Security vendor Bitdefender has disclosed details of a new speculative execution security vulnerability in Intel CPUs dating back to 2012, which could be used to steal sensitive information including passwords from a computer. The newly discovered issue, named SWAPGS, could also negate all the patches so far released for the infamous Spectre and Meltdown flaws. According to Bitdefender, the issue was first discovered over a year ago, and the company has been working with Intel and other ecosystem stakeholders in order to minimise its impact. Public disclosure was withheld till just now, at the ongoing Black Hat security conference, where Bitdefender has released a detailed whitepaper on its research.
The flaw follows the highly publicised Spectre and Meltdown speculative execution vulnerabilities, as well as other similar flaws that have been discovered since. All Intel CPUs starting with the Ivy Bridge generation, first released in 2012, are particularly affected by these issues due to the fundamental design of their architecture. AMD has released a statement saying that it believes its products are unaffected, though this has not yet been confirmed by third-party research.
Speculative execution refers to a CPU’s way of speeding up operations by pre-emptively running instructions that might be needed in the future, in order to make sure that the CPU pipeline is not waiting for data and can successfully utilise all its resources simultaneously rather than waiting for one instruction to complete before its result can be applied to further calculations. Security flaws arise when the CPU is allowed to speculatively execute instructions that require secure data, which should only be accessed when sufficient privileges are granted. Attackers can craft instructions that intercept that data while it is being accessed in this manner.
The SWAPGS instruction is used by Intel CPUs when switching between the secure (kernel mode) and open (user mode). A sophisticated attacker could exploit the way that Windows issues instructions to intercept sensitive data that should have been in the privileged kernel memory space.
In a statement published by The Inquirer, Intel has stated: “Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft. It takes the ecosystem working together to collectively keep products and data more secure, and this issue is being coordinated by Microsoft.”
Microsoft released a security patch addressing this issue in July 2019 without publicising it, but has now published its own disclosure. This patch is recommended, since previous patches for Spectre and Meltdown, amongst other similar issues, will not protect against SWAPGS.
Red Hat has also published an advisory stating that it does not believe that SWAPGS can be exploited on operating systems based on the Linux kernel, but users can update and reboot their systems just in case.
Bitdefender has published a detailed whitepaper on the SWAPGS vulnerability, in which it states that the AMD CPUs it tested were not affected, and that it doesn’t believe that other architectures including ARM will be vulnerable, though there is a possibility that other equivalent exploits might exist.