The Spectre and Meltdown vulnerabilities were more than enough to drive the security world crazy. They were among the most serious hardware flaws disclosed to date: the underlying design had been present in everyday processors for decades. Manufacturers are still working on fixing the problem, and OS vendors have already shipped patches to mitigate the issue. Now a new variant of Spectre has appeared. Seems like the ghost of Spectre isn't going to leave us after all!
The new variant
Recently, security researchers from Eclypsium detailed a new Spectre variant that can read data from System Management Mode (SMM), one of the most strongly protected parts of a modern x86 processor. For those who haven't met it before, SMM is a CPU operating mode with higher privilege than anything the operating system runs: neither the kernel nor a hypervisor can read its memory or interfere with its code.
The new vulnerability scope
Whenever the processor receives a System Management Interrupt (SMI), it suspends the operating system and jumps into handler code supplied by the BIOS/UEFI firmware. That code runs with the highest privilege on the machine and has unrestricted access to all of the system's hardware and memory.
SMM is locked down this tightly because it sits so close to the hardware: firmware uses it to keep the platform running underneath the OS, for tasks such as power management and hardware error handling.
Unfortunately, the design is old, dating back to the early '90s, and it has gained few additional protections since. On Intel CPUs, the main safeguard is the System Management Range Registers (SMRRs), which make the SMM memory region inaccessible to code running outside SMM.
The Spectre for SMM memory
The Eclypsium researchers took the public proof-of-concept code for Spectre variant 1 (CVE-2017-5753, the bounds-check bypass) and modified it to get past the SMRR protection, allowing it to read the contents of SMRAM (System Management RAM), the memory where SMM code and its working data live.
According to the Eclypsium team, this enhanced Spectre variant allows an unprivileged attacker to read system memory, including the regions the range registers are supposed to protect, such as SMM memory.
The bad part is that the attack exposed the contents of SMRAM, that is, SMM code and data. The Eclypsium team also believes this can lead to revealing other kinds of information stored in physical memory.
Original Spectre patches enough to protect users
The researchers built their proof of concept on Spectre variant 1, but they also confirmed that Spectre variant 2 (branch target injection) can produce the same result.
Intel was notified of the vulnerability in March. According to Intel, its existing mitigations for Spectre variants 1 and 2 should be enough to protect users from this attack as well.
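To make the two sides of the story concrete, here is an added example (not Eclypsium's or Intel's code, and not the proof of concept described above): the shape of a Spectre variant 1 bounds-check-bypass gadget, next to the two standard software mitigations that Intel's statement refers to, index masking in the style of Linux's array_index_mask_nospec() and a speculation barrier (lfence). The buffer layout, the "secret" bytes after the public buffer, and all function names are constructed for the illustration; in the attack above the out-of-bounds target is SMRAM rather than an adjacent buffer, but the gadget is the same. Only the architectural behaviour is exercised, since the cache-timing side channel that recovers the speculatively loaded byte is hardware-dependent.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <emmintrin.h>   /* _mm_lfence(): speculation barrier on x86-64 */
#endif

/* Constructed sample data (not from the research): a bounds-checked public
 * buffer with "secret" bytes placed right after it. The attacker supplies an
 * index past PUBLIC_LEN and hopes the CPU reads the secret speculatively. */
#define PUBLIC_LEN 16
static uint8_t public_data[PUBLIC_LEN + 32] =
    "public-data-0123" "SMRAM-secret-bytes";
/* volatile: re-read on every use so the compiler cannot fold the mask away
 * by reasoning from the preceding compare (Linux uses OPTIMIZER_HIDE_VAR). */
static volatile size_t public_len = PUBLIC_LEN;

/* Probe array, one 64-byte cache line per possible byte value. A Spectre v1
 * attacker recovers the speculatively loaded byte by timing these lines. */
static volatile uint8_t probe[256 * 64];

/* VULNERABLE: the check is architecturally correct, but while the branch
 * predictor assumes "in bounds" the CPU executes both loads anyway; the
 * probe line touched depends on public_data[idx] even when idx is out of
 * bounds, which is exactly what the timing side channel observes. */
uint8_t gadget_vulnerable(size_t idx)
{
    if (idx < public_len) {
        uint8_t v = public_data[idx];
        (void)probe[(size_t)v * 64];      /* dependent load: the transmitter */
        return v;
    }
    return 0;
}

/* Branchless mask: all ones when idx < size, zero otherwise. Because it is
 * arithmetic rather than a branch, a mispredicted bounds check cannot leave
 * a usable out-of-bounds index behind. Assumes size < 2^(bits-1). */
size_t index_mask_nospec(size_t idx, size_t size)
{
    size_t t = ~(idx | (size - 1 - idx));         /* top bit set iff idx < size */
    return (size_t)0 - (t >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Index the masked gadget actually dereferences, including under
 * misprediction: in-bounds indexes pass through, anything else becomes 0. */
size_t hardened_effective_index(size_t idx)
{
    return idx & index_mask_nospec(idx, public_len);
}

/* HARDENED (masking): same architectural result as the vulnerable gadget,
 * but a mispredicted path can only ever load public_data[0]. */
uint8_t gadget_hardened(size_t idx)
{
    if (idx < public_len) {
        uint8_t v = public_data[hardened_effective_index(idx)];
        (void)probe[(size_t)v * 64];
        return v;
    }
    return 0;
}

/* HARDENED (fence): the other common fix, a barrier right after the check
 * so the loads cannot begin until the branch has actually resolved. */
uint8_t gadget_lfence(size_t idx)
{
    if (idx < public_len) {
#if defined(__x86_64__)
        _mm_lfence();
#endif
        uint8_t v = public_data[idx];
        (void)probe[(size_t)v * 64];
        return v;
    }
    return 0;
}

int main(void)
{
    size_t oob = PUBLIC_LEN + 4;   /* points into the constructed "secret" */
    printf("in-bounds idx=3: vulnerable=%c masked=%c fenced=%c\n",
           gadget_vulnerable(3), gadget_hardened(3), gadget_lfence(3));
    printf("out-of-bounds idx=%zu: architectural result %u for all three\n",
           oob, (unsigned)gadget_vulnerable(oob));
    printf("index the masked gadget can touch under misprediction: %zu -> %zu\n",
           oob, hardened_effective_index(oob));
    return 0;
}
```

All three gadgets return the same values architecturally, which is why the vulnerable form passes ordinary testing; the difference only shows up in what the CPU is allowed to load while the bounds check is still unresolved. The masking form is preferred in the kernel because it costs a few ALU instructions rather than a pipeline drain.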
For experts and enthusiasts, the vulnerability is well worth exploring in depth. There are other Spectre variants too, such as SgxSpectre, which targets Intel SGX enclaves.