A research group has discovered a new vulnerability (CVE-2018-5407) in current Intel CPUs that allows malicious code to read any data from another process. The Side Channel Attack is directed to simultaneous multi-threading (SMT), which Intel implements as Hyper-Threading, and can clip data from a second thread to the same CPU core. Previous information suggests that a successful attack is extremely complex and the risk of attack is considered “moderate” (CVSS v3 score 4.8 out of 10). The five researchers from the Universities of Tampere (Finland) and Havana (Cuba) assume that the “PortSmash” baptismal vulnerability can fundamentally endanger all CPUs with SMT architecture. They’ve tested their discovery on Intel CPUs from the Skylake and Kaby Lake microarchitectures. Other CPU architectures with SMT, in particular AMD’s Ryzen, the researchers want to make next. However, Billy Brumley, one of the participants, is already convinced that AMD CPUs are also vulnerable, writes ZDNet. When running multiple threads concurrently on the same CPU core, the corresponding malicious code in one thread can read data from another thread. The proof-of-concept code for PortSmash (which the researchers have already provided on GitHub) reads a P-384 private key of a TLS encryption with OpenSSL (up to version 1.1.0h). Further technical details on PortSmash are expected to be provided by the researchers, which will soon be available from the Cryptology ePrint Archive titled “Port Contention for Fun and Profit”.
Brumley explained on ZDNet that PortSmash is running in userspace and does not need root privileges. The attack does not apply to the main memory or the cache. Rather, the researchers looked at sharing the execution unit of a CPU and determined from the occurring port contention (hence the name PortSmash) a timing that allowed them the side channel attack. Brumley sees a large attack surface mainly in IaaS environments (Infrastructure as a Service), in which virtual machines of several cloud customers – despite logical separation – have to share physical CPU cores. Intel has now confirmed the problem, but has not yet commented on a possible remedy from their own side, reports Ars Technica. Rather, software developers (especially library developers) should be careful to prevent possible side channel attacks. The OpenSSL developers have already responded by providing patches for versions 1.1.1 and 1.1.0i.
The summer also saw a side-channel attack on Intel CPUs called TLBleed, which also targeted hyper-threading, but also relied on information from the Translation Lookaside Buffer (a cache component). In the light of the previously known Specter loopholes, the OpenBSD development team decided to take the radical step of turning off Hyper-Threading in their distribution by default – which is what the PortSmash discoverers are currently recommending.