What a horrible year in security for Intel. First we had the Meltdown and Spectre vulnerabilities that never seem to go away. Now Intel has announced a new speculative execution side channel vulnerability involving “Lazy FP state restore” that could allow a malicious program to read data being used by other processes.
According to Intel, this new vulnerability affects all Intel Core-based microprocessors. Because the flaw is in the CPU itself rather than in any one operating system, Windows, Linux, BSD, or any other operating system running on an Intel Core-based CPU is exposed if it uses “Lazy FPU context switching”.
“Lazy FPU context switching” is a performance optimization used by operating systems: instead of saving and restoring the FPU (Floating Point Unit) register state on every context switch, the kernel marks the FPU as unavailable and performs the save and restore only when the newly scheduled process actually executes its first FPU instruction and traps. On modern x86 CPUs that state covers not just the x87 floating-point registers but also the SSE and AVX registers. Until the trap fires, the registers still physically hold the previous process’s values, and the bug in the Intel CPUs is that speculative execution can run FPU instructions before the trap is taken, so a process can infer the contents of those registers, and with them another process’s data, through a side channel.
The problem is that these registers are used for a variety of tasks, including cryptography: AES-NI implementations, for example, keep round keys and intermediate state in the SSE (XMM) registers. An attacker who can recover those values has a much easier job of reconstructing an encryption key.
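To make the mechanism concrete, here is an added C model of lazy versus eager FPU switching. It is illustrative code written for this article, not Intel’s, Colin Percival’s, or any kernel’s code: the register file, the CR0.TS “FPU unavailable” flag, the #NM trap handler and the two switching policies are reduced to a few lines, and the four-register file and the “secret” value are constructed for the demo. The speculative read simply returns whatever the register file physically holds; in the real attack that value is recovered indirectly through a cache side channel rather than returned directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NREGS 4                      /* toy register file standing in for x87/SSE/AVX state */
#define SECRET 0xC0FFEE5EC12E7ULL    /* constructed "key material", e.g. an AES-NI round key */

enum switch_mode { SWITCH_LAZY, SWITCH_EAGER };

struct task {
    uint64_t fpu_state[NREGS];       /* saved copy kept in kernel memory (the task struct) */
};

struct cpu {
    uint64_t fpu_regs[NREGS];        /* the one physical register file, shared by all tasks */
    int cr0_ts;                      /* 1 = FPU marked unavailable: next FPU insn traps (#NM) */
    struct task *fpu_owner;          /* task whose values are physically in fpu_regs */
    struct task *current;            /* task the scheduler is running */
};

/* Scheduler switches from c->current to next. */
static void context_switch(struct cpu *c, struct task *next, enum switch_mode mode)
{
    if (mode == SWITCH_EAGER) {
        /* Eager: save the outgoing task's registers and load the incoming task's
         * on every switch, so the register file never holds another task's data. */
        if (c->current)
            memcpy(c->current->fpu_state, c->fpu_regs, sizeof c->fpu_regs);
        memcpy(c->fpu_regs, next->fpu_state, sizeof c->fpu_regs);
        c->fpu_owner = next;
        c->cr0_ts = 0;
    } else {
        /* Lazy: leave the registers alone and only arm the trap. The previous
         * task's values stay in the register file until someone uses the FPU. */
        c->cr0_ts = 1;
    }
    c->current = next;
}

/* #NM (device-not-available) handler: the deferred save/restore of lazy mode. */
static void handle_nm(struct cpu *c)
{
    if (c->fpu_owner && c->fpu_owner != c->current)
        memcpy(c->fpu_owner->fpu_state, c->fpu_regs, sizeof c->fpu_regs);
    memcpy(c->fpu_regs, c->current->fpu_state, sizeof c->fpu_regs);
    c->fpu_owner = c->current;
    c->cr0_ts = 0;
}

/* Architectural FPU write: if the FPU is marked unavailable the trap runs first. */
static void fpu_write(struct cpu *c, int reg, uint64_t v)
{
    if (c->cr0_ts)
        handle_nm(c);
    c->fpu_regs[reg] = v;
}

/* Architectural FPU read: same rule, so a task only ever sees its own state. */
static uint64_t fpu_read_architectural(struct cpu *c, int reg)
{
    if (c->cr0_ts)
        handle_nm(c);
    return c->fpu_regs[reg];
}

/* Speculative FPU read, the CVE-2018-3665 behaviour: the core executes the
 * instruction before the #NM trap is delivered, so whatever is physically in
 * the register file is observable (via a cache side channel in reality). */
static uint64_t fpu_read_speculative(struct cpu *c, int reg)
{
    return c->fpu_regs[reg];
}

/* Victim stores SECRET in register 0, the scheduler switches to the attacker,
 * and the attacker reads register 0 either speculatively or architecturally. */
static uint64_t run_scenario(enum switch_mode mode, int speculative)
{
    struct cpu c;
    struct task victim, attacker;
    memset(&c, 0, sizeof c);
    memset(&victim, 0, sizeof victim);
    memset(&attacker, 0, sizeof attacker);
    c.cr0_ts = 1;                    /* fresh CPU: nobody owns the FPU yet */
    context_switch(&c, &victim, mode);
    fpu_write(&c, 0, SECRET);
    context_switch(&c, &attacker, mode);
    return speculative ? fpu_read_speculative(&c, 0) : fpu_read_architectural(&c, 0);
}

uint64_t leaked_by_speculative_read(enum switch_mode mode) { return run_scenario(mode, 1); }
uint64_t seen_by_architectural_read(enum switch_mode mode) { return run_scenario(mode, 0); }

int main(void)
{
    printf("lazy,  speculative read:   %#llx\n", (unsigned long long)leaked_by_speculative_read(SWITCH_LAZY));
    printf("lazy,  architectural read: %#llx\n", (unsigned long long)seen_by_architectural_read(SWITCH_LAZY));
    printf("eager, speculative read:   %#llx\n", (unsigned long long)leaked_by_speculative_read(SWITCH_EAGER));
    return 0;
}
```

With lazy switching the speculative read returns the victim’s SECRET while an ordinary read returns the attacker’s own zeroed state, which is exactly why the bug is invisible to the architectural contract but visible to a side channel; with eager switching the register file is overwritten at every switch and the speculative read sees nothing but the attacker’s own state. That is the whole reason eager FPU restore closes the hole without new microcode.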
Thankfully, researchers stated that this vulnerability would be difficult to exploit from a web browser, so its impact is lower than that of previous speculative execution vulnerabilities such as Meltdown. You can read more about the technical aspects of this vulnerability in this Twitter thread by Colin Percival.
So about that “Lazy FPU” vulnerability (CVE-2018-3665)… this probably ought to be a blog post, but the embargo just ended and I think it’s important to get some details out quickly.
— Colin Percival (@cperciva) June 13, 2018
Intel has told internetnewsblog that this vulnerability has been addressed by operating system and hypervisor software for many years.
“This issue, known as Lazy FP state restore, is similar to Variant 3a. It has already been addressed for many years by operating system and hypervisor software used in many client and data center products. Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and we are thankful to Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH, Zdenek Sojka from SYSGO AG, and Colin Percival for reporting this issue to us. We strongly encourage others in the industry to adhere to coordinated disclosure as well.”
Vendors rush to release advisories
Rumors about this bug have been circulating since OpenBSD and DragonFly BSD posted notices about patches that fixed a rumored Intel vulnerability. The notices indicated that there was a suspected hardware issue related to the FPU registers in Intel CPUs and that the projects had decided to patch their operating systems proactively.
The good news is that this vulnerability does not require new CPU microcode from Intel; it can be fixed by operating system updates alone. Since Intel’s advisory was posted, various Linux distributions and Microsoft have published advisories for this vulnerability.
Below is a list of links to current advisories or information.
- Red Hat – To be resolved by future kernel updates for newer processors. Red Hat’s advisory also explains how to enable eager FPU restore mode (the eagerfpu=on kernel boot parameter), which is not affected by this vulnerability.
- Linux – Eager FPU state restore has been the default for all CPUs in the mainline kernel since 2016 (Linux 4.9), so if you are running a kernel from 4.9 onward you are not exposed to this vulnerability. The change is also being backported to older supported kernels.
- Xen Hypervisor
- Microsoft ADV180016 – This will be resolved by upcoming updates.
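As an added check written for this article (not taken from any of the advisories above), the C program below reads the running kernel’s release string and /proc/cmdline and reports whether lazy FPU switching can still be in use. It encodes two facts: mainline 4.9 and later have no lazy mode at all, and on older kernels eagerfpu=on, the boot parameter Red Hat’s advisory refers to, forces eager mode. Anything else is reported as “cannot rule out”, not “vulnerable”, because distribution kernels receive backports that a version number does not reveal; treat that result as a prompt to read your vendor’s advisory. The check is Linux-only, and the function names and the release strings and command lines used in its tests are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Parse "major.minor" from a uname -r style string such as "4.4.0-131-generic"
 * and report whether it is at least want_major.want_minor. Unparseable -> 0. */
int kernel_at_least(const char *release, int want_major, int want_minor)
{
    int major = 0, minor = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return 0;
    return major > want_major || (major == want_major && minor >= want_minor);
}

/* Look for eagerfpu=on as a whole, whitespace-separated word in a kernel
 * command line, so that e.g. a hypothetical "xeagerfpu=on" does not match. */
int cmdline_has_eagerfpu_on(const char *cmdline)
{
    const char *needle = "eagerfpu=on";
    size_t n = strlen(needle);
    const char *p = cmdline;
    while ((p = strstr(p, needle)) != NULL) {
        int starts_word = (p == cmdline) || p[-1] == ' ' || p[-1] == '\t';
        char after = p[n];
        int ends_word = after == '\0' || after == ' ' || after == '\t' || after == '\n';
        if (starts_word && ends_word)
            return 1;
        p += 1;
    }
    return 0;
}

/* 0: lazy FPU switching cannot be in use (mainline 4.9+ removed it, or
 *    eagerfpu=on forces eager mode on an older kernel).
 * 1: cannot be ruled out from version and command line alone; the kernel may
 *    still be safe via a vendor backport, so check the distribution advisory. */
int lazy_fpu_possible(const char *release, const char *cmdline)
{
    if (kernel_at_least(release, 4, 9))
        return 0;
    if (cmdline_has_eagerfpu_on(cmdline))
        return 0;
    return 1;
}

int main(void)
{
    struct utsname u;
    char cmdline[4096] = "";
    FILE *f;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    f = fopen("/proc/cmdline", "r");
    if (f) {
        if (!fgets(cmdline, sizeof cmdline, f))
            cmdline[0] = '\0';
        fclose(f);
    } else {
        fprintf(stderr, "cannot read /proc/cmdline, assuming no eagerfpu=on\n");
    }

    printf("kernel release: %s\n", u.release);
    printf("eagerfpu=on on command line: %s\n", cmdline_has_eagerfpu_on(cmdline) ? "yes" : "no");
    if (lazy_fpu_possible(u.release, cmdline))
        printf("lazy FPU switching cannot be ruled out: check your vendor's CVE-2018-3665 advisory\n");
    else
        printf("eager FPU restore in use: not exposed to CVE-2018-3665 via lazy switching\n");
    return 0;
}
```

Compile with cc -o lazyfpu lazyfpu.c and run it on each host; a 3.10-based RHEL 7 kernel without eagerfpu=on will report “cannot be ruled out” even after the vendor has shipped a fix, which is the intended conservative behaviour.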
This is a developing story; we will update this article as more advisories and information become available.
Updated 6/15/18 00:10: Updated to include statement from Intel