Reports of a serious flaw affecting all computer CPUs containing Intel chipsets from the last 10 years have surfaced, driving Intel stock down and sending security researchers scrambling to test it for themselves. However, Intel calls the reports “wildly inaccurate.”
The Register first reported the alleged problem, saying that the bug gives bad actors access to the part of a computer’s memory that takes care of passwords. Max Goryachy, security researcher at Positive Technologies, said that his follow-up analysis shows the issue to exist in a special mechanism within Intel chips that allows the reordering of instruction sequences—a function that was built in to increase the performance of program execution and processing.
“It turns out that this mechanism does not verify access rights, resulting in the situation that any application becomes able to read data from the memory that should not be available to it,” he explained, via email. “This vulnerability is dangerous because of the bypass of a modern protection mechanism called kernel address space layout randomization (KASLR), which simplifies hacking of modern operating systems working on Intel chipsets. Another potential usage would be to gain access to critical data, such as encryption keys, user credentials, and a lot more.”
OS providers like Linux, Microsoft and Apple are issuing patches to prevent such attacks—but the pitfall, Goryachy said, is that fixing the problem comes with a tradeoff of serious performance degradation. In fact, security updates may slow down older machinery by as much as 30%.
Further, the researcher believes the issue could have far-flung ramifications for cloud servers.
“Positive Technologies believes that some chipset generations allow gaining access to a host's memory inside of the virtual machine,” he said. “It is highly likely that this was the case in the temporary unavailability of Amazon and Azure servers. This problem can be completely fixed only in new chip versions.”
Interestingly, Amazon has issued a notice about a major security update, with EC2 scheduled to reboot this Friday.
“If the Azure and Amazon reboots are related to the Intel flaw, it would demonstrate how far-reaching the impact is,” said Chris Morales, head of security analytics at Vectra. “A phrase like ‘the cloud is rebooting’ is not something that anyone has had to say before, and it reminds me of the kind of far-reaching impact that Y2K was feared to have had.”
He added, “This should be a wake-up call to enterprises that they need to think differently about cloud security. This flaw in the cloud could provide a side door for an attacker to enter from an adjacent cloud service, rather than launch a frontal assault on your enterprise applications running in the cloud.”
However, Intel has issued a statement playing down the media reports, and its general counsel took to Twitter to refute the claims. The company has acknowledged the issue but said it is not specific to its chipsets; it also disputed the performance degradation worries and the assessments of potential damage.
“Intel believes these exploits do not have the potential to corrupt, modify or delete data,” it said. “Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices—with many different vendors’ processors and operating systems—are susceptible to these exploits.”
It said that it is working with AMD, ARM Holdings and “several OS vendors” to develop an industry-wide approach to addressing the problem, and that it has begun providing software and firmware updates to mitigate these exploits.
“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” it said.
Jason Kent, CTO at AsTech Consulting, said the silicon giant’s assessment should be taken with a grain of salt.
“Folks in the Linux community need to be extra mindful on this and not just patch and hope for the best,” he said via email. “This one is going to need lots of monitoring to ensure the applications running on those devices are not suddenly unable to work with a standard workload. This could have wide implications of doubt being cast on vulnerability management programs in general, as well as how open-source might be viewed. ‘Those Linux servers are slow’ is a possible outcome.”