NetSpectre attack leaks memory contents over the network.
A team of security researchers has disclosed a new Spectre attack that can be launched over the network and does not require the attacker to run any code on the targeted machine.
The new attack, codenamed ‘NetSpectre’, is a remote side-channel attack related to Spectre variant 1. It abuses speculative execution to perform a bounds-check bypass, and it can also be used to defeat address-space layout randomization (ASLR) on the remote system.
Speculative execution is a core feature of modern processor design: rather than waiting for a branch condition to be resolved, the CPU executes the instructions it predicts will be needed next. If the prediction turns out to be correct, the results are committed; if not, they are discarded. The discarded work can still leave traces in microarchitectural state (the cache, or the power state of an execution unit), and those traces are what Spectre-style attacks measure.
As with other Spectre variants, an attacker who can trigger such a mispredicted bounds check and observe its side effects can extract data from memory that the check was supposed to protect, including passwords, cryptographic keys, and other sensitive information.
Rather than relying only on a cache-based covert channel, the researchers also demonstrated NetSpectre with a new AVX-based covert channel, which relies on the measurable delay of waking up the AVX2 unit after it has powered down. Over that channel they were able to leak data at a rate of just 60 bits per hour from the target system.
“Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory,” the researchers said.
To do so, a remote attacker only needs to send a series of crafted request packets to the target machine and measure the response times, leaking a secret value from the machine’s memory one bit at a time.
“We verified that our NetSpectre attacks work in local-area networks as well as between virtual machines in the Google cloud,” the researchers said.
We present NetSpectre: A remote Spectre attack without attacker-controlled code on the victim, and the first Spectre attack which works without the cache as covert channel. https://t.co/qEJ2YMROAh /cc @lavados @mlqxyz pic.twitter.com/5T1VzZDvOJ
— Michael Schwarz (@misc0110) July 26, 2018
Existing mitigations should prevent NetSpectre
The team reported the attack to Intel in March this year. Because NetSpectre is a variant 1 (bounds-check bypass) attack, it is covered by the mitigations that Intel and software vendors already published in the initial round of patches for the speculative execution design flaws.
So if you have already updated your code and applications with the variant 1 mitigations (speculation barriers or index masking around bounds checks), NetSpectre should not find an exploitable gadget to target. The caveat is that the attack is remote: the mitigations have to cover every bounds check reachable from a network interface, not just browsers and other code that runs attacker-supplied input locally.
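The gadget described above and the mitigations this section refers to, as an added example in C (not code from the NetSpectre paper or from Intel’s white paper): a bounds-checked lookup in the shape of the paper’s leak gadget, the shape of the transmit gadget that exposes it over response timing, and the two standard variant 1 fixes, branchless index masking (the idea behind Linux’s array_index_nospec) and an LFENCE speculation barrier. The function names, the bitstream and the “secret” bytes behind it are constructed for the example.

```c
/* Added example (not code from the NetSpectre paper or Intel's white paper):
 * the shape of a Spectre variant 1 "leak gadget" that NetSpectre targets in
 * network-facing code, and two standard mitigations for it. All names and
 * the sample data are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <immintrin.h>                 /* _mm_lfence */
#define SPECULATION_BARRIER() _mm_lfence()
#else
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

/* Constructed sample: a public bitstream of BITSTREAM_LEN bits, directly
 * followed in memory by bytes the bounds check is supposed to protect. */
#define BITSTREAM_LEN 8
static const uint8_t bitstream[BITSTREAM_LEN + 8] = {
    1, 0, 1, 1, 0, 0, 1, 0,            /* public, in bounds         */
    1, 1, 0, 1, 0, 0, 1, 1,            /* "secret", past the bounds */
};

/* Leak gadget as an attacker would like to find it. Architecturally the
 * out-of-bounds read never happens, but once the branch predictor has been
 * trained with in-bounds x values, a request with an out-of-bounds x is
 * speculatively executed past the check: bitstream[x] is read and *flag is
 * set, leaving a trace that a transmit gadget (below) exposes through
 * response timing. */
bool leak_gadget_vulnerable(size_t x, size_t len, bool *flag) {
    if (x < len) {                     /* mispredictable bounds check */
        if (bitstream[x]) *flag = true;
    }
    return *flag;
}

/* Transmit gadget shape (cache variant): touching probe_array only when
 * *flag is set makes a later access to it measurably faster. The AVX
 * variant instead executes a 256-bit instruction here, keeping the AVX2
 * unit powered up so that the next AVX-using request answers sooner. */
static volatile uint8_t probe_array[4096];
void transmit_gadget(const bool *flag) {
    if (*flag) (void)probe_array[0];
}

/* Mitigation 1: branchless index masking (same idea as Linux's
 * array_index_nospec). Returns x when x < len and 0 otherwise, computed
 * without a branch, so even a mispredicted check cannot steer the
 * speculative load outside the array. Relies on the arithmetic right shift
 * of a negative long that gcc and clang implement. */
static inline size_t index_mask_nospec(size_t x, size_t len) {
    /* high bit of (x | (len - 1 - x)) is set exactly when x >= len */
    long mask = ~(long)(x | (len - 1 - x)) >> (sizeof(long) * 8 - 1);
    return x & (size_t)mask;
}

bool leak_gadget_masked(size_t x, size_t len, bool *flag) {
    if (x < len) {
        x = index_mask_nospec(x, len);   /* becomes 0 on a mispredicted path */
        if (bitstream[x]) *flag = true;
    }
    return *flag;
}

/* Mitigation 2: a speculation barrier. LFENCE does not execute until all
 * prior instructions (including the compare) have completed, so nothing
 * after it runs speculatively on the wrong side of the check. Simpler than
 * masking, but more expensive in hot paths. */
bool leak_gadget_fenced(size_t x, size_t len, bool *flag) {
    if (x < len) {
        SPECULATION_BARRIER();
        if (bitstream[x]) *flag = true;
    }
    return *flag;
}

int main(void) {
    bool f = false;
    printf("in-bounds x=2  -> flag=%d\n", leak_gadget_masked(2, BITSTREAM_LEN, &f));
    f = false;
    printf("out-of-bounds x=12 -> flag=%d (architecturally)\n",
           leak_gadget_vulnerable(12, BITSTREAM_LEN, &f));
    printf("index_mask_nospec(12, %d) = %zu\n", BITSTREAM_LEN,
           index_mask_nospec(12, BITSTREAM_LEN));
    return 0;
}
```

All three gadgets return the same architectural result; the difference is only visible microarchitecturally, which is exactly why a code review cannot spot the leak by reading return values. The masked version is what to prefer on request paths that run thousands of times per second, since a barrier on every lookup is what makes the fence variant costly.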
The details of the NetSpectre attack come almost two weeks after Intel paid out a $100,000 bug bounty to a team of researchers for finding and reporting new processor vulnerabilities that were also related to Spectre variant 1.
In May this year, security researchers from Microsoft and Google also reported Spectre variant 4 (Speculative Store Bypass), affecting modern CPUs in millions of computers, including those marketed by Apple.
No malware has so far been found exploiting any of the Spectre or Meltdown variants, or their sub-variants, in the wild.
Intel said it has updated its white paper [PDF] titled “Analyzing potential bounds check bypass vulnerabilities” to include information related to the ‘NetSpectre’ attack.