Intel finally issues Spoiler attack alert: Now non-Spectre exploit gets CVE but no patch

No patch for Spoiler attack affecting all Intel chips, but a security advisory gives it an official CVE identifier.

Meltdown and Spectre: Researchers find seven new variations Experiments showed that processors from AMD, ARM, and Intel are affected.

Intel has finally posted an official security advisory in response to the recently revealed Spoiler attack, which uses a weakness in Intel CPUs to enhance already known attacks that leak secrets from memory. 

Researchers from Worcester Polytechnic Institute, Massachusetts, and the University of Lübeck in north Germany in March drew attention to a weakness in Intel's proprietary memory subsystem that affects Intel CPUs all the way back to its 1st generation Intel Core processors, regardless of the operating system. 

An attacker with low privileges can use Spoiler to learn a system's virtual address mapping to physical memory addresses, Intel said in an assessment, which stressed that Spoiler itself doesn't reveal secret data.  

Spoiler is not a speculative execution side-channel attack like Spectre v2, which could leak secrets like passwords. However, Spoiler does lower the bar for other known memory-leaking attack techniques, such as Rowhammer bit-flipping in memory chips, and classic side-channel attacks.  

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Intel initially didn't say much about Spoiler's impact, except that it believed software can be shielded against Spoiler issues by employing "side-channel safe software development practices" and that DRAM modules with Rowhammer mitigations should remain protected. 

Rowhammer mitigations include ECC or Error-Correcting Code memory, used in RAM for mission-critical systems. Researchers recently showed that ECC in DDR3 and possibly DDR4 is fairly brittle in the face of a specific Rowhammer attack. If it triggered three simultaneous bit flips ECC could be completely bypassed.    

Intel has now assigned the vulnerability identifier CVE-2019-0162 to Spoiler and given it a CVSS severity score of 3.8 out of a possible 10. The 'low' severity rating is likely because an attacker would need to be authenticated and have local access to the hardware, while existing mitigations further reduce risks. 

"Memory access in virtual memory mapping for some microprocessors may allow an authenticated user to potentially enable information disclosure via local access," Intel notes in its advisory

The researchers who discovered Spoiler predicted the chip maker would be unable to patch its memory subsystem with microcode any time soon without "losing tremendous performance". 

Indeed, Intel doesn't have a patch but points to documents detailing 'Security Best Practices For Side Channel Resistance' and 'Guidelines for Mitigating Timing Side Channels Against Cryptographic Implementations'. 

"Intel recommends that users follow existing best practices to mitigate exploitation of this vulnerability," it notes.   

In a separate document, Intel says its kernel protections, such as the kernel page-table isolation (KPTI) mitigation against the Meltdown CPU attack, does "reduce the risk of leaking data across privilege levels".

"After careful assessment, Intel has determined that existing kernel protections, like KPTI, reduce the risk of leaking data across privilege levels," Intel notes. 

"Combined with side-channel safe software development practices, like ensuring execution time and control flows are identical regardless of secret data, these protections mitigate classic side-channel methods enabled by the Spoiler exploit. Additionally, DRAM modules that are mitigated against Rowhammer-style attacks remain protected regardless of the Spoiler exploit."

More on Intel, Spoiler and Spectre