Not long after the first disclosure of the Meltdown and Spectre vulnerabilities, two further variants of the same class of modern processor bugs were reported. Google Project Zero and Microsoft researchers independently found a new subclass of speculative execution side-channel vulnerability known as Speculative Store Bypass (SSB, initially referred to as SpectreNG or variant 4), which has been assigned CVE-2018-3639; disclosed alongside it was another Meltdown variation, Rogue System Register Read (RSRR, also called variant 3a), assigned CVE-2018-3640.
The affected processors span a wide range of CPU families: Intel and AMD x86, IBM POWER8 and POWER9, and ARM cores.
Catalin Cimpanu wrote for Bleeping Computer:
Variant 3a is a variation of the Meltdown flaw, while Variant 4 is a new Spectre-like attack. The most important of these two is Variant 4. Both bugs occur for the same reason – speculative execution – a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data.
The difference is that Variant 4 affects a different part of the speculative execution process — the data inside the “store buffer” inside a CPU’s cache.
Industry response on Speculative Store Bypass – SpectreNG
Major vendors have already released advisories:
- Microsoft Guidance for Speculative Store Bypass ADV180012
- Intel Q2 2018 Speculative Execution Side Channel Update INTEL-SA-00115
- Google Project Zero – issue 1528 – including proof-of-concept code
- AMD – “Speculative Store Bypass” Vulnerability Mitigations for AMD Platforms
- ARM – Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism
- IBM – Potential Impact on Processors in the POWER Family
- Red Hat
- Ubuntu – Speculative Store Bypass (CVE-2018-3639 aka GPZ Variant 4)
- Lenovo – Speculative Execution Side Channel Variants 4 and 3a
- Citrix XenServer Security Update for CVE-2018-3639
- NetApp – Speculative Execution Side Channel Vulnerabilities in NetApp Products
- Synology-SA-18:23 Speculative Store Bypass
- Cisco – CPU Side-Channel Information Disclosure Vulnerabilities: May 2018
Most leading browser providers have recently deployed mitigations in their Managed Runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.
Intel has released Beta microcode updates to operating system vendors, equipment manufacturers, and other ecosystem partners adding support for Speculative Store Bypass Disable (SSBD). SSBD provides additional protection by providing a means for system software to completely inhibit a Speculative Store Bypass from occurring if desired[…] Most major operating systems and hypervisors will add support for Speculative Store Bypass Disable (SSBD) starting as early as May 21, 2018.
The microcode updates will also address Rogue System Register Read (RSRR) – CVE-2018-3640 by ensuring that RDMSR instructions will not speculatively return data under certain conditions[…] No operating system or hypervisor changes are required to support the RDMSR change.
VMware response to Speculative Store Bypass – SpectreNG
VMware released a new security advisory: VMSA-2018-0012 – VMware vSphere, Workstation and Fusion updates enable Hypervisor-Assisted Guest Mitigations for Speculative Store Bypass issue.
VMware also released knowledge base articles 54951 and 55111 with details and mitigation advice for both CVEs. A third KB (55210) discusses the performance impact of the mitigations.
From the VMware advisory:
vCenter Server, ESXi, Workstation, and Fusion update speculative execution control mechanism for Virtual Machines (VMs). As a result, a patched Guest Operating System (GOS) can remediate the Speculative Store bypass issue (CVE-2018-3639) using the Speculative-Store-Bypass-Disable (SSBD) control bit. This issue may allow for information disclosure in applications and/or execution runtimes which rely on managed code security mechanisms. Based on current evaluations, we do not believe that CVE-2018-3639 could allow for VM to VM or Hypervisor to VM Information disclosure.
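The SSBD control bit that Intel's text above describes, and VMware's note that a patched guest can use it once the hypervisor exposes it, leave the practical question of how an administrator or a runtime sees and uses that control. Linux exposes SSBD both system-wide (the `spec_store_bypass_disable=` boot parameter) and per task via `prctl(2)`, which is how a sandboxed renderer or JIT host opts itself in without paying the cost everywhere. The C program below is an added example, not code from Intel, VMware or any advisory listed here: it reads the Linux sysfs status line, queries the calling task's SSB speculation control, and then opts the task into SSBD. Run inside a vSphere guest, the sysfs line tells you whether the hypervisor has exposed the control bit to the patched guest kernel. It assumes a kernel with the speculation-control prctl (4.17 or a distribution backport) and reports "unsupported" otherwise; the sysfs strings it classifies are the ones the kernel prints, and a "Mitigation: ... via prctl" line means only tasks that opted in are protected.

```c
/* ssb_check.c: report and opt into the Linux Speculative Store Bypass
 * mitigation (SSBD). Added example for this post, not vendor code.
 * Assumes Linux with PR_GET/PR_SET_SPECULATION_CTRL (4.17+ or a backport);
 * elsewhere the prctl path reports "unsupported" instead of failing. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef __linux__
#include <sys/prctl.h>
#else
/* prctl(2) is Linux-only; stub it so the file still builds elsewhere. */
static int prctl(int opt, unsigned long a, unsigned long b, unsigned long c, unsigned long d)
{ (void)opt; (void)a; (void)b; (void)c; (void)d; errno = ENOSYS; return -1; }
#endif

/* Values from uapi/linux/prctl.h, for libc headers that predate them. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS   0
#define PR_SPEC_NOT_AFFECTED   0
#define PR_SPEC_PRCTL          (1UL << 0)
#define PR_SPEC_ENABLE         (1UL << 1)
#define PR_SPEC_DISABLE        (1UL << 2)
#define PR_SPEC_FORCE_DISABLE  (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif

enum ssb_state { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_VULNERABLE,
                 SSB_MITIGATED_GLOBAL, SSB_MITIGATED_OPTIN };

/* Classify /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
 * Kernel strings: "Not affected", "Vulnerable",
 * "Mitigation: Speculative Store Bypass disabled" (system-wide) and
 * "Mitigation: Speculative Store Bypass disabled via prctl[ and seccomp]"
 * (opt-in: tasks that did not ask for SSBD are still exposed). */
enum ssb_state ssb_classify_sysfs(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return SSB_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return SSB_VULNERABLE;
    if (strncmp(line, "Mitigation:", 11) == 0)
        return strstr(line, "prctl") ? SSB_MITIGATED_OPTIN : SSB_MITIGATED_GLOBAL;
    return SSB_UNKNOWN;
}

/* Interpret the bitmask PR_GET_SPECULATION_CTRL returns for this task. */
const char *ssb_describe(long status)
{
    if (status < 0)                      return "unsupported: kernel lacks the speculation-control prctl";
    if (status == PR_SPEC_NOT_AFFECTED)  return "not affected";
    if (status & PR_SPEC_FORCE_DISABLE)  return "mitigated: SSBD forced on for this task (irrevocable)";
    if (status & PR_SPEC_DISABLE_NOEXEC) return "mitigated: SSBD on for this task until exec";
    if (status & PR_SPEC_DISABLE)
        return (status & PR_SPEC_PRCTL) ? "mitigated: SSBD on for this task (opted in)"
                                        : "mitigated: SSBD on system-wide";
    if (status & PR_SPEC_ENABLE)
        return (status & PR_SPEC_PRCTL) ? "vulnerable: SSBD off, task may opt in via prctl"
                                        : "vulnerable: SSBD off, kernel offers no per-task control";
    return "unknown status";
}

/* Query the calling task; -1 (errno EINVAL/ENOSYS) means no kernel support. */
long ssb_get_task_status(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
}

/* Turn SSBD on for the calling task and its future children. force=1 makes
 * it irrevocable, which is what a sandbox wants. Failure: ENXIO when the
 * kernel was booted in a mode without per-task control, EINVAL on kernels
 * without the interface, EPERM when trying to undo a forced disable. */
int ssb_opt_in(int force)
{
    unsigned long ctrl = force ? PR_SPEC_FORCE_DISABLE : PR_SPEC_DISABLE;
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ctrl, 0, 0);
}

int main(void)
{
    char line[128] = "";
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass", "r");
    if (f && fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        printf("sysfs: %s (state %d)\n", line, ssb_classify_sysfs(line));
    } else {
        puts("sysfs: no spec_store_bypass entry (old kernel or non-Linux)");
    }
    if (f) fclose(f);

    printf("this task before opt-in: %s\n", ssb_describe(ssb_get_task_status()));
    if (ssb_opt_in(0) == 0)
        printf("this task after opt-in : %s\n", ssb_describe(ssb_get_task_status()));
    else
        printf("opt-in failed: %s\n", strerror(errno));
    return 0;
}
```

Build with `cc -o ssb_check ssb_check.c` and run it once on the host and once inside a patched guest: a guest that still prints "Vulnerable" after the guest kernel update has not been given the SSBD bit by the hypervisor (on Intel hosts the `ssbd` flag in `/proc/cpuinfo` should appear once it has). Note that opting in is per task and inherited by children only, so a system-wide check that reports "via prctl" says nothing about whether your service actually asked for the mitigation.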
Stay tuned for patches from your favorite vendors! More updates to follow!