Researchers have found that Intel processors are being impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes.
The new side-channel vulnerability, called PortSmash, was discovered by researchers Billy Bob Brumley, Cesar Pereida García, Sohaib ul Hassan and Nicola Tuveri from the Tampere University of Technology in Finland and Alejandro Cabrera Aldaya from the Universidad Tecnológica de la Habana.
According to the proof of concept, the only prerequisite to exploit the vulnerability, identified as CVE-2018-5407, is a CPU featuring simultaneous multithreading (SMT), such as Intel’s hyper-threading. An attacker uses a timing attack to steal information from other processes running in the same CPU core with hyper-threading.
Because it is a local attack, in order to steal the private decryption keys, the attacker and victim must be running on the same physical core, such as an OpenSSL.
“News of a side-channel vulnerability should be very concerning for security and IT professionals alike,” said Justin Jett, director of audit and compliance for Plixer. “Malicious actors can take these newly generated keys and decrypt any conversation that would otherwise have been protected by the key.
“Additionally, because the malware writer is already on the machine, they have a better understanding of where these keys may be used (for example, were the keys then moved to a specific folder that is being used by an application installed on the machine).”
Similar to other processor vulnerabilities, like Meltdown and Spectre, PortSmash is a reminder that we have to rotate the keys and certificates that serve as machine identities, much more frequently than we do, according to Kevin Bocek, VP of security strategy and threat intelligence at Venafi.
“Our machine identities are kept around for years, and it’s crazy to think machine that they won’t be attacked. This is especially true a cloud and microservices environments, where these kinds of vulnerabilities are most dangerous.
“Security and IT teams know we have to change passwords regularly and why. But we haven’t applied the same logic to machine identities, even though they provide even higher levels of access than most passwords. The reality is that most keys and certificates aren’t changed often, and a surprising number are never changed. These are the machine identities that are most at risk from PortSmash.”