# New vulnerabilities incoming - Spectre-NG



## ikeke (May 3, 2018)

https://www.heise.de/ct/artikel/Exc...U-flaws-revealed-several-serious-4040648.html

> Eight new security flaws


> Each of the eight vulnerabilities has its own number in the Common Vulnerability Enumerator (CVE) directory and each requires its own patches. It is likely that each vulnerability will receive its own name. Until then, we will jointly call these flaws Spectre-NG in order to distinguish them from the previously uncovered issues.
> 
> So far we only have concrete information on Intel's processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable. Further research is already underway on whether the closely related AMD processor architecture is also susceptible to the individual Spectre-NG gaps, and to what extent.
> 
> Intel is already working on its own patches for Spectre-NG and developing others in cooperation with the operating system manufacturers. According to our information, Intel is planning two waves of patches. The first is scheduled to start in May; a second is currently planned for August.





> One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap. Intel's Software Guard Extensions (SGX), which are designed to protect sensitive data on cloud servers, are also not Spectre-safe.



At least one looks really bad, a showstopper for cloud services once exploited. The CVEs will be published on 5th May according to current information.


----------



## DeathtoGnomes (May 3, 2018)

Amazing. Wonder what they will find in the new AMD chips.


----------



## hat (May 3, 2018)

I'm guessing these hardware vulnerabilities are gonna be a never ending thing?


----------



## DeathtoGnomes (May 3, 2018)

hat said:


> I'm guessing these hardware vulnerabilities are gonna be a never ending thing?


There will always be some sort of vulnerability to squawk about.


----------



## FordGT90Concept (May 3, 2018)

I think the VM paradigm needs to shift to one physical core per virtual machine.  Software VMs need to die.  It will create more demand for lighter, manycore processors too.


----------



## hat (May 3, 2018)

FordGT90Concept said:


> I think the VM paradigm needs to shift to one physical core per virtual machine.  Software VMs need to die.  It will create more demand for lighter, manycore processors too.


Then what happens when you need multi core performance in your VM?


----------



## erocker (May 3, 2018)

Maybe it's time more businesses used closed networks. These "flaws" won't stop.


----------



## John Naylor (May 3, 2018)

I'm still waiting for an "OMG look what happened to this guy" story on any one of these vulnerabilities.


----------



## Hood (May 4, 2018)

This news caused me to check the Asus website for a patched BIOS (for the 50th time!), and finally, there is a new BIOS posted for my Z97 Deluxe board (3503 beta).  So I took a chance and flashed it - ran the InSpectre utility, and it now shows that my system is secure against both Meltdown and Spectre, with good performance.  I heard they haven't got around to the Z87 boards yet, but if you have a Z97 Asus board, there should be one for your model now.  Now I'm going to benchmark this system to see if it lost any speed.


 
Am I still vulnerable these new variations?  I guess we'll have to wait for the new version of Inspectre to find out!  But I feel safer, somehow.


----------



## FordGT90Concept (May 4, 2018)

hat said:


> Then what happens when you need multi core performance in your VM?


No reason why you can't bridge a VM across multiple cores but multiple VMs should not have access to a single core.  They need hardware isolation.


----------



## Solaris17 (May 4, 2018)

ikeke said:


> https://www.heise.de/ct/artikel/Exc...U-flaws-revealed-several-serious-4040648.html
> At least one looks really bad, a showstopper for cloud services once exploited. The CVEs will be published on 5th May according to current information.



Ugh, kill me please. This is so blown out of proportion it's insane.



> Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap.



Security is important.
Hardware flaws will always exist.

The issue with flaws like this is you can say your CC number is also ACUTELY endangered. Your address, or your favorite color, or really any word, verb, thought or text that fits within the confines of the bits that are leaked. If you are actively scanning the pipeline, you wanna know what you are really going to see?


SDFJASDFJ@(#$%@$#%R<DSFA)#R #@$T_)DSPA#_%RMF<ERHGFDGQAW)SEDKRR$54f548w4er513rf81dwe8f  w43r4325rwqedrfw3e4rqw


99.9999999% of the time.  Even if you managed to see P@ssw0rd come out of the buffer on a random system you happened to be targeting, KNOWING what VM you were seeing is pretty much impossible. Second, even if you did see ANYTHING, you wouldn't even know it was in the context of a password. You would, or maybe not, see a dictionary term with some numbers at the end. And even if through MAGIC you somehow KNEW that was a password (and any of the random characters I just typed could be) you still wouldn't even know WHAT it went to. C.O.O.'s Facebook account? Stan's POS system login? Some random string saved to a text document? Is it actually password attempts being brute forced by Cain & Abel from another entity? You wouldn't even know.

It's a few bytes of text the processor holds in its pipeline being exposed to someone that had ADMINISTRATIVE access to the unit as is. It doesn't give you info in a humanly digestible format like


Facebook Login
Top Secret C-Level
Bill Gates
1 Microsoft Way, London
13:03 UTC

USN:billygates
PASS:101scubz
IP:9.9.9.9


The media in IT is starting to get closely related to mainstream media on TV and it enrages me. Not giving the TECHNICAL details to TECHNICALLY minded people is a terrible approach. Why? Because it does 2 of 2 things.

Creates mass hysteria among the people that know enough to get in trouble

Makes people like grandma feel safe because it was "patched"


----------



## moproblems99 (May 4, 2018)

Meh, if someone wants your stuff, they are going to get it.  All we can do is make em work for it.



