Modern CPUs have speculative execution capabilities that improve processor performance. Depending on the design and architecture of the CPU, speculative execution can introduce side-channel attack vulnerabilities.
Public | CVE | Alias(es) | CPUs Affected | Speculative Trigger | Impact | Mitigations | References |
---|---|---|---|---|---|---|---|
Jan 3, 2018 | CVE-2017-5753 | Spectre V1; NetSpectre (remote network attack vector) | Intel, ARM | Branch prediction bounds check bypass | Cross- and intra-process (including kernel) memory disclosure | OS, Compiler, Browser | https://www.kb.cert.org/vuls/id/584653 https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability |
Jan 3, 2018 | CVE-2017-5715 | Spectre V2 | Intel, AMD, ARM | Branch target injection | Cross- and intra-process (including kernel) memory disclosure | Microcode | https://www.kb.cert.org/vuls/id/584653 https://www.amd.com/en/corporate/security-updates |
Jan 3, 2018 | CVE-2017-5754 | Spectre V3; Meltdown | Intel | Out-of-order execution | Kernel memory disclosure to userspace | OS | https://www.kb.cert.org/vuls/id/584653 https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html |
May 21, 2018 | CVE-2018-3640 | Spectre V3a (RSRE) | Intel, ARM | System register read | Disclosure of system register values | Microcode | https://www.kb.cert.org/vuls/id/180049 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability |
May 21, 2018 | CVE-2018-3639 | Spectre V4 (SSB) | Intel, AMD, ARM | Memory reads before prior memory write addresses are known | Cross- and intra-process (including kernel) memory disclosure | Microcode, OS | https://www.kb.cert.org/vuls/id/180049 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability |
Jun 13, 2018 | CVE-2018-3665 | Lazy FP | Intel | Lazy FPU state restore | Leak of FPU state | OS | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html |
July 10, 2018 | CVE-2018-3693 | Spectre 1.1 | Intel | Bounds check bypass store | Speculative buffer overflow; cross- and intra-process (including kernel) memory disclosure | OS | |
July 10, 2018 | N/A | Spectre 1.2 | Intel | Read-only protection bypass | Overwrite of read-only data and pointers; cross- and intra-process (including kernel) memory disclosure | OS | |
August 14, 2018 | CVE-2018-3615 | L1 Terminal Fault: SGX; Foreshadow | Intel | Transient out-of-order execution | SGX enclave memory disclosure | Microcode, OS | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html |
August 14, 2018 | CVE-2018-3620 | L1 Terminal Fault: OS/SMM; Foreshadow-NG | Intel | Transient out-of-order execution | OS or SMM memory disclosure | Microcode, OS | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html |
August 14, 2018 | CVE-2018-3646 | L1 Terminal Fault: VMM; Foreshadow-NG | Intel | Transient out-of-order execution | Virtual Machine Monitor (VMM) memory disclosure | Microcode, OS | https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html |
The causes of these vulnerabilities are rooted in CPU hardware design choices intended to optimize performance.
https://lwn.net/Articles/755419/
https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf
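The OS and compiler mitigations listed for the Spectre V1 row (bounds check bypass) largely come down to making the speculative path harmless rather than removing the branch. The following C example is added here for illustration and is not code from the CERT note or from any vendor: it shows a plain bounds-checked lookup beside a hardened version that clamps the index with a branchless mask modelled on the Linux kernel's generic array_index_mask_nospec(); the demo table, probe values and function names are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed demo table standing in for any array whose neighbouring
 * memory holds data that must not be disclosed. */
static const uint8_t demo_table[8] = {10, 20, 30, 40, 50, 60, 70, 80};

/* Plain bounds-checked lookup: architecturally correct, but if the branch is
 * mispredicted the CPU may speculatively load table[idx] for an out-of-bounds
 * idx and leave an observable cache footprint (the CVE-2017-5753 gadget shape). */
static uint8_t lookup_plain(const uint8_t *table, size_t size, size_t idx)
{
    if (idx < size)
        return table[idx];
    return 0;
}

/* Branchless mask in the spirit of the Linux kernel's generic
 * array_index_mask_nospec(): all ones when idx < size, zero otherwise.
 * Assumes size has its top bit clear. When idx < size, both idx and
 * size-1-idx have the top bit clear; when idx >= size, size-1-idx wraps and
 * sets it. There is no branch, so the predictor has nothing to get wrong. */
static size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t oob = (idx | (size - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return oob - 1; /* 0 - 1 wraps to SIZE_MAX (in bounds); 1 - 1 = 0 (out) */
}

/* Hardened lookup: the mask clamps idx to 0 on the speculative path, so a
 * mispredicted branch can only ever touch table[0]. Architectural results
 * are identical to lookup_plain(). */
static uint8_t lookup_hardened(const uint8_t *table, size_t size, size_t idx)
{
    if (idx < size) {
        idx &= index_mask_nospec(idx, size);
        return table[idx];
    }
    return 0;
}
int main(void)
{
    size_t probes[] = {0, 3, 7, 8, 1000, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu mask=%#zx plain=%u hardened=%u\n", probes[i],
               index_mask_nospec(probes[i], 8),
               (unsigned)lookup_plain(demo_table, 8, probes[i]),
               (unsigned)lookup_hardened(demo_table, 8, probes[i]));
    return 0;
}
```

Compilers implementing speculative load hardening and kernels using array_index_nospec() apply the same idea automatically; the point of the mask is that the clamp holds even on the mispredicted path, which a conditional branch alone cannot guarantee.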
Spectre V1 has been demonstrated to bypass protections provided by Intel SGX. Intel has updated the SGX SDK to mitigate these vulnerabilities when the SGX enclaves are rebuilt.
https://software.intel.com/sites/default/files/managed/e1/ec/SGX_SDK_Developer_Guidance-CVE-2017-5753.pdf
Spectre V1 has also been demonstrated to bypass the protections provided by the System Management Range Register (SMRR) and access protected System Management Mode (SMM) memory.
https://blog.eclypsium.com/2018/05/17/system-management-mode-speculative-execution-attacks/
Spectre V1 has also been demonstrated to be exploitable directly over the network, rather than requiring local code execution such as JavaScript. This remote attack is known as NetSpectre.
https://misc0110.net/web/files/netspectre.pdf
Lazy FP may particularly expose AES keys:
The FPU state may contain sensitive information such as cryptographic keys. As an example, the Intel AES instruction set (AES-NI) uses FPU registers to store round keys. The issue is only exploitable when the underlying operating system or hypervisor uses lazy FPU state switching.
https://blog.cyberus-technology.de/posts/2018-06-06-intel-lazyfp-vulnerability.html