Researchers from Google and Microsoft have revealed a new CPU design flaw, affecting most modern processors, that is similar to the already disclosed Spectre and Meltdown flaws.
The flaw affects CPUs made by Intel, AMD, Arm, and IBM that use speculative execution to boost performance by predicting which instructions will be executed next.
The new flaw adds a fourth variant to the three disclosed in January: Spectre Variant 1, Spectre Variant 2 and Meltdown (Variant 3).
Variant 4 is a speculative store bypass (SSB) flaw tagged as CVE-2018-3693 that may allow a local attacker to perform cache timing side-channel analysis to read privileged memory. The flaw was independently discovered by Google Project Zero’s Jann Horn, who found the first three variants, and Microsoft researcher Ken Johnson.
Another flaw in CPU speculative execution dubbed Variant 3a, which is more closely related to Meltdown, is called Rogue System Register Read (RSRE) and has been assigned CVE-2018-3640.
Other software could be vulnerable; however, Microsoft hasn’t identified any of its own software that contains the specific instruction sequences that would need to occur in order to exploit Variant 4. Hence, the company considers the risk to customers “low”.
Intel has developed and distributed beta microcode updates to its partners and also considers the bug to be of “moderate severity”. Nonetheless, the flaw affects all Intel Core chips through to the current 8th Generation processors, as well as Xeon, Atom, Celeron and Pentium processors.
Details of the flaw were published today because it exceeded Google Project Zero’s 90-day disclosure deadline plus the group’s 14-day grace period. Horn reported it on February 6 to AMD, Arm, and Intel. According to Google, Microsoft informed Google in May that it had already disclosed the issue to industry partners in November 2017 as part of its Coordinated Vulnerability Disclosure process.
Another reason Variant 4 is considered less severe than the first batch of Meltdown and Spectre flaws is that mitigations for Spectre Variant 1 employed by browsers do a lot to mitigate Variant 4. These browser mitigations introduced in Chrome, Safari, Edge, IE, and Firefox reduced the precision of timers that an attacker could use to read values from memory necessary to exploit the flaws.
Microsoft posted a table showing that all mitigations that apply to Variant 1 also cover Variant 4 with the exception of “Speculative Store Bypass Disable” (SSDB), which Intel and AMD are delivering in new microcode updates that will be distributed by hardware vendors as BIOS and software updates.
Interestingly, Intel notes that its SSDB microcode update will include a bit that sets the mitigation to be off by default, and the company expects most of its industry software partners to keep the default-off option.
That could be because no one has observed the flaw being used in attacks in the wild yet. However, the optional protection may also impose a significant performance overhead.
In testing, Intel found that with SSDB enabled, CPU performance could be negatively affected by between 2 and 8 percent on client and server hardware. Its microcode update also addresses Variant 3a, but Intel has found “no meaningful performance impact” from this mitigation on client or server hardware. AMD also recommends the mitigation remain disabled.
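Because the SSDB mitigation ships off by default, a practitioner will want to confirm its state on each host rather than assume the microcode update enabled it. The following added example (not part of the article or any vendor's tooling) does that on Linux; it assumes the kernel's sysfs status file /sys/devices/system/cpu/vulnerabilities/spec_store_bypass and the "ssbd" flag in /proc/cpuinfo, which patched kernels expose when the microcode supports the mitigation, and it also classifies constructed sample inputs so it can be run on a machine without those files.

```python
"""Report Variant 4 (Speculative Store Bypass) mitigation status on Linux.

Added example, not from the article. Assumes the Linux sysfs file
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass and the "ssbd"
cpuinfo flag that patched kernels expose when SSBD microcode is present.
"""
from pathlib import Path

SYSFS_SSB = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")
CPUINFO = Path("/proc/cpuinfo")

# Constructed sample inputs (status line, cpuinfo flags) for offline use.
SAMPLES = {
    "default_off_with_microcode": ("Vulnerable\n", "fpu vme sse ssbd"),
    "no_microcode": ("Vulnerable\n", "fpu vme sse"),
    "enabled": ("Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n", "ssbd"),
    "unaffected": ("Not affected\n", ""),
}


def classify_ssb(status_line: str, cpu_flags: str) -> dict:
    """Map the kernel status line plus cpuinfo flags to a verdict.

    The kernel reports "Not affected", "Vulnerable", or a line starting with
    "Mitigation:"; the flag list tells us whether SSBD microcode is loaded.
    """
    status = status_line.strip()
    has_ssbd = "ssbd" in cpu_flags.split()
    if status == "Not affected":
        verdict = "not_affected"
    elif status.startswith("Mitigation:"):
        verdict = "mitigated"
    elif status == "Vulnerable":
        # "Vulnerable" with ssbd present is the vendor default-off state:
        # the microcode can mitigate, but nothing has switched it on.
        verdict = "vulnerable_ssbd_available" if has_ssbd else "vulnerable_no_microcode"
    else:
        verdict = "unknown"
    return {"status": status, "ssbd_microcode": has_ssbd, "verdict": verdict}


def check_host() -> dict:
    """Classify the live host; unreadable files yield an 'unknown' verdict."""
    try:
        status = SYSFS_SSB.read_text()
    except OSError:
        status = ""
    flags = ""
    try:
        for line in CPUINFO.read_text().splitlines():
            if line.startswith("flags"):
                flags = line.split(":", 1)[1]
                break
    except OSError:
        pass
    return classify_ssb(status, flags)


if __name__ == "__main__":
    for name, (status, flags) in SAMPLES.items():
        print(name, classify_ssb(status, flags)["verdict"])
    print("this host:", check_host())
```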