Researcher: Spectre CPU flaws can be used to break into the highly privileged CPU mode on Intel x86 systems

Security experts from Eclypsium have devised a new Spectre attack variant that allows an attacker to recover data stored in CPU System Management Mode (SMM).

SMM is an operating mode of the x86 CPU in which all normal execution, including the operating system, is suspended. When the CPU enters SMM, part of the UEFI/BIOS firmware runs with higher privileges and has access to all data and hardware.

Eclypsium's experts based their research on the public proof-of-concept code for the Spectre variant tracked as CVE-2017-5753, using it to bypass Intel's System Management Range Register (SMRR) mechanism and access the contents of System Management RAM (SMRAM), the memory that holds the SMM code and its working data. Eclypsium's research shows that because SMM usually has privileged access to physical memory, including memory isolated from the operating system, Spectre attacks can uncover secrets in memory (such as those belonging to hypervisors, operating systems, or applications). These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by range registers, such as SMM memory. This can expose SMM code and data that were meant to be confidential, reveal other SMM vulnerabilities, and disclose secrets stored in SMM.

The researchers explained: “These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory. This can expose SMM code and data that was intended to be confidential, revealing other SMM vulnerabilities as well as secrets stored in SMM. Additionally, since we demonstrate that the speculative memory access occurs from the context of SMM, this could be used to reveal other secrets in memory as well.”

Eclypsium reported the new attack technique to Intel in March. The security updates Intel released in response to Spectre variant 1 and Spectre variant 2 should be sufficient to mitigate this new attack.

Source: ZDNet