems with Active Management Technology (AMT) and Intel Standard Manageability (ISM).

However, earlier this year the media also wrote about one of the most serious errors in the history of Intel processors. It was CVE-2021-39296 issue (10 out of 10 on the CVSS scale). This vulnerability affected the integrated BMC (Baseboard Management Controller) and OpenBMC firmware on several of the company’s platforms. The issue CVE-2021-39296, as its ID shows, was discovered back in 2021, but was fixed only two years later.

Are processor vulnerabilities that dangerous?

Problems with processors are usually perceived as painful due to the fact that they are everywhere. They are the basis of almost any electronic device. And an exploitable vulnerability in Intel or AMD products can make millions of users around the world dependent on the actions of attackers.

A complete list of Intel processors affected by the CVE-2023-23583 vulnerability, as well as recommendations for resolving it, are available here.

The post Reptar Vulnerability Threatens Intel Processors appeared first on Gridinsoft Blog.

The name is an acronym derived from Power Leakage Attacks: Targeting Your Protected User Secrets.

The Platypus attack and related issues are tracked as CVE-2020-8694 (Linux + Intel), CVE-2020-8695 (Intel), and CVE-2020-12912 (Linux + AMD). It should also be noted that the study was conducted as part of a project that was partially funded by Intel.

The attack relies on the Running Average Power Limit (RAPL) interface of Intel processors, that is, it uses a component that allows firmware and applications to control CPU and DRAM power consumption.

Platypus enables discovering what data is being processed internally by the CPU by looking at RAPL values and at encryption keys, passwords, confidential documents, and other data. Typically, access to such information is protected by a variety of security systems, including KASLR (kernel address space randomization) and hardware-isolated environments such as Intel SGX. But Platypus allows bypassing the defense mechanisms, simply by observing the changes in energy consumption.

In the course of tests carried out by the researchers, it was found that in 20 seconds it was possible to bypass the KASLR by observing the power consumption in RAPL, and then get the data from the Linux kernel.

In another test, it was possible to obtain data that was processed in the protected enclaves of Intel SGX. The Platypus attack was extracting RSA private keys from the SGX enclave, which required tracking RAPL data for 100 minutes. In turn, it takes between 26 and 277 hours to extract AES-NI encryption keys from the SGX enclave and from the Linux kernel memory space.

While attacks are possible on Windows and macOS devices, in these cases, the Intel Power Gadget must be installed on the target machines in order for the attackers to interact with the RAPL interface.

However, Platypus attacks targeting Intel SGX enclaves work independently from the OS.

The worst news is that the Platypus attack can be carried out remotely. The attacker does not need physical access to the target machine; instead, the malicious code can be hidden inside the application, which will only have to be somehow installed on the victim’s machine.

Platypus works against Intel desktop and server processors, according to scientists. In addition, Intel engineers said the attack also affects some mobile and embedded processors.

A list of Intel processors that are vulnerable to the Platypus attack can be found here.

Intel has already prepared updated versions of the microcode that block Platypus attacks, and the company has already distributed them to manufacturers, who will soon include patches in updates for their products. The Linux kernel was also updated.

Moreover, most of the processors that Platypus endangers are the latest models supported by both Intel and device manufacturers. That is, updates will obviously arrive soon.

Of course, the Platypus authors did not have the opportunity to test all devices available on the market for vulnerabilities. However, other manufacturers use the RAPL interface in their products, so the researchers believe that they may be at risk too.

So, one of the specialists told ZDNet reporters that the research group had conducted a number of experiments on AMD processors, and also observed data leakage through power consumption. The same problem can affect ARM-based devices, and other manufacturers, including Nvidia, Marvell and Ampere, use solutions very similar to RAPL in their products.

Let me remind you that I also talked about the SGAxe attack that endangers Intel processors and the fact that Snoop attack steals data from Intel processors.

The post Platypus attack allows stealing data from Intel processors appeared first on Gridinsoft Blog.

Till Kottmann collects accidentally dumped data from large technological companies, information from which leaks through misconfigured repositories, cloud servers and online portals.

However, Kottman faced a different kind of leak this week.

An anonymous hacker, who claims to have hacked Intel earlier this year, uploaded Mega and sent Kottman a 20GB dump containing the company’s source code and internal documents (including those marked “confidential” or “secret, not for disclosure”). The attacker assured that this is only the first part of the stolen data. Currently, the dump can be easily found on torrent trackers, file sharing and so on.

“Interestingly, among the source codes, associated with Intel Purely Refresh for Xeon processors, were found comments, containing the word ‘backdoor’, and some encrypted archives from the dump were protected by simple passwords such as ‘Intel123’ and ‘Intel123′”, — says Till Kottmann.

Although I have talked about attacks on Intel processors before, but this is the first time I’ve heard about leaks in the company.

