Overview
Modern CPUs have speculative execution capabilities, which improves processor performance. Depending on the design and architecture of the CPU, speculative execution can introduce side-channel-attack vulnerabilities.
Known Vulnerabilities
| Public | CVE | Alias(es) | CPUs Affected | Speculative Trigger | Impact | Mitigations | References |
|---|---|---|---|---|---|---|---|
| Jan 3, 2018 | CVE-2017-5753 | Spectre V1 NetSpectre (remote network attack vector) | Intel ARM | Branch prediction bounds check bypass | Cross- and intra-process (including kernel) memory disclosure | OS Compiler Browser | https://www.kb.cert.org/vuls/id/584653 https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability |
| Jan 3, 2018 | CVE-2017-5715 | Spectre V2 | Intel AMD ARM | Branch target injection | Cross- and intra-process (including kernel) memory disclosure | Microcode | https://www.kb.cert.org/vuls/id/584653 https://www.amd.com/en/corporate/security-updates |
| Jan 3, 2018 | CVE-2017-5754 | Spectre V3 Meltdown | Intel | Out-of-order execution | Kernel memory disclosure to userspace | OS | https://www.kb.cert.org/vuls/id/584653 https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html |
| May 21, 2018 | CVE-2018-3640 | Spectre V3a (RSRE) | Intel ARM | System register read | Disclosure of system register values | Microcode | https://www.kb.cert.org/vuls/id/180049 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability |
| May 21, 2018 | CVE-2018-3639 | Spectre V4 (SSB) | Intel AMD ARM | Memory reads before prior memory write addresses known | Cross- and intra-process (including kernel) memory disclosure | Microcode OS | https://www.kb.cert.org/vuls/id/180049 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability |
| Jun 13, 2018 | CVE-2018-3665 | Lazy FP | Intel | Lazy FPU state restore | Leak of FPU state | OS | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html |
| July 10, 2018 | CVE-2018-3693 | Spectre1.1 | Intel | Bounds check bypass store | Speculative buffer overflow Cross- and intra-process (including kernel) memory disclosure | OS | |
| July 10, 2018 | N/A | Spectre1.2 | Intel | Read-only protection bypass | Overwrite read-only data and pointers Cross- and intra-process (including kernel) memory disclosure | OS | |
| August 14, 2018 | CVE-2018-3615 | L1 Terminal Fault: SGX | Intel | Transient out-of-order execution | SGX enclave memory disclosure | Microcode OS | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html |
| August 14, 2018 | CVE-2018-3620 | L1 Terminal Fault: OS/SMM | Intel | Transient out-of-order execution | OS or SMM memory disclosure | Microcode OS | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html |
| August 14, 2018 | CVE-2018-3646 | L1 Terminal Fault: VMM | Intel | Transient out-of-order execution | Virtual Machine Monitor (VMM) memory disclosure | Microcode OS | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html |
Notes
General
The causes of these vulnerabilities are rooted in CPU hardware design choices intended to optimize performance.
https://lwn.net/Articles/755419/
https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf
Spectre V1
Spectre V1 has been demonstrated to bypass protections provided by Intel SGX. Intel has updated the SGX SDK to mitigate these vulnerabilities when the SGX enclaves are rebuilt.
https://software.intel.com/sites/default/files/managed/e1/ec/SGX_SDK_Developer_Guidance-CVE-2017-5753.pdf
Spectre V1 has also been demonstrated to access protections provided by the System Management Range Register (SMRR) to access protected System Management Mode (SMM) memory.
https://blog.eclypsium.com/2018/05/17/system-management-mode-speculative-execution-attacks/
Spectre V1 has also been demonstrated vulnerable to attacks directly over the network rather than through local code execution such as JavaScript. This remote attack is known as NetSpectre.
https://misc0110.net/web/files/netspectre.pdf
Lazy FP
Lazy FP may particularly expose AES keys:
The FPU state may contain sensitive information such as cryptographic keys. As an example, the Intel AES instruction set (AES-NI) uses FPU registers to store round keys. It is only possible to exploit when the underlying operating system or hypervisor uses lazy FPU switching.
https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html