A newly discovered chip vulnerability leaves owners of most Core processors susceptible to yet another side channel attack similar to Spectre and Meltdown. Fortunately, the fallout from this one shouldn't be as far reaching as those, nor is it as serious.
In a security bulletin, Intel refers to the new attack vector as a "Lazy FP state restore" bug. Red Hat is calling it a "Lazy FPU Restore" flaw. Both refer to the same thing, which is a speculative execution side channel attack affecting Sandy Bridge and newer Core processors.
"System software may utilize the Lazy FP state restore technique to delay the restoring of state until an instruction operating on that state is actually executed by the new process. Systems using Intel Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel," Intel explains.
Put another way, the flaw provides another means for an attacker to pluck sensitive information from affected systems, and specifically from running applications, including cryptographic operations. The bug takes advantage of a performance optimization in FPU context switching: the "lazy" deferral of restoring floating-point state described in the Intel statement above.
"A task/context switch occurs when a user application calls a kernel function or when a process is preempted to schedule the next one in the queue. Upon a task switch, the processor saves its current execution context (various registers, instruction and stack pointers, etc.) and loads the context of the new process. While doing so, it can defer restoring of FPU/SSE context state, because not all applications use the Floating Point Unit (FPU)," Red Hat explains.
A bug in Intel's Core processors allows an attacker to access those various registers and the information they contain. Colin Percival, a computer scientist and FreeBSD security officer, points out that AES encryption keys are almost always stored in SSE registers, which are affected by this bug. He also notes that there is a "narrow window for execution," and that "it's much harder than Meltdown was."
Percival tweeted on June 13, 2018: "So about that "Lazy FPU" vulnerability (CVE-2018-3665)... this probably ought to be a blog post, but the embargo just ended and I think it's important to get some details out quickly."
Intel lists the vulnerability as only "Moderate," adding that it's already been patched in many instances.
"The Lazy FP state restore issue is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products," Intel told HotHardware. "Our industry partners are working on software updates to address the issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well."
According to BleepingComputer, this vulnerability does not require any microcode updates like Spectre and Meltdown did. Instead, it can be fixed entirely by OS patches. Furthermore, those patches are not expected to introduce any performance penalties.
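As an added example (not from the article, Intel or Red Hat), here is a small Python triage script that reports whether a Linux host is running with eager FPU restore, which is the OS-level fix the article describes. It assumes upstream kernel behaviour: lazy mode was removed in 4.9, and older kernels show an "eagerfpu" flag in /proc/cpuinfo and honour an "eagerfpu=" boot parameter; the /proc contents embedded in the block are constructed samples.

```python
import re

# Constructed sample inputs (what /proc/version, /proc/cpuinfo and /proc/cmdline
# might contain); real values come from the files of the same name.
SAMPLE_VERSION = "Linux version 3.10.0-862.el7.x86_64 (mockbuild@x86-01) ..."
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse sse2 xsaveopt eagerfpu\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 root=/dev/sda1 ro\n"

def kernel_version(proc_version):
    """Parse 'Linux version X.Y...' into (X, Y); None if absent."""
    m = re.search(r"Linux version (\d+)\.(\d+)", proc_version)
    return (int(m.group(1)), int(m.group(2))) if m else None

def cpu_flags(proc_cpuinfo):
    """Collect the 'flags' entries of /proc/cpuinfo into a set."""
    flags = set()
    for line in proc_cpuinfo.splitlines():
        if line.startswith("flags"):
            flags.update(line.split(":", 1)[1].split())
    return flags

def assess_lazy_fpu(proc_version, proc_cpuinfo, proc_cmdline):
    """Return (verdict, reason); verdict is 'eager' (safe), 'lazy' or 'unknown'.
    Heuristic: distribution kernels backport fixes, so the version test is only
    a first cut; the cpuinfo flag is the stronger signal on older kernels."""
    ver = kernel_version(proc_version)
    if ver is None:
        return "unknown", "could not read a kernel version"
    if ver >= (4, 9):
        return "eager", "kernel %d.%d: upstream removed lazy FPU restore in 4.9" % ver
    param = re.search(r"\beagerfpu=(\w+)", proc_cmdline)
    if param and param.group(1) == "off":
        return "lazy", "boot parameter eagerfpu=off forces lazy restore"
    if "eagerfpu" in cpu_flags(proc_cpuinfo) or (param and param.group(1) == "on"):
        return "eager", "eager FPU restore is active on this pre-4.9 kernel"
    return "lazy", "pre-4.9 kernel without eager restore: exposed until patched"

def check_running_system():
    """Read the live /proc files and assess them (Linux only)."""
    with open("/proc/version") as v, open("/proc/cpuinfo") as c, open("/proc/cmdline") as k:
        return assess_lazy_fpu(v.read(), c.read(), k.read())

if __name__ == "__main__":
    print(assess_lazy_fpu(SAMPLE_VERSION, SAMPLE_CPUINFO, SAMPLE_CMDLINE))
```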