Intel processors are impacted by a new vulnerability that can allow attackers to leak encrypted data from the CPU's internal processes.
The new vulnerability, which has received the codename of PortSmash, has been discovered by a team of five academics from the Tampere University of Technology in Finland and Technical University of Havana, Cuba.
Researchers have classified PortSmash as a side-channel attack. In computer security terms, a side-channel attack describes a technique used for leaking encrypted data from a computer's memory or CPU, which works by recording and analyzing discrepancies in operation times, power consumption, electromagnetic leaks, or even sound to gain additional info that may help break encryption algorithms and recovering the CPU's processed data.
Researchers say PortSmash impacts all CPUs that use a Simultaneous Multithreading (SMT) architecture, a technology that allows multiple computing threads to be executed simultaneously on a CPU core.
In lay terms, the attack works by running a malicious process next to legitimate ones using SMT's parallel thread running capabilities. The malicious PortSmash process than leaks small amounts of data from the legitimate process, helping an attacker reconstruct the encrypted data processed inside the legitimate process.
Researchers say they've already confirmed that PortSmash impacts Intel CPUs which support the company's Hyper-Threading (HT) technology, Intel's proprietary implementation of SMT.
"Our attack has nothing to do with the memory subsystem or caching," said Billy Brumley, one of the five researchers, referring to previous side-channel attacks that have impacted SMT architectures and Intel's HT implementation.
"The nature of the leakage is due to execution engine sharing on SMT (e.g. Hyper-Threading) architectures. More specifically, we detect port contention to construct a timing side-channel to exfiltrate information from processes running in parallel on the same physical core," Brumley added.
A research paper detailing the PortSmash vulnerability in more depth for astute technical readers will be published on the Cryptology ePrint Archive portal in the coming days, Brumley told ZDNet earlier today via email when we reached out for more details.
His team also published proof-of-concept (PoC) code on GitHub that demonstrates a PortSmash attack on Intel Skylake and Kaby Lake CPUs.
The PoC steals an OpenSSL (<= 1.1.0h) P-384 private key from a TLS server by successfully exploiting PortSmash, but the attack can be modified to target any type of data.
The PortSmash PoC also requires malicious code to be running on the same physical core as the victim, but this isn't such a big hurdle for attackers.
"IaaS [Infrastructure-as-a-Service] is one scenario to make it more 'remote'," Brumley told ZDNet. "There, attackers would try to co-locate VMs with victims to end up running the exploit on the same physical core as the victim, but different logical core."
"[PortSmash] definitely does not need root privileges," he said "Just user space."
Researchers say they notified Intel's security team last month, on October 1, but the company has not provided a patch until yesterday, the date on which researchers went public with their findings. An Intel spokesperson was not available for comment regarding the state of the PortSmash patching process before this article's publication.
AMD CPUs likely impacted
"We leave as future work exploring the capabilities of PortSmash on other architectures featuring SMT, especially on AMD Ryzen systems," the research team said in a version of their paper shared with ZDNet, but Brumley told us via email that he strongly suspects that AMD CPUs are also impacted.
The work behind discovering PortSmash is also the first result of "SCARE: Side-Channel Aware Engineering," a five-year security research project funded by the European Research Council.
"The goal of the project is to find new side-channel vectors and mitigate them," Brumley told us.
Time to end SMT/HT support
Last year, another team of researchers found a similar side-channel vulnerability named TLBleed impacting Intel's Hyper-Threading (SMT) technology. Following the discovery of TLBleed, the OpenBSD project decided to disable support for Intel's HT technology in upcoming versions of the OpenBSD operating system, on the grounds of security.
"This is the main reason we released the exploit -- to show how reproducible it is," Brumley told us, "and help to kill off the SMT trend in chips."
"Security and SMT are mutually exclusive concepts," he added. "I hope our work encourages users to disable SMT in the BIOS or choose to spend their money on architectures not featuring SMT."
PortSmash is tracked in the CVE vulnerability tracking system with the CVE-2018-5407 identifier. The OpenSSL project also released version 1.1.1 that prevents a PortSmash attack from recovering OpenSSL data.
Update on November 2, 15:20 ET: An Intel spokesperson has provided the following statement in regards to the research team going public with details about the PortSmash flaw:
Intel received notice of the research. This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers' data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.
- Cisco zero-day exploited in the wild to crash and reload devices
- Twelve malicious Python libraries found and removed from PyPI
- Windows Defender becomes first antivirus to run inside a sandbox
- New security flaw impacts most Linux and BSD distros
- Intel hits representation goal in its US workforce CNET
- Microsoft Windows zero-day disclosed on Twitter, again
- Zero-day in popular jQuery plugin actively exploited for at least three years
- Intel Foreshadow exploits: How to protect yourself TechRepublic