New Side-Channel Vulnerability Discovered in Intel CPUs
A team of security researchers has identified a significant side-channel vulnerability in Intel CPUs, which could allow attackers to extract sensitive information, including passwords and cryptographic keys, from other processes within the same CPU core utilizing simultaneous multi-threading (SMT). Codenamed PortSmash (CVE-2018-5407), this vulnerability adds to a growing list of critical side-channel vulnerabilities that have emerged recently, including notable threats like Meltdown, Spectre, TLBleed, and Foreshadow.
This discovery was made by researchers from Tampere University of Technology in Finland and the Technical University of Havana in Cuba. The vulnerability exploits Intel’s Hyper-Threading technology, which, through its implementation of simultaneous multi-threading, divides each physical core of a processor into virtual threads, enabling the execution of multiple instruction streams simultaneously. While this design enhances performance, it inadvertently creates an opportunity for one thread to observe the activities of another running on the same core.
The researchers articulated their findings, noting that “the leakage originates from the shared execution engine on SMT architectures,” indicating that port contention could be used to construct a timing side-channel, allowing the exfiltration of information from parallel processes sharing a core. By deploying a malicious PortSmash process alongside a legitimate victim process, an attacker can glean information by measuring the time taken for various operations, effectively snooping on the victim’s activities.
In a proof-of-concept experiment, the researchers demonstrated the PortSmash attack against the OpenSSL cryptographic library, specifically targeting versions up to and including 1.1.0h. Their efforts successfully extracted the private decryption key through a malicious process cohabiting the same physical core as the OpenSSL thread. Currently, the attack has been verified on Intel’s Kaby Lake and Skylake processor architectures, with suspicions that it may also affect other SMT architectures, including those produced by AMD, albeit with some necessary code modifications.
In light of previous vulnerabilities, Theo de Raadt, founder of OpenBSD and leader of the OpenSSH project, urged users back in August to disable SMT or Hyper-Threading in Intel BIOS settings. He labeled SMT as inherently flawed due to its resource-sharing practices between CPU instances, a design choice that lacks essential security measures. His foresight predicted further hardware issues related to SMT’s interaction with speculative execution in Intel CPUs, potentially exacerbating future threats.
To mitigate the PortSmash vulnerability, the research team alerted Intel’s security unit last month, but lack of timely patching has led them to publicize their findings. Their imminent publication of a detailed paper titled Port Contention for Fun and Profit will expound further on the attack methodology.
For immediate protection, organizations are advised to disable SMT or Hyper-Threading via BIOS settings until Intel distributes security patches. OpenSSL users are encouraged to upgrade to version 1.1.1 or later for improved security measures. In recent efforts, the OpenBSD initiative had already disabled Intel’s Hyper-Threading to protect against previously known vulnerabilities, showcasing the heightened awareness and precautionary measures within the cybersecurity landscape. Meanwhile, AMD is actively investigating the implications of the PortSmash vulnerability for its product lines.
As the cybersecurity community continues to monitor and respond to evolving threats, understanding the tactics employed in these attacks through frameworks such as the MITRE ATT&CK Matrix is crucial. Potential adversary tactics related to PortSmash could include initial access through external scripts, privilege escalation via timed observations, and lateral movement across shared resources, highlighting the need for vigilant security practices in both hardware and software environments.