Experts propose a new variation of the Spectre attack to recover data from System Management Mode

Haythem Elmir
0 1
Read Time2 Minute, 44 Second

Researchers from Eclypsium proposed a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode.

Security experts from Eclypsium have devised a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode (SMM) (aka called ring -2).

The SMM is an operating mode of x86 CPUs in which all normal execution, including the operating system, is suspended.

When a code is sent to the SMM, the operating system is suspended and a portion of the UEFI/BIOS firmware executes various commands with elevated privileges and with access to all the data and hardware.

“The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and software applications.” readsWikipedia.

The SMM mode was first released with the Intel 386SL in the early 90s, Intel CPUs implements a memory protection mechanism known as a range register to protect sensitive contents of memory regions such as SMM memory.

SMM memory on Intel CPUs is protected by a special type of range registers known as System Management Range Register (SMRR).

Eclypsium experts based their study on a public proof-of-concept code for the Spectre variant 1 (CVE-2017-5753) vulnerability to bypass the SMRR mechanism and access to the content of the System Management RAM (SMRAM) that contains the SMM and where the SMM working data is executed.

“Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg. hypervisor, operating system, or application).” states the report published by Eclypsium.

“These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory. This can expose SMM code and data that was intended to be confidential, revealing other SMM vulnerabilities as well as secrets stored in SMM,” 

Spectre vulnerabilities

The experts ported the PoC code to a kernel driver and demonstrated it works from the kernel privilege level. Then they run they exploit code from the kernel privilege level against protected memory.

“The kernel-level PoC exploit provides access to different hardware interfaces, which gives attackers better control over the system hardware and access to different hardware interfaces such as physical memory, IO, PCI, and MMIO interfaces. It also provides access to interfaces at a higher privilege level, such as software SMI.” explained the researchers.

“Next, we integrated the PoC exploit into CHIPSEC in order to quickly expand our tests. In our first experiment, we tried to read protected SMRAM memory. We mapped the physical addresses of SMRAM into the virtual address space and then used the SMRAM addresses as the target of our exploit.” 

The experts believe that it is possible to obtain the same result by using Spectre variant 2 (CVE-2017-5715) can also achieve the same results.

Eclypsium reported the new attack technique to Intel in March. Intel replied that the security updates released for the Spectre variant 1 and variant 2 should be enough to mitigate this new attack.

to read the original article:

https://securityaffairs.co/wordpress/72695/hacking/spectre-smm.html

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

The ZipperDown Vulnerability could affect roughly 10% of iOS Apps

Experts from Chinese jailbreakers Pangu Lab, have recently discovered the ZipperDown flaw that could affect roughly 10% of iOS Apps. ZipperDown, is a recently discovered vulnerability that could affect thousands of iOS apps and maybe also Android users. The ZipperDown flaw was first reported by experts from Chinese jailbreakers Pangu Lab,  that described it as described as a […]