SWAPGS (security vulnerability)
SWAPGS, also known as Spectre variant 1, is a computer security vulnerability that utilizes the branch prediction used in modern microprocessors.[1][2][3] Most processors use a form of speculative execution; this feature allows the processor to make educated guesses about which instructions will most likely need to be executed in the near future. This speculation can leave traces in the cache, which attackers use to extract data using a timing attack, similar to side-channel exploitation of Spectre.[4]
The Common Vulnerabilities and Exposures ID issued to this vulnerability is CVE-2019-1125.[5]
History
SWAPGS is closely related to the Spectre-V1 vulnerability, which used similar side-channel vulnerabilities to access privileged cache memory in an operating system. The vulnerability was discovered by Andrei Vlad Lutas of Bitdefender and was reported to Intel. Intel coordinated with industry partners to address the issue on a software level.[6] The first patches for SWAPGS were released on 9 July 2019 as part of the Microsoft Patch Tuesday. However, details regarding the vulnerability were not disclosed until 6 August 2019.[7]
SWAPGS itself is an instruction that swaps the GSBase register with a value stored in an MSR. The register is typically used to hold kernel data.
Affected systems
Any Intel processor that supports the SWAPGS and WRGSBASE instructions is affected. This includes every Intel processor from the Ivy Bridge CPUs up to the most recent Intel processors.
Devices equipped with AMD processors are not affected, according to the company's product security update.[8]
AMD is aware of new research claiming new speculative execution attacks that may allow access to privileged kernel data. Based on external and internal analysis, AMD believes it is not vulnerable to the SWAPGS variant attacks because AMD products are designed not to speculate on the new GS value following a speculative SWAPGS. For the attack that is not a SWAPGS variant, the mitigation is to implement our existing recommendations for Spectre variant 1.
Mitigation
For Windows operating system-based devices, Microsoft's security advisory lists the patches released in July 2019, which fix the vulnerability.[9]
For Linux distributions, it is advised to check whether there are SWAPGS-specific patches that need to be applied. The kernel documentation describes the nature of the attacks and the in-kernel mitigations.[10]
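The kernel documentation cited above reports the Spectre v1 mitigation state through sysfs, and a patched kernel names the SWAPGS barriers in that status line. The following POSIX shell script is an added example, not code from the article or from the Linux kernel project: it classifies the status line from /sys/devices/system/cpu/vulnerabilities/spectre_v1 so an administrator can tell whether the SWAPGS-specific mitigation is active. The sysfs path and the status strings are those documented by the kernel; the classification labels and function names are this example's own.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's reported Spectre v1 / SWAPGS
# mitigation state. Not part of the article or of the kernel project.
# Path and status strings follow the kernel's "Spectre Side Channels" document;
# the labels printed by classify_spectre_v1 are this example's own convention.
SPECTRE_V1_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# classify_spectre_v1 STATUS_LINE
# Prints one label:
#   swapgs-mitigated    - kernel reports the SWAPGS barriers (CVE-2019-1125 fix)
#   partially-mitigated - Spectre v1 mitigation present, but no SWAPGS barriers
#   vulnerable          - kernel reports "Vulnerable" (e.g. mitigations disabled)
#   not-affected        - kernel reports the CPU is not affected
#   unknown             - anything else
classify_spectre_v1() {
    case "$1" in
        *"swapgs barriers"*)   echo "swapgs-mitigated" ;;
        "Mitigation:"*)        echo "partially-mitigated" ;;
        "Vulnerable"*)         echo "vulnerable" ;;
        "Not affected"*)       echo "not-affected" ;;
        *)                     echo "unknown" ;;
    esac
}

# check_host: read the live sysfs entry when it exists; on kernels that predate
# the vulnerabilities directory, or on non-Linux systems, report "unknown".
check_host() {
    if [ -r "$SPECTRE_V1_SYSFS" ]; then
        status=$(cat "$SPECTRE_V1_SYSFS")
        printf '%s: %s\n' "$(classify_spectre_v1 "$status")" "$status"
    else
        printf 'unknown: %s not present\n' "$SPECTRE_V1_SYSFS"
    fi
}

check_host
```

A result other than swapgs-mitigated on an Intel system is the cue to look for a kernel update carrying the SWAPGS barriers; the kernel also reports "Vulnerable" when it was booted with the mitigation switched off, so the boot command line is worth checking before assuming the kernel itself is unpatched.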
Bitdefender mentions in its original report that Apple devices are unlikely to be at risk.[11]
See also
- Foreshadow (security vulnerability)
- Microarchitectural Data Sampling – another set of vulnerabilities, including ZombieLoad, that can leak data in Intel microprocessors
- Rogue System Register Read (RSRR[12]) – a related vulnerability, also known as Variant 3a
- Transient execution CPU vulnerabilities
References
- ^ "SWAPGS Spectre Side-Channel Vulnerability: CISA". www.us-cert.gov. United States: United States Computer Emergency Readiness Team. 6 August 2019. Retrieved 2019-09-20.
- ^ "SWAPGS Attack". bitdefender.com. Bitdefender. 6 August 2019.
- ^ "SWAPGS speculative execution and speculative only segment loads CPU vulnerabilities /Support /SUSE". www.suse.com. SUSE Linux. Retrieved 2019-09-20.
- ^ "More information on SWAPGS and Speculative only Segment Loads". Intel.com. Intel. 6 August 2019.
- ^ "CVE-2019-1125". cve.mitre.org. United States: Mitre Corporation. Retrieved 2019-09-20.
- ^ "SWAPGS Vulnerability in Modern CPUs Fixed in Windows, Linux, ChromeOS". bleepingcomputer.com. Bleeping Computer. 6 August 2019.
- ^ "Windows Kernel Information Disclosure Vulnerability". portal.msrc.microsoft.com. Microsoft. 6 August 2019.
- ^ "Product Security". amd.com. AMD. 6 August 2019.
- ^ "CVE-2019-1125: Windows Kernel Information Disclosure Vulnerability". portal.msrc.microsoft.com. Retrieved 2019-12-04.
- ^ "Spectre Side Channels". The Linux Kernel documentation.
- ^ "Bitdefender SWAPGS FAQ". bitdefender.com. 6 August 2019.
- ^ Sometimes misspelled as "RSRE"