Con el nombre de YAM (Yet Another Meltdown), esta nueva vulnerabilidad anula las protecciones del procesador y permite que aplicaciones en modo usuario sin privilegios roben del ordenador afectado la información procesada por la memoria en modo núcleo.
Impacto
La nueva vulnerabilidad encontrada por los investigadores de Bitdefender puede ser utilizada por los hackers para filtrar información privilegiada desde un área de la memoria considerada fuera de límites por las protecciones del hardware. Este fallo puede aprovecharse en ataques dirigidos que normalmente requerirían privilegios de todo el sistema o una profunda subversión del sistema operativo. Además, tiene un impacto extremadamente grande en los proveedores de servicios en la nube y en los entornos multi-tenant, ya que un usuario puede aprovechar esta brecha para leer datos que pertenecen a otros.
El código de la prueba de concepto compartido en privado con el fabricante ha sido analizado con éxito en las microarquitecturas Intel Ivy Bridge, Haswell, Skylake y Kaby Lake.
Solución
Dado que esta vulnerabilidad gira en torno a un fallo de diseño del hardware, los parches de microcódigo podrán solucionar parcialmente el problema. Actualmente, Bitdefender está trabajando, junto con otras compañías especializadas, en una solución implementada a nivel de hipervisor a través de tecnologías de seguridad como Bitdefender HVI.
Contexto
Los ataques de canal lateral basados en ejecuciones especulativas fueron noticia con la identificación de Meltdown y Specter a principios de 2018. Desde entonces, las variantes de ataques de canal lateral se han ido descubriendo esporádicamente y se han mitigado parcialmente a través de microcódigo y parches del sistema operativo.
Sin embargo, como esta es una brecha que surge de un problema de diseño de hardware, es imposible disponer de un remedio que solucione esta vulnerabilidad de forma completa.
Bogdan Botezatu, director de E-Threat Research & Reporting en Bitdefender, contesta a las principales preguntas sobre YAM:
Q: How the Yet-Another-Meltdown can be explained in layman’s terms?
A: There are some hardware restrictions inside any processor that segregate the information available to the user from informationavailable to the operating system. If this safeguard could be removed, an application executed under the current logged in user will be able to access various area available to the operating system only that are “off limits” for the user mode to keep the system properly functioning. Also, keeping the information available to operating system “hidden” is important from a security perspective, because this section is used to keep the “secrets”: passwords, encryption keys etc.
Our proof of concept demonstrates that with only six lines of code you can lift this safeguard and expose the informationavailable to the operating system. Basically, this vulnerability can effectively make the Intel processor to spill out the information available to operating system only.
The security impact is serious because of many reasons:
A non-authorized user can access information that doesn’t belong to them; for example, they can access anythingfrom wi-fi passwords, account passwords to encryption keys, private keys and so on.
This vulnerability can be exploited like any other “zero-day”. Basically, a high skilled attacker can use it to install a malware, most likely a backdoor-type and it will stay totally undetected. This is exactly the type of vulnerability and the operating mode that a state-sponsored attack will use for espionage purposes.
This is a hardware flaw that cannot be fixed other than by redesigning the processor (the silicon) or by just physically replacing the CPU with a new, non-vulnerable unit.
We might expect some “software” mitigation especially from the large vendors like cloud services providers and data centers operators because the “multi-tenant” environment specific to this instance is the most affected by this vulnerability. In the “multi-tenant” environment you have multiple users sharing the same physical resources to build and use multiple virtual machines for example. One of the users, with a local account in this data center or in this cloud service provider can be able to exfiltrate specific information by using this vulnerability. Problem is he can access and exfiltrate any information available on the physical machines, belonging to every user of the premises.
What happened to the victims of Meltdown can happen to those affected by this vulnerability
Q: How many computers are affected?
A: We cannot point to specific numbers but since our proof of concept works on Ivy Bridge, Haswell, Skylake and Kaby Lake CPUseries we can discuss about millions of computers here. Basically, any modern data center will be affected by this vulnerability
Q: Have you been in touch with Intel about this incident?
A: Yes, we discovered this vulnerability in August 2018 when our technical team in Cluj, Romania was working to expand the Bitdefender HVI technology. Intel told us they need several months to investigate and create a strategy to communicate it.
