New Windows hack warning: Patch Intel systems now to block SWAPGSAttack exploits

Researchers detail hardware vulnerability that bypasses mitigations against Spectre and Meltdown CPU vulnerabilities on Windows systems - and impacts all systems using Intel processors manufactured since 2012.
Written by Danny Palmer, Senior Writer

A newly uncovered vulnerability affecting every Windows computer using an Intel processor built since 2012 could allow attackers to bypass safeguards and access information held in a system's protected kernel memory.

This new side-channel attack is built on previous research into other CPU vulnerabilities – such as Spectre and Meltdown – but this new vulnerability can bypass the protections that were implemented to protect users from attacks exploiting those flaws.

The bug has been called SWAPGSAttack because it exploits SWAPGS, an instruction for x86/x64 CPUs that switches the system to start addressing the protected memory set aside for operating system kernels.


Attackers taking advantage of SWAPGSAttack [CVE-2019-1125] could use it to secretly monitor and steal sensitive information from a targeted machine – all without leaving a trace of an attack against the hardware.

The vulnerability was discovered by researchers at Bitdefender as they researched CPU architectures. They've chosen to reveal what they found in a session at Black Hat USA after working with Intel, Microsoft and others to ensure an update was released to fix the bug as part of Patch Tuesday. 

Bitdefender said only Intel chips are affected, while Red Hat and Microsoft say other makes of chips are vulnerable. Microsoft says the new vulnerability is a variant of the earlier Spectre flaw, which affected Arm, AMD and Intel chips, while Red Hat says the SWAPGSAttack affects Intel and AMD chips. SWAPGSAttack also doesn't affect systems running Linux-based operating systems.

It's not known if the vulnerability has been exploited in the wild, but Windows computers and servers that have delayed the patch could be vulnerable to potential attacks exploiting SWAPGSAttack going forward, as could unsupported operating systems like Windows XP.

The attack mechanism also leverages speculative execution, an optimisation technique where processors try to second-guess which operations might be carried out next and load those instructions into fast on-chip cache memory ahead of time. Every Windows machine using Intel processors since 2012 uses this technique to speed up the system.

However, speculative execution can leave traces in the cache, potentially allowing hackers to perform a side-channel attack targeting weaknesses in the hardware as a means of gathering information about data held in the protected kernel memory.

The attacker can then infer and piece together information about the data held in the CPU cache, and therefore in system memory, by analysing the behavior of the system in response to carefully crafted requests to load data. 

For example, attackers could try to gain access to a password by loading different letters and digits and inferring whether they are in the password by how long it takes the system to load each letter and digit.

"It'll go through all of the alphabet letters up until it can infer what your password is," Bogdan Botezatu, director of threat research at Bitdefender, told ZDNet.

"So I can infer information about your password by querying things. I can infer information about encryption keys you have on the device, I can infer information about everything that goes into that cache."

With enough time, attackers could use this technique to gather vast amounts of sensitive data – especially when targeting servers acting as a hub for a whole organisation.

And because the attack isn't obvious to the user, it could potentially be exploited by a well-resourced hacking operation looking to gather intelligence over time.

An attacker with local access could also steal data belonging to the other users on the system or use information from kernel memory to mount, for instance, a privilege-escalation attack.   

"Don't think of this as the next big tool to exploit ransomware or regular malware, because it doesn't go like that. A side-channel attack is time consuming and it requires hours to pluck information from the CPU. For a cyber criminal trying to get their hands on quick information, there's phishing," Botezatu explained.

"But for a state-sponsored threat actor, targeting a high profile organisation, this thing is gold. Because they have all the time in the world to make guesses and this kind of attack doesn't leave any forensic traces on computers," he added.


Bitdefender worked with Microsoft and Intel over the course of a year to ensure systems are protected against SWAPGSAttack – and users who've not yet applied July's Patch Tuesday updates are urged to do so to protect against the vulnerability before someone attempts to use it in the wild.

"We're aware of this industry-wide issue and have been working closely with affected chip manufacturers and industry partners to develop and test mitigations to protect our customers. We released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically," a Microsoft spokesperson told ZDNet.

"Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft. It takes the ecosystem working together to collectively keep products and data more secure and this issue is being coordinated by Microsoft," an Intel spokesperson told ZDNet via email.

While difficult to conduct, attacks against hardware, like SWAPGSAttack, Spectre and Meltdown, are of high interest to sophisticated criminal groups. And because of the known vulnerabilities of CPU hardware, cyber criminals are likely to be examining ways of exploiting them that aren't currently known to security professionals.

"The CPU is still a vulnerable component of a computing system and most likely these style of attacks will keep popping up," said Botezatu.

"From an architecture perspective, the CPU has many windows which are avenues of attack and every time a window is opened and attacks the CPU, the CPU vendor closes that particular window, only to find new mechanisms to leverage the same vulnerability show up," he added.

Bitdefender has published a full technical analysis of SWAPGSAttack in the newly released report on the vulnerability.