Solaris17 said:


> to someone that had ADMINISTRATIVE access



I don't understand why people use this argument.  If only something like...I dunno.....privilege escalation exploits exist......


----------



## Solaris17 (May 4, 2018)

moproblems99 said:


> Meh, if someone wants your stuff, they are going to get it.  All we can do is make em work for it.
> 
> 
> 
> I don't understand why people use this argument.  If only something like...I dunno.....privilege escalation exploits exist......



Argument? Only one of many points, many of which your "privilege escalations" use, you know..... to escalate them to the privilege of...... Administrator... Of course even then you're only half trying to mock(?) me. After all, if your server and OS are already open and vulnerable to PE and so easily exploited, you don't need hardware level exploitation anyway.

After all, low hanging fruit is key.


----------



## moproblems99 (May 4, 2018)

Not trying to insult you, although I certainly see how it came off like that, my apologies.  My point is that Administrator access is not particularly hard to get.


----------



## Solaris17 (May 4, 2018)

moproblems99 said:


> Not trying to insult you, although I certainly see how it came off like that, my apologies.  My point is that Administrator access is not particularly hard to get.



Very much true. The problem is certainly deep. For example, Ford had a good idea. Why not isolate these machines physically? The only problem with this is that's not how scheduling works with virtual machines; most other hypervisors are like that as well, VMware, Oracle etc. Regardless of OS it gets even more fun since there is OS task (kernel) scheduling and hardware (physical) scheduling. None are controllable via any software means.


----------



## eidairaman1 (May 4, 2018)

Solaris17 said:


> Ugh, kill me please. This is so blown out of proportion it's insane.
> 
> 
> 
> ...



Feels like a knee jerk reaction.


----------



## ikeke (May 4, 2018)

This issue has nothing to do with administrative access. Nothing to do with the number of cores allocated to a VM. Nothing to do with physical security.

VMs are, for applications running in them, treated as separate physical machines. These flaws allow these barriers to be broken.

There is no security procedure/layer on your instance that can circumvent a flaw in HW logic that allows anyone with VM level access to the cloud service (which, if you have ever spun up a cloud instance on Amazon/Azure/Google/etc, costs cents to a few dollars) to compromise your instance.

It's nice to talk about "having a physical machine to do the thing you need to be done" but it is not cost effective and we've been moving towards virtualization since the end of the 90s. Without it most of the services as they are used by consumers every day won't be cost effective, ergo won't exist.


----------



## phill (May 4, 2018)

Brilliant, something else we will not stop hearing about now...


----------



## R-T-B (May 9, 2018)

phill said:


> Brilliant, something else we will not stop hearing about now...



Crickets is all I hear...


----------



## jboydgolfer (May 9, 2018)

*I got a security based update on Win10 today... I was kind of surprised, as I just got the April update a few days back.*


----------



## eidairaman1 (May 9, 2018)

jboydgolfer said:


> *I got a security based update on Win10 today... I was kind of surprised, as I just got the April update a few days back.*



Kill it with fire man, kill it with fire!


----------



## R-T-B (May 9, 2018)

eidairaman1 said:


> Kill it with fire man, kill it with fire!



Yeah, because the initial release is so bug free you should never try to patch it.


----------



## eidairaman1 (May 9, 2018)

R-T-B said:


> Yeah, because the initial release is so bug free you should never try to patch it.



Glad you could see the humor


----------



## Easo (May 9, 2018)

So... news delayed, except that Intel reportedly has asked for a nondisclosure extension to prepare patches.
Urgh...
P.S.
You got the monthly cumulative update on Patch Tuesday.
It has nothing to do with the April 2018 Update (1803) being released so late.


----------



## jboydgolfer (May 9, 2018)

eidairaman1 said:


> Kill it with fire man, kill it with fire!



Eh, it seems fine.


----------



## eidairaman1 (May 9, 2018)

jboydgolfer said:


> Eh, it seems fine.



Was trying to be humorous.


----------



## erpguy53 (May 26, 2018)

Hood said:


> This news caused me to check the Asus website for a patched BIOS (for the 50th time!), and finally, there is a new BIOS posted for my Z97 Deluxe board (3503 beta).  So I took a chance and flashed it - ran the InSpectre utility, and it now shows that my system is secure against both Meltdown and Spectre, with good performance.  I heard they haven't got around to the Z87 boards yet, but if you have a Z97 Asus board, there should be one for your model now.  Now I'm going to benchmark this system to see if it lost any speed.
> Am I still vulnerable to these new variations?  I guess we'll have to wait for the new version of InSpectre to find out!  But I feel safer, somehow.



Though you are using an outdated version of the InSpectre tool.  The current release of InSpectre is release 8, which also checks if a microcode update is available and identifies a processor's CPUID.


----------



## Hood (May 27, 2018)

erpguy53 said:


> Though you are using an outdated version of the InSpectre tool. The current release of InSpectre is release 8, which also checks if a microcode update is available and identifies a processor's CPUID.


Yeah, I realized that, right after I posted that screenshot.  Now I have version 8, and I'm waiting for version 9, to cover the new Spectre variants.


----------



## FireFox (May 27, 2018)

I still have 1709. Should I install 1803, and is there any update I should avoid/skip? I do keep Windows Update disabled; I have never been a fan of Windows installing updates automatically.


----------



## EsaT (May 27, 2018)

R-T-B said:


> Crickets is all I hear...


Lucky you.
I've got an insane mosquito invasion here...

And the only way to keep them outside would be a completely airtight house without doors or anything.
Which is about as possible as hardware without some flaws/vulnerabilities.


----------

