Intel data center CPU vulnerability could lead to “devastating” attacks

Security researchers found vulnerabilities that can affect multi-tenant environments such as public clouds or shared enterprise workloads.


Bitdefender researchers have found a vulnerability within Intel’s data center CPUs that gives attackers the ability to inject rogue values in certain microarchitectural structures and steal information. Bogdan Botezatu, director of threat research and reporting at Bitdefender, said these attacks are “particularly devastating in multi-tenant environments such as enterprise workstations or servers in the datacenter, where one less-privileged tenant would be able to leak sensitive information from a more privileged user or from a different virtualized environment on top of the hypervisor.” 

According to Botezatu, Intel controls more than 90% of the server CPU market share and most of these CPUs, manufactured between 2011 and 2020, are vulnerable. Botezatu and Bitdefender notified Intel of the issue on Feb. 25 and the company has acknowledged there is a problem. Intel did not immediately respond to a request for comment. 


Vulnerabilities like this typically impact multi-tenant environments such as a public cloud or shared enterprise workload where a less privileged user would be able to exfiltrate information across security boundaries through the vulnerable processor. All public cloud vendors that run vulnerable Intel CPUs would be exposed to this type of attack, Botezatu said. 

Using this vulnerability, attackers with only minimal system privileges can sample information that would normally be protected by boundaries enforced at the silicon or microcode level.

In a blog post, Botezatu wrote that the kind of information that can be stolen includes everything from “operating system noise” data to encryption keys or passwords. Attackers could gain a sizable amount of control within compromised servers and gain access to whatever data is inside. 

Bitdefender said it has been examining side-channel attacks and the potential impact of vulnerabilities since the emergence of Spectre and Meltdown in 2018.

“Our team of dedicated vulnerability researchers discovered two other different similar vulnerabilities last year (the SWAPGS Attack and another MDS-class vulnerability). This research team keeps a close eye on modern CPUs as part of the ongoing research for HVI – Bitdefender’s security solution that runs at the hypervisor level,” Botezatu said in an interview.

“This type of attack cannot be mitigated, given the fact that it leverages a vulnerability in the processor design. Previous mitigations set in place for Spectre, Meltdown, and the MDS attacks are now ineffective against this new attack called LVI-LFB,” he added.

Every time a new side-channel attack variation gets communicated and plugged, Botezatu said, new ones show up and defeat existing mitigations. “We believe that the only viable solution would be the architecture of the process to fix these flaws in hardware.”

In a blog post, Botezatu wrote that to completely mitigate the vulnerability, IT departments should either disable functionalities like hyper-threading or replace the hardware entirely.

Security teams should also make sure they have the latest CPU microcode patches and the latest OS updates installed.

Botezatu added that the most urgent actions security teams need to take involve installing patches and integrating security programs that can give users more hypervisor-level visibility and context. Security teams should also do full audits of their critical systems to check for any signs that systems have been attacked.
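The following script is an added example, not code from the article or from Bitdefender, showing how a security team can check the state of the steps listed above on a Linux host. It assumes the standard kernel interfaces: the SMT (hyper-threading) control file at /sys/devices/system/cpu/smt/control, the loaded microcode revision in /proc/cpuinfo, and the per-class mitigation status files under /sys/devices/system/cpu/vulnerabilities/ (the kernel reports only the vulnerability classes it knows about, so the list is a status check, not proof of immunity). The function names and the file name mitigation_check.sh are this example's own choices; each function takes a path so it can also be run against constructed input.

```shell
#!/bin/sh
# Added example (not from the article or Bitdefender): report the state of the
# mitigations the article lists on a Linux host, using the kernel's own
# interfaces (assumed standard paths):
#   /sys/devices/system/cpu/smt/control       -> SMT (hyper-threading) state
#   /proc/cpuinfo                             -> loaded microcode revision
#   /sys/devices/system/cpu/vulnerabilities/  -> kernel mitigation status per class

# Print the SMT control state: on, off, forceoff, notsupported, or unknown
# when the file is missing or unreadable (e.g. inside some containers).
smt_state() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo unknown
    fi
}

# Print the microcode revision of the first CPU listed in a cpuinfo-style file.
# /proc/cpuinfo lines look like "microcode<TAB>: 0xde", so split on ": ".
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "$1"
}

# Print "name: status" for every readable file in a vulnerabilities-style directory.
vuln_report() {
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count how many entries the kernel still reports as "Vulnerable".
vuln_count() {
    vuln_report "$1" | grep -c ': Vulnerable'
}

# One-line verdict on the hyper-threading step from the article.
smt_advice() {
    case "$1" in
        off|forceoff|notsupported) echo "SMT disabled or unavailable: hyper-threading step done" ;;
        on) echo "SMT enabled: cross-thread leakage possible; disable if the workload allows" ;;
        *) echo "SMT state unknown: check the host manually" ;;
    esac
}

main() {
    smt=$(smt_state /sys/devices/system/cpu/smt/control)
    echo "SMT control: $smt"
    smt_advice "$smt"
    echo "Microcode revision: $(microcode_rev /proc/cpuinfo)"
    echo "Kernel-reported mitigation status:"
    vuln_report /sys/devices/system/cpu/vulnerabilities
    echo "Entries still reported Vulnerable: $(vuln_count /sys/devices/system/cpu/vulnerabilities)"
}

# Run the report only when executed as mitigation_check.sh, not when sourced.
case "$0" in
    *mitigation_check.sh) main ;;
esac
```

Run it as `sh mitigation_check.sh` on each host; compare the microcode revision against the vendor's current release for that CPU model and treat any entry printed as "Vulnerable", or an SMT state of "on" on multi-tenant hosts, as an open item for the patching and audit work described above.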

“The potential for exploitation is large, but up until now we do not have any evidence that it has actually been exploited in the wild. 

“However, given the nature of the attack, a security solution or any other alerting mechanism would be unable to detect or block this type of attack. This is why such attacks are more suitable for government or commercial, high profile threat actors than for regular cyber criminals,” Botezatu said, adding that these kinds of attacks are particularly difficult to deal with. 

“It would be impossible to identify any exploitation in the wild. This attack does not leave any forensic trace on the affected system, nor can it be identified or blocked by existing security solutions.”
