Skip to end of metadata
Go to start of metadata

Overview

Modern CPUs have speculative execution capabilities, which improves processor performance. Depending on the design and architecture of the CPU, speculative execution can introduce side-channel-attack vulnerabilities.

Known Vulnerabilities

PublicCVEAlias(es)CPUs AffectedSpeculative TriggerImpactMitigationsReferences
Jan 3, 2018CVE-2017-5753

Spectre V1

NetSpectre ( network attack vector)

Intel
ARM
Branch prediction bounds check bypassCross- and intra-process (including kernel) memory disclosure

OS

Compiler

Browser

https://www.kb.cert.org/vuls/id/584653

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Jan 3, 2018CVE-2017-5715Spectre V2Intel
AMD
ARM
Branch target injectionCross- and intra-process (including kernel) memory disclosureMicrocode

https://www.kb.cert.org/vuls/id/584653

https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html

https://www.amd.com/en/corporate/security-updates
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Jan 3, 2018CVE-2017-5754

Spectre V3

Meltdown

IntelOut-of-order executionKernel memory disclosure to userspaceOShttps://www.kb.cert.org/vuls/id/584653
https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
May 21, 2018CVE-2018-3640Spectre V3a (RSRE)Intel
ARM
System register readDisclosure of system register valuesMicrocode

https://www.kb.cert.org/vuls/id/180049

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

May 21, 2018CVE-2018-3639Spectre V4 (SSB)Intel
AMD
ARM

Memory reads before prior memory write addresses knownCross- and intra-process (including kernel) memory disclosure

Microcode

OS


https://www.kb.cert.org/vuls/id/180049

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
https://www.amd.com/en/corporate/security-updates

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Jun 13, 2018CVE-2018-3665Lazy FPIntelLazy FPU state restoreLeak of FPU stateOShttps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html
July 10, 2018CVE-2018-3693Spectre1.1Intel

Bounds check bypass store

Speculative buffer overflow

Cross- and intra-process (including kernel) memory disclosure

OS

https://01.org/security/advisories/intel-oss-10002

https://arxiv.org/abs/1807.03757

July 10, 2018N/ASpectre1.2IntelRead-only protection bypass

Overwrite read-only data and pointers

Cross- and intra-process (including kernel) memory disclosure

OS

https://01.org/security/advisories/intel-oss-10002

https://arxiv.org/abs/1807.03757

August 14, 2018CVE-2018-3615

L1 Terminal Fault: SGX

Foreshadow-SGX

IntelTransient out-of-order executionSGX enclave memory disclosure

Microcode

TCB Recovery

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow.pdf

August 14, 2018CVE-2018-3620

L1 Terminal Fault: OS/SMM

Foreshadow-OS

Foreshadow-NG

IntelTransient out-of-order executionOS or SMM memory disclosure

Microcode

OS

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow-NG.pdf

August 14, 2018CVE-2018-3646

L1 Terminal Fault: VMM

Foreshadow-VMM

Foreshadow-NG

IntelTransient out-of-order executionVirtual Machine Monitor (VMM) memory disclosure

Microcode

OS

https://www.kb.cert.org/vuls/id/982149

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

https://foreshadowattack.eu/

https://foreshadowattack.eu/foreshadow-NG.pdf

Notes

General

The causes of these vulnerabilities are rooted in CPU hardware design choices intended to optimize performance.
https://lwn.net/Articles/755419/
https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf

Spectre V1

Spectre V1 has been demonstrated to bypass protections provided by Intel SGX. Intel has updated the SGX SDK to mitigate these vulnerabilities when the SGX enclaves are rebuilt. 
https://software.intel.com/sites/default/files/managed/e1/ec/SGX_SDK_Developer_Guidance-CVE-2017-5753.pdf

Spectre V1 has also been demonstrated to access protections provided by the System Management Range Register (SMRR) to access protected System Management Mode (SMM) memory.
https://blog.eclypsium.com/2018/05/17/system-management-mode-speculative-execution-attacks/

Spectre V1 has also been demonstrated vulnerable to attacks directly over the network rather than through local code execution such as JavaScript. This remote attack is known as NetSpectre.
https://misc0110.net/web/files/netspectre.pdf

Lazy FP

Lazy FP may particularly expose AES keys:

The FPU state may contain sensitive information such as cryptographic keys. As an example, the Intel AES instruction set (AES-NI) uses FPU registers to store round keys. It is only possible to exploit when the underlying operating system or hypervisor uses lazy FPU switching.
https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html

  • No labels