A team of security researchers has discovered a new Spectre attack that can be launched over the network, unlike all other Spectre variants that require some form of local code execution on the target system.
Dubbed “NetSpectre,” the new remote side-channel attack, which is related to Spectre variant 1, abuses speculative execution to perform bounds-check bypass and can be used to defeat address-space layout randomization on the remote system.
If you’re unaware, the original Spectre Variant 1 flaw (CVE-2017-5753), which was reported earlier this year along with other Spectre and Meltdown flaws, leverages speculative stores to create speculative buffer overflows in the CPU store cache.
Speculative execution is a core component of modern processor design: the processor executes instructions ahead of time based on assumptions that are considered likely to be true. If the assumptions turn out to be valid, execution continues; if not, the speculatively executed work is discarded.
This issue could allow an attacker to write and execute malicious code that could potentially be exploited to extract data from previously-secured CPU memory, including passwords, cryptographic keys, and other sensitive information.
Instead of relying on a covert cache channel, the researchers demonstrated the NetSpectre attack using an AVX-based covert channel, which allowed them to capture data from the target system at a slow rate of 60 bits per hour.
“As our NetSpectre attack is mounted over the network, the victim device requires a network interface an attacker can reach. The attacker must be able to send a large number of network packets to the victim,” the team said in its paper.
The NetSpectre attack could allow attackers to read arbitrary memory from systems available on the network that contain the required Spectre gadgets: code that performs operations like reading through an array in a loop with a bounds check on each iteration.
“Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory,” the researchers said.
To do so, all a remote attacker needs to do is send a series of crafted requests to the target machine and measure the response time to leak a secret value from the machine’s memory.
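As an added defender's example, not code from the paper or from Intel's white paper: the bounds-checked array read that the article describes as a Spectre gadget, beside a hardened form that masks the index so the load cannot reach beyond the array even while the bounds check is being mis-predicted. The masking technique is modelled on the Linux kernel's array_index_nospec; the array contents and function names are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed sample data: a small array reachable by an attacker-controlled
 * index. In a real program, bytes beyond it could be sensitive. */
#define PUBLIC_LEN 16
static const uint8_t public_array[PUBLIC_LEN] = {
    10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25
};

/* The bounds-check pattern the article calls a Spectre gadget: the check is
 * correct architecturally, but the CPU may speculatively run the load with an
 * out-of-bounds idx before the comparison resolves. */
uint8_t lookup_unhardened(size_t idx) {
    if (idx < PUBLIC_LEN) {
        return public_array[idx];
    }
    return 0;
}

/* Branchless mask: all ones when idx < size, zero otherwise. Modelled on the
 * Linux kernel's array_index_mask_nospec; assumes idx and size are below
 * 2^63 and an arithmetic right shift of signed values (GCC/Clang). Because
 * the mask is derived from the data rather than from the branch outcome, it
 * stays correct even while the branch is mis-predicted. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)(~(long)(idx | (size - 1 - idx)) >> (8 * sizeof(long) - 1));
}

/* Hardened form: an out-of-bounds index is forced to zero under
 * mis-speculation, so the speculative read stays inside the array. */
uint8_t lookup_hardened(size_t idx) {
    if (idx < PUBLIC_LEN) {
        idx &= index_mask_nospec(idx, PUBLIC_LEN);
        return public_array[idx];
    }
    return 0;
}

int main(void) {
    size_t probes[] = {0, 7, 15, 16, 1000};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("idx=%zu mask=%#zx unhardened=%u hardened=%u\n", probes[i],
               index_mask_nospec(probes[i], PUBLIC_LEN),
               lookup_unhardened(probes[i]), lookup_hardened(probes[i]));
    }
    return 0;
}
```

Both functions return the same values architecturally; the difference only exists during mis-speculation, which is why the branch alone is not a sufficient check.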
“NetSpectre attacks require a large number of measurements to distinguish bits with a certain confidence,” the researchers said. “We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud.”
The team reported this vulnerability to Intel in March this year, and the NetSpectre attack was fixed by Intel during the initial set of patches for the speculative-execution design blunders.
So, if you have already updated your code and applications to mitigate previous Spectre exploits, you should not worry about the NetSpectre attack.
The details of the NetSpectre attack come almost two weeks after Intel paid out a $100,000 bug bounty to a team of researchers for finding and reporting new processor vulnerabilities that were also related to Spectre variant 1.
In May this year, security researchers from Microsoft and Google also reported a Spectre Variant 4 impacting modern CPUs in millions of computers, including those marketed by Apple.
No malware has so far been found exploiting any of the Spectre or Meltdown variants, or their sub-variants, in the wild.
Intel said it has updated its white paper [PDF] titled “Analyzing potential bounds check bypass vulnerabilities” to include information related to the NetSpectre attack.