The Reptar vulnerability can be used to escalate privileges, gain access to sensitive information, and cause denial of service. However, at least its fixing does not require intervention at the hardware level, as was in the case of an LVI attack.

Reptar Vulnerability in Intel CPUs Allow for Privileges Escalation

The vulnerability, discovered by Intel engineers themselves, has received the identifier CVE-2023-23583 and is described as an “REX prefix issue”.

Initially, it was believed that the error could be used only to provoke a denial of service. The vulnerability received only a CVSS score of 5.5. Intel initially planned to release a patch for it in March 2024.

However, deeper analysis showed that there was a way to exploit the bug to escalate privileges. And Intel moved the release date of the patch to November 2023. As a result, the vulnerability rating was changed to 8.8 points on the CVSS scale.

Intel does not expect any non-malware software to encounter this problem in the real world. It is expected that redundant REX prefixes will not be present in the code and will not be generated by compilers.

Malicious exploitation of the Reptar issue requires the execution of arbitrary code. Also, as a part of an internal review Intel identified the possibility of privilege escalation in certain scenarios.

Systems with affected processors, including Alder Lake, Raptor Lake and Sapphire Rapids, have already received updated firmware, and these patches do not impact performance.

Other Threats to Intel Processors

The history of Windows processor problems is quite rich. We also wrote about the Snoop attack, which can stop processors. And about the Platypus attack, which could be used by attackers to steal data. And also about problems with Active Management Technology (AMT) and Intel Standard Manageability (ISM).

However, earlier this year the media also wrote about one of the most serious errors in the history of Intel processors. It was CVE-2021-39296 issue (10 out of 10 on the CVSS scale). This vulnerability affected the integrated BMC (Baseboard Management Controller) and OpenBMