Intel warns of a new vulnerability in Intel Core processors that can give attackers access to sensitive data such as cryptographic keys. Like the Spectre and Meltdown attacks, the new attack is a so-called ‘speculative execution side channel attack’. Unlike the other two, this attack has a less catchy name: “Lazy FP”.
The vulnerability exists in the processor and therefore affects all platforms that run Intel Core CPUs and make use of Lazy FPU switching, according to security researchers from Cyberus Technology and Amazon who discovered the vulnerability. Internal registers in the processor hold the state of each running application. When the processor switches between applications, that state has to be saved and restored, which costs resources. To improve performance, Lazy FPU switching is used: it saves or restores the FPU state only when absolutely necessary.
A vulnerability in Intel processors makes it possible for one process to access the state of another process, which can result in the leakage of sensitive data. In this way the contents of the Floating Point Unit (FPU) register sets known as AVX, MMX and SSE can be obtained.
“This is very bad because AES encryption keys almost always end up in SSE registers,” according to computer scientist and FreeBSD Security Officer Emeritus Colin Percival on Twitter.
The information from the registers can leak across process and virtual machine boundaries, according to the researchers. To abuse the vulnerability, an attacker needs to have access to the system, which is not an obstacle in shared hosting environments, for example.
Amazon, one of the world’s largest providers of cloud computing services, reports in a security advisory that, “the issue does not impact AWS infrastructure. No customer’s instance can read the memory or state of another customer’s instance, nor can any instance read AWS hypervisor memory or state.”
Intel has told The Register that Lazy FP state restore is equivalent to the Spectre NG vulnerability that was recently disclosed and that was patched in operating systems and hypervisor software years ago. The chip giant also says it is working with industry partners to solve the issue in other environments, and the company plans to release a patch for the issue within the coming weeks.
Microsoft plans to release patches for the issues soon.
Update: An Intel spokesperson provided the following addition: “This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.”
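Because the fix Intel and its partners describe is an operating-system one (switching FPU state eagerly instead of lazily), the practical question for an administrator is whether a given Linux host still uses lazy FPU switching. The script below is an added example written for this article, not code from Intel, Amazon or the researchers. It assumes, as the author's own understanding rather than anything stated on the page, that Linux 4.9 and later have no lazy mode at all, that older kernels log a line of the form "x86/fpu: Using 'eager' FPU context switches." (or 'lazy') at boot, and that those older kernels accept eagerfpu=on / eagerfpu=off on the kernel command line. The sample log lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the article): classify a Linux host's x86 FPU
# context-switch mode from kernel version, boot command line and kernel log.
# Assumptions (the example author's, not the page's): Linux 4.9+ always switches
# FPU state eagerly; older kernels print "x86/fpu: Using 'eager' FPU context
# switches." or "... 'lazy' ..." at boot and accept eagerfpu=on|off at boot.

# kernel_is_eager_only MAJOR MINOR -> exit 0 if the kernel has no lazy mode
kernel_is_eager_only() {
    major=$1; minor=$2
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 9 ] && return 0
    return 1
}

# fpu_mode_from_cmdline "CMDLINE" -> prints eager | lazy | default
fpu_mode_from_cmdline() {
    case " $1 " in
        *" eagerfpu=off "*) echo lazy ;;
        *" eagerfpu=on "*)  echo eager ;;
        *)                  echo default ;;
    esac
}

# fpu_mode_from_log: reads kernel log lines on stdin -> prints eager | lazy | unknown
fpu_mode_from_log() {
    mode=unknown
    while IFS= read -r line; do
        case "$line" in
            *"x86/fpu: Using 'eager' FPU context switches"*) mode=eager ;;
            *"x86/fpu: Using 'lazy' FPU context switches"*)  mode=lazy ;;
        esac
    done
    echo "$mode"
}

# assess_host RELEASE "CMDLINE" LOGFILE
#   prints a verdict; exit 0 = eager, 1 = lazy (affected), 2 = undetermined
assess_host() {
    release=$1; cmdline=$2; logfile=$3
    major=${release%%.*}          # "4.4.0-128-generic" -> "4"
    rest=${release#*.}            # -> "4.0-128-generic"
    minor=${rest%%[!0-9]*}        # -> "4"
    if kernel_is_eager_only "$major" "$minor"; then
        echo "eager (kernel $release has no lazy FPU mode)"
        return 0
    fi
    logmode=$(fpu_mode_from_log < "$logfile")
    cmdmode=$(fpu_mode_from_cmdline "$cmdline")
    if [ "$logmode" = lazy ] || [ "$cmdmode" = lazy ]; then
        echo "lazy (FPU state saved on demand: Lazy FP state restore applies)"
        return 1
    fi
    if [ "$logmode" = eager ]; then
        echo "eager (kernel log confirms eager FPU context switches)"
        return 0
    fi
    echo "unknown (no FPU mode message in log; check your vendor advisory)"
    return 2
}

# Constructed sample: a pre-4.9 kernel booted with default (lazy) switching.
sample_log=$(mktemp)
printf '%s\n' \
    "[    0.000000] Linux version 4.4.0-128-generic (constructed sample line)" \
    "[    0.000000] x86/fpu: Using 'lazy' FPU context switches." > "$sample_log"
assess_host "4.4.0-128-generic" "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro" "$sample_log" || true
rm -f "$sample_log"
```

On a live host the same function is called as `dmesg > /tmp/kmsg; assess_host "$(uname -r)" "$(cat /proc/cmdline)" /tmp/kmsg`; the boot message is only present if the ring buffer has not wrapped, which is why the version check comes first and an absent message yields "unknown" rather than a false "eager".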