Weaponized Spectre Exploit Spotted

Mr. Bluntman
Last month, a "fully weaponized exploit for the Spectre CPU vulnerability" was uploaded to the malware scanning website VirusTotal, which makes this the first exploit capable of doing real, actual harm to anything running vulnerable CPUs.

This is disconcerting to say the least. I don't want to wear a tinfoil hat, but to the unwise, I can see this creating a lot of havoc for some people and businesses that aren't up to date on patching vulnerabilities.

Link: https://fudzilla.com/news/52442-spectre-gets-weaponised

What are your thoughts on this? Do you think this is something to be concerned about or not? Discuss.
 
I thought Spectre was primarily involved with processes being able to steal data from each other due to how CPU branch prediction and speculative execution was implemented. Because of this we were most concerned with shared hardware running VMs from third parties.

Most of us don't use our systems that way.

For those that do, we should be able to just disable CPU branch prediction and speculative execution temporarily until the affected systems can be replaced. Yes, there would be a huge performance loss, but not the end of the world. I mean, Spectre has been mitigated in hardware in all CPUs released since 2019, so at some point these older systems would need to be upgraded anyway.
 
Glad I swapped to AMD :D
Pre-2019 AMD CPUs are not immune to Spectre.

As I recall, the only known CPUs with branch prediction and speculative execution (almost all modern CPUs) released prior to 2019 that are immune to Spectre are IBM's POWER9 arch, and a handful of ARM architectures (A53, A32, A7 and A5).
 
I thought Spectre was primarily involved with processes being able to steal data from each other due to how CPU branch prediction and speculative execution was implemented. Because of this we were most concerned with shared hardware running VMs from third parties.
That seems to be what these are doing, probably? The article is super light on details and doesn't have any links to anything useful. However it says the Linux one steals /etc/shadow which is the password database for the system. That would then allow them to try and crack the passwords.
 
That seems to be what these are doing, probably? The article is super light on details and doesn't have any links to anything useful. However it says the Linux one steals /etc/shadow which is the password database for the system. That would then allow them to try and crack the passwords.

Yeah, so that sounds like a form of privilege escalation.

I guess the saving grace here is that they already have to be on your machine in order to use this attack.
 
Yeah, so that sounds like a form of privilege escalation.

I guess the saving grace here is that they already have to be on your machine in order to use this attack.
A weak form if all they can do is steal the shadow file, as the passwords are hashed and salted so good ones are hard to crack. Maybe the exploit is something more serious, like I said the article is garbage. A better article claims that it does that (and the same thing on Windows with the SAM database) but on Windows can also steal Kerberos tickets if you are in a domain and use those to log in to the other system and move laterally.

So ya, like most information leak exploits it is not very relevant to home users, and something to watch for in an enterprise but not as big a deal as it might first sound.

For Linux systems the risk is that if you have weak passwords in your shadow file, those could be cracked. If one of those weak passwords is root they could then get root access, if those passwords are reused elsewhere they could lead to logins in other places. However if the passwords are strong, it really isn't a problem as rainbow tables and other precomputed attacks don't work against salted hashes and brute forcing SHA-256/512 which is what most use these days, is pretty damn slow.

For Windows systems getting the SAM file is much the same, but can be easier to crack since it uses a weaker hash and unsalted hashes. It does have other encryption on top, particularly in Windows 10, but presuming you get right at the files it is easier to deal with. Still, a sufficiently strong password means you can't do anything with it, but it has to be stronger to resist an attack. This is for local accounts, or domain accounts in a domain that allows account caching. Also in a domain you have Kerberos tickets that allow for single sign-on; those can be stolen, and then used to log in to other systems (for a limited time). So anything that a given user has access to they could potentially get at.

So not something to ignore, but not something to get super worked up about. It could be used to steal credentials similar to a phishing attempt or keylogger.
 
A weak form if all they can do is steal the shadow file, as the passwords are hashed and salted so good ones are hard to crack.
All those miners running GPU farms can take a break & run password crackers for a while, maybe.
 
Pre-2019 AMD CPUs are not immune to Spectre.

As I recall, the only known CPUs with branch prediction and speculative execution (almost all modern CPUs) released prior to 2019 that are immune to Spectre are IBM's POWER9 arch, and a handful of ARM architectures (A53, A32, A7 and A5).
It was only 1 out of the three versions of Spectre that AMD CPUs were vulnerable to, and it required root permissions to pull off, pretty much making the concern of it null and void.
I believe it was the same for ARM CPUs from the Cortex variants and later; pre-Cortex were 100% immune.
 
Yeah, so that sounds like a form of privilege escalation.

I guess the saving grace here is that they already have to be on your machine in order to use this attack.
Not necessarily.
Going from one hosted VM to another using this, just like the original proof-of-concept exploit, would definitely do the trick.

This is probably a bigger concern for enterprises, hosting services, and data centers more so than personal use, but that doesn't give it a pass to remain insecure.
 
For Windows systems getting the SAM file is much the same, but can be easier to crack since it uses a weaker hash and unsalted hashes. It does have other encryption on top, particularly in Windows 10, but presuming you get right at the files it is easier to deal with. Still, a sufficiently strong password means you can't do anything with it, but it has to be stronger to resist an attack. This is for local accounts, or domain accounts in a domain that allows account caching. Also in a domain you have Kerberos tickets that allow for single sign-on; those can be stolen, and then used to log in to other systems (for a limited time). So anything that a given user has access to they could potentially get at.

So not something to ignore, but not something to get super worked up about. It could be used to steal credentials similar to a phishing attempt or keylogger.

A weak Windows password or weak passwords for things inside the SAM file? If it's internal to the SAM file, does it matter for a home user? I'm not really clear what passwords would be in there.
 
A weak Windows password or weak passwords for things inside the SAM file? If it's internal to the SAM file, does it matter for a home user? I'm not really clear what passwords would be in there.
User accounts are what is in the SAM file. For a home system, ya not much really useful. However what could happen is if the password they use for their local account is the same as online accounts. But this really is an enterprise type attack.
 
I thought Spectre was primarily involved with processes being able to steal data from each other due to how CPU branch prediction and speculative execution was implemented. Because of this we were most concerned with shared hardware running VMs from third parties.
Spectre can also be exploited in a web browser via JavaScript. Which is not surprising given that other hardware vulnerabilities (Rowhammer, Meltdown, ZombieLoad, etc.) are similarly exploitable via the browser. Most browsers have mitigations now, but these mostly rely on making clocks less accurate. If you find a suitable substitute clock, then you can circumvent the mitigation.
 
User accounts are what is in the SAM file. For a home system, ya not much really useful. However what could happen is if the password they use for their local account is the same as online accounts. But this really is an enterprise type attack.
Thanks. I think I just need to update the bios on my computer and I’m protected (6700k using a Maximus VIII MB), which suits me fine, since I don’t feel like building a new computer (this one is good enough).
 
Thanks. I think I just need to update the bios on my computer and I’m protected (6700k using a Maximus VIII MB), which suits me fine, since I don’t feel like building a new computer (this one is good enough).
It's good enough right now.
After you patch, that might be a different story.

I patched my i7 6700K Z170 motherboard up until it was no longer supported in late 2019, and by the end the performance felt like an i5 6500 at best.
Definitely be secure, just be aware of the upcoming performance penalties, depending on the task.

These patches hit the performance of Skylake and Kaby Lake the hardest, unfortunately.
 
It's good enough right now.
After you patch, that might be a different story.

I patched my i7 6700K Z170 motherboard up until it was no longer supported in late 2019, and by the end the performance felt like an i5 6500 at best.
Definitely be secure, just be aware of the upcoming performance penalties, depending on the task.

These patches hit the performance of Skylake and Kaby Lake the hardest, unfortunately.

Well that sucks. I guess on the plus side, I've had this rig for over 5 years, so I can't say I didn't get my money's worth out of it.
 
Thanks. I think I just need to update the bios on my computer and I’m protected (6700k using a Maximus VIII MB), which suits me fine, since I don’t feel like building a new computer (this one is good enough).
Updated Windows 10 also has mitigations built in to it.
 
Well that sucks. I guess on the plus side, I've had this rig for over 5 years, so I can't say I didn't get my money's worth out of it.
Tell me about it, and that's exactly how I felt, haha.
If all you do is gaming then it might not make too much of a hit, but for VMs, video editing, and anything else it was most definitely noticeable.
Updated Windows 10 also has mitigations built in to it.
You're right, there were quite a few, depending on the OS, such as the Meltdown patch.
Not all of these were fixable at the OS-level, and many had to alter the microcode in the BIOS/UEFI, and that can only happen at boot.
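Since the two posts above split the fix between OS patches and microcode loaded at boot, here is a check added for this thread (not from the article) that reads the per-issue status lines a Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities/ and flags what still needs action. A line beginning "Vulnerable" means the kernel knows the issue but has no working mitigation, and "no microcode" in that line is exactly the case where the OS side is patched but the CPU microcode update is not. The sample directory is constructed from real kernel status strings so the demo runs on any machine; `SAMPLE`, `build_sample_dir` and `needs_action` are names chosen here.

```python
"""Report which speculative-execution issues a Linux kernel still calls vulnerable.

Added example for this thread, not from the article. One file per issue lives
under /sys/devices/system/cpu/vulnerabilities/; the SAMPLE dict is a
constructed directory built from real status strings so the demo runs anywhere.
"""
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(line: str) -> str:
    """Map one sysfs status line to not-affected / mitigated / vulnerable / unknown."""
    s = line.strip()
    if s.startswith("KVM: "):          # itlb_multihit reports via the hypervisor prefix
        s = s[5:]
    if s == "Not affected":
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"                   # e.g. "Unknown: Dependent on hypervisor status"


def read_report(directory=SYSFS_DIR) -> dict:
    """{issue: (state, raw_line)} for every file in the directory."""
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            raw = path.read_text().strip()
            report[path.name] = (classify(raw), raw)
    return report


def needs_action(report: dict) -> dict:
    """Unmitigated issues, plus mitigated ones the kernel still flags as SMT-exposed."""
    out = {}
    for issue, (state, raw) in report.items():
        if state == "vulnerable":
            reason = "no mitigation active"
            if "no microcode" in raw:
                reason += " (microcode update missing)"
            out[issue] = reason
        elif state == "mitigated" and "SMT vulnerable" in raw:
            out[issue] = "mitigated, but SMT still exposes it"
    return out


# Constructed sample: real status strings as the kernel prints them.
SAMPLE = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling",
    "meltdown": "Mitigation: PTI",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "tsx_async_abort": "Not affected",
    "itlb_multihit": "KVM: Mitigation: Split huge pages",
    "srbds": "Unknown: Dependent on hypervisor status",
}


def build_sample_dir() -> Path:
    """Write SAMPLE into a temporary directory shaped like the sysfs one."""
    d = Path(tempfile.mkdtemp(prefix="vulns-"))
    for name, line in SAMPLE.items():
        (d / name).write_text(line + "\n")
    return d


if __name__ == "__main__":
    target = SYSFS_DIR if SYSFS_DIR.is_dir() else build_sample_dir()
    report = read_report(target)
    for issue, (state, raw) in report.items():
        print(f"{issue:18} {state:13} {raw}")
    print("needs action:", needs_action(report) or "nothing")
```

On a live box the script reads the real directory and the sample is only the fallback; the microcode case is the one to watch after a BIOS update, because the kernel line flips from "Vulnerable: ... no microcode" to "Mitigation: ..." only once the new microcode has actually been loaded at boot.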
 
Pre-2019 AMD CPUs are not immune to Spectre.

As I recall, the only known CPUs with branch prediction and speculative execution (almost all modern CPUs) released prior to 2019 that are immune to Spectre are IBM's POWER9 arch, and a handful of ARM architectures (A53, A32, A7 and A5).
My understanding was that "technically" the AMD CPUs were vulnerable, but researchers weren't able to demonstrate the vulnerability, whereas on Intel hardware they could demonstrate it. Possibly more difficult to exploit on the AMD chips?
 
Tell me about it, and that's exactly how I felt, haha.
If all you do is gaming then it might not make too much of a hit, but for VMs, video editing, and anything else it was most definitely noticeable.

You're right, there were quite a few, depending on the OS, such as the Meltdown patch.
Not all of these were fixable at the OS-level, and many had to alter the microcode in the BIOS/UEFI, and that can only happen at boot.
I'm actually pretty light on computing these days, but I may get back into photography (or at least go back through the thousands of unprocessed photos I've got sitting on here). Gaming I don't do much of, and I'm honestly thinking of either moving to a console or building a small rig to attach to my TV for gaming, but that's not a high priority right now. Most of my gaming these days consists of pinball simulators, which I can do on an Xbox or over Steam Link.
 
My understanding was that "technically" the AMD CPUs were vulnerable, but researchers weren't able to demonstrate the vulnerability, whereas on Intel hardware they could demonstrate it. Possibly more difficult to exploit on the AMD chips?
How AMD handles the memory and cache does make it more difficult to actually get anything out of the exploits, and part of the Spectre/Meltdown and other side-channel exploits involves the Intel Management Engine Interface, which AMD doesn't have an equivalent of, so the side-channel attacks don't get the same level of access to the CPU. You have to go about it in a more roundabout manner that requires root-level access to start. So really, if you can get an AMD system to the point where you can exploit it, you have already gotten it to the point where it's not needed; there are just easier ways to break into the system in their case. Don't for a minute think that AMDs are more secure on the firewall-hardening side of things. I have to run a profile for AMD just as much as I do for Intel; they just have different exploits, and due to market share and bug bounty programs, Intel's are just far more prominent.
 