INDIA NEWS (http://www.indiavpn.org) News Blog

GhostRace – New Data Leak Vulnerability Affects Modern CPUs
http://www.indiavpn.org/2024/03/15/ghostrace-new-data-leak-vulnerability-affects-modern-cpus/
Fri, 15 Mar 2024 18:10:48 +0000

Mar 15, 2024 | Newsroom | Hardware Security / Data Protection

A group of researchers has discovered a new data leakage attack impacting modern CPU architectures supporting speculative execution.

Dubbed GhostRace (CVE-2024-2193), it is a variation of the transient execution CPU vulnerability known as Spectre v1 (CVE-2017-5753). The approach combines speculative execution and race conditions.

“All the common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a branch misprediction attack, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs), allowing attackers to leak information from the target,” the researchers said.

The findings come from the Systems Security Research Group at IBM Research Europe and VUSec, the latter of which disclosed another side-channel attack called SLAM targeting modern processors in December 2023.


Spectre refers to a class of side-channel attacks that exploit branch prediction and speculative execution on modern CPUs to read privileged data in the memory, bypassing isolation protections between applications.

While speculative execution is a performance optimization technique used by most CPUs, Spectre attacks take advantage of the fact that erroneous predictions leave behind traces of memory accesses or computations in the processor’s caches.

“Spectre attacks induce a victim to speculatively perform operations that would not occur during strictly serialized in-order processing of the program’s instructions, and which leak victim’s confidential information via a covert channel to the adversary,” the researchers behind the Spectre attack noted in January 2018.

What makes GhostRace notable is that it enables an unauthenticated attacker to extract arbitrary data from the processor by combining race conditions with speculatively executed code paths, using what is called a Speculative Concurrent Use-After-Free (SCUAF) attack.

A race condition is an undesirable situation that occurs when two or more processes attempt to access the same, shared resource without proper synchronization, thereby leading to inconsistent results and opening a window of opportunity for an attacker to perform malicious actions.

“In characteristics and exploitation strategy, an SRC vulnerability is similar to a classic race condition,” the CERT Coordination Center (CERT/CC) explained in an advisory.

“However, it is different in that the attacker exploits said race condition on a transiently executed path originating from a mis-speculated branch (similar to Spectre v1), targeting a racy code snippet or gadget that ultimately discloses information to the attacker.”

The net result is that it permits an attacker with access to CPU resources to access arbitrary sensitive data from host memory.


“Any software, e.g., operating system, hypervisor, etc., implementing synchronization primitives through conditional branches without any serializing instruction on that path and running on any microarchitecture (e.g., x86, ARM, RISC-V, etc.), which allows conditional branches to be speculatively executed, is vulnerable to SRCs,” VUSec said.

Following responsible disclosure, AMD said its existing guidance for Spectre “remains applicable to mitigate this vulnerability.” The maintainers of the Xen open-source hypervisor acknowledged that all versions are impacted, although they said it’s unlikely to pose a serious security threat.

“Out of caution, the Xen Security Team have provided hardening patches including the addition of a new LOCK_HARDEN mechanism on x86 similar to the existing BRANCH_HARDEN,” Xen said.

“LOCK_HARDEN is off by default, owing to the uncertainty of there being a vulnerability under Xen, and uncertainty over the performance impact. However, we expect more research to happen in this area, and feel it is prudent to have a mitigation in place.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


New Ivanti Auth Bypass Flaw Affects Connect Secure and ZTA Gateways
http://www.indiavpn.org/2024/02/09/new-ivanti-auth-bypass-flaw-affects-connect-secure-and-zta-gateways/
Fri, 09 Feb 2024 13:53:22 +0000

Feb 09, 2024 | Newsroom | Vulnerability / Zero Day

Ivanti has alerted customers of yet another high-severity security flaw in its Connect Secure, Policy Secure, and ZTA gateway devices that could allow attackers to bypass authentication.

The issue, tracked as CVE-2024-22024, is rated 8.3 out of 10 on the CVSS scoring system.

“An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication,” the company said in an advisory.

The company said it discovered the flaw during an internal review as part of its ongoing investigation into multiple security weaknesses in the products that have come to light since the start of the year, including CVE-2023-46805, CVE-2024-21887, CVE-2024-21888, and CVE-2024-21893.


CVE-2024-22024 affects the following product versions:

  • Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, and 22.5R1.1)
  • Ivanti Policy Secure (version 22.5R1.1)
  • ZTA (version 22.6R1.3)

Patches for the bug are available in Connect Secure versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3, and 22.6R2.2; Policy Secure versions 9.1R17.3, 9.1R18.4, and 22.5R1.2; and ZTA versions 22.5R1.6, 22.6R1.5, and 22.6R1.7.

Ivanti said there is no evidence of active exploitation of the flaw, but with CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 coming under broad abuse, it’s imperative that users move quickly to apply the latest fixes.