ZDNet journalists report that they showed the dump to experts, which specialize in Intel processors, and they considered the information reliable (although they wished to remain anonymous due to the ethical side of the issue).

According to the publication’s own analysis, the leak contains Intel’s intellectual property, including one that is related to the design and construction of various chipsets.

“The files contain technical specifications, product guides, and manuals for processors dated 2016”, – according ZDNet journalists.

Most of the documents and sources are related to the Kaby Lake platform and the upcoming Tiger Lake, although a small number of documents refer to other products, including those developed by Intel for SpaceX.

It seems that the dump does not contain confidential data about customers or Intel employees, but it is not known yet, to what other information the unknown hacker could have gained access.

Till Kottman writes that the dump includes:

• Intel ME Bringup guides + (flash) tools + samples for various platforms;
• Kabylake (Purley Platform) BIOS Reference Code and Sample Code + initialization code (some exported from git repos with full history);
• Intel CEFDK (Consumer Electronics Firmware Development Kit) sources
• Silicon / FSP source codes for various platforms;
• various tools for development and debugging;
• Simics Simulation for Rocket Lake S and possibly other platforms;
• various road maps and other documentation;
• Camera driver binaries developed by Intel for SpaceX;
• schematics, documents, tools + firmware for unreleased Tiger Lake platform;
• Kabylake FDK tutorial videos;
• Intel Trace Hub + decoder files for various Intel ME versions;
• Elkhart Lake Silicon Reference and Platform Code Samples
• Verilog related data for various Xeon platforms;
• debugging of BIOS / TXE builds for various platforms;
• Bootguard SDK (encrypted zip);
• Intel Snowridge / Snowfish Process Simulator ADK;
• various schemes;
• Intel Marketing Templates (InDesign).

Intel officials said they were already investigating the situation, but denied that the company was affected by the hack. Instead, they believe that the leak could have occurred because someone got access to the Intel Resource and Design Center, downloaded confidential data from there without permission, and then share it with a Swiss researcher.

Interestingly, the attacker himself claims that he gained access to the information through an unprotected server hosted in the Akamai CDN, and not using the Intel Resource and Design Center account.

The post Intel investigates data leak: 20 GB of source codes and documents appeared first on Gridinsoft Blog.

The manufacturer also released updated microcodes for processors vulnerable to the new CrossTalk MDS problem. But CrossTalk was not limited to this, and this week it became known about another problem that also threatens Intel processors. This no less serious vulnerability is called SGAxe, and it is a variation of the speculative attack CacheOut, discovered in early 2020.

Let me remind you that CacheOut belongs to the class of vulnerabilities of Microarchitectural Data Sampling (MDS), which includes RIDL, Fallout and ZombieLoad, and rna can lead to data leakage from Intel processors, virtual machines and SGX enclaves. It’s also worth noting that CacheOut is a kind of successor to another processor problem, Foreshadow, which first used the L1 cache to extract SGX keys.

“The measures Intel took to eliminate side-channel attacks on SGX (firmware updates and new architectures) were not enough”, – said representatives of the research team that discovered CacheOut and SGAxe problems.

Due to this, exploitation of the SGAxe problem allows an attack of the transient execution type, which leads to the restoration of trusted by the Intel certification center SGX cryptographic keys.

The certification mechanism is an important part of SGX. In fact, with its help, enclaves can prove to third parties that they are correctly initialized and work on a true Intel processor. In particular, this allows making sure that the software running inside the CPU has not been superseded. Thus, extracting SGX certification keys allows attackers to pretend to be a legitimate Intel SGX machine from a cryptographic point of view.

Researchers note that the attack will work even if the SGX enclave is in standby mode, therefore, it bypasses all hardware defenses.

“If the certification keys of a machine are compromised, any secrets provided by the server can be read right away by an untrusted client host application, while all output supposedly created by client-side enclaves cannot be considered reliable. In fact, it makes all SGX-based DRM applications useless, as any secret can be easily restored”, — experts explain.

A complete list of processors for which SGAxe is dangerous has been published by Intel Product Security Incident Response Team (PSIRT) and can be seen here.

Although Intel have already released fixes for the CacheOut problem in January, now it is planned that Intel will update the microcode again to protect against CacheOut and SGAxe and address the root cause of these vulnerabilities.

The company will also restore the Trusted Compute Base (TCB), which will invalidate all previously signed and compiled certification keys.

“This process ensures that your system is in a safe mode and can reuse remote certification”, — write the researchers.

Let me remind you that we talked about the attacks of Snoop and Load Value Injection, which also possess serious threats to Intel.

The post SGAxe attack endangers Intel processors appeared first on Gridinsoft Blog.

Last week, Intel and AMD equalized number of discovered vulnerabilities, but as we will see right now, Intel processors are breaking ahead.

“The Snoop attack uses processor mechanisms such as a multilevel cache, cache consistency (coherence), and bus tracking”, – says Pawel Wieczorkiewicz.

Currently, most processors have a multi level cache memory, where data is stored during processing by the processor. Depending on the characteristics of the CPU, the cache can be single-level (L1), two-level (L2), or even three-level (L3). The most commonly used level is L1, which is divided into two. One section (L1D) is used to process user data, and the second (L1I) is used to process the instruction code of the CPU itself.

Due to its multi-core architecture and multi-level cache, data is usually stored simultaneously in several processor caches and even in RAM. Cache consistency is the process of synchronizing all levels of the cache in such a way that the same data is stored in L1, L2 and RAM as in L1D – the place where they begin to change.

Bus tracking is an operation in which the CPU updates all cache levels when data begins to change in L1D.

“Under certain conditions, malicious code can interfere with the process of monitoring the bus and cause errors that could lead to data leakage from the cache consistency process, namely, data that has been currently changed in L1D “, — found out Pawel Wieczorkiewicz.

However, unlike Meltdown and Specter, Snoop does not allow stealing large amounts of data. In addition, according to Intel, it is difficult to provide necessary conditions for an attack.

The engineer notified Intel about the problem, however, after examining the vulnerability, the company’s specialists concluded that the patch for the Foreshadow vulnerability (L1TF), released in 2018, also fixes it. A list of vulnerable Intel processors can be found here.

The post Snoop attack steals data from Intel processors appeared first on Gridinsoft Blog.

A team of scientists from the Worcester Polytechnic Institute, Graz Technical University, the University of Michigan, the University of Adelaide, as well as Bitdefender experts, spoke about a new problem that threatens Intel processors (a list of affected processors can be seen here).

The new attacks are called Load Value Injection (LVI), and although Intel engineers have already released software patches, a complete fix to these problems is not possible – in the future, the company’s processors will require hardware changes.

LVI attacks are to the certain extend “heritage” of the sensational vulnerabilities Meltdown and Specter, emerged in 2018, starting from which experts have identified many other side-channel problems, including Spoiler, RIDL, Fallout and ZombieLoad, ZombieLoad 2, NetCAT, TPM -FAIL, Plundervolt.

As experts explain, LVI is a reversed Meltdown. Therefore, if the Meltdown problem allowed attackers to extract application data in the CPU memory, then LVI attacks allow injecting code into the CPU and execute it as a transient operation, which gives the attacker control over the situation.

Tests, successfully performed by two research groups that discovered the LVI problem independently of each other, prove the wide range of effects of the new threat. For example, scientists focused on issues of data leaks (encryption keys) from Intel SGX enclaves, while Bitdefender engineers focused on attacks on cloud environments.

“This type of attack is especially damaging in common environments, such as corporate workstations or servers in data centers, where one tenant with small privileges can merge sensitive information from a more privileged user or from another virtual environment on top of the hypervisor”, — Bitdefender writes.

Let me remind you that in January 2018, when the details of the Meltdown vulnerability were revealed, Intel announced that only a firmware update would be required to fix it, while hardware corrections were needed to eliminate the Specter threat. Now researchers write that everything has changed: from now on, the class of attacks Meltdown and LVI also require hardware patches and software patches are no longer enough.

The researchers explained that in order to implement their attacks, they relied on the same hardware operations as Meltdown, which means that while Meltdown is running, LVI attacks will work. Moreover, LVI attacks were successfully tested on systems that received all patches for protection against Meltdown, that is, existing patches do not always successfully block new versions of Meltdown attacks.

Current demonstrations of LVI attacks are based on running malicious code directly on the target computer, i.e. it is assumed that the attacker already has local access. Nevertheless, a remote attack using JavaScript is also possible, and for this, it is enough to trick the user into a malicious site (similar to the original Meltdown attack). In practice, researchers have not yet tested the vector of attacks using JavaScript, but they claim that theoretically this should work.

“However, LVI attacks would be difficult to implement in practice, especially if to compare them with other attacks on third-party channels (MDS, L1TF, SWAPGS). Currently, LVI attacks are seen as theoretical rather than direct threat to users right now”, – reassure IS experts.

However, in the future, as information security researchers discover more problems and learn more about how processors actually work, the current CPU design may be considered unsafe.

Currently, real tests have confirmed that LVI attacks pose a threat to Intel processors, but researchers do not exclude that AMD and ARM solutions, as well as any processors that are vulnerable to Meltdown data leaks, can also be prone to a new problem.

In addition, it is reported that according to preliminary tests, already released Intel software patches seriously affect performance. Therefore, installing patches can reduce performance from 2 to 19 times.

The post Intel processors need hardware fixes due to new LVI attack appeared first on Gridinsoft Blog.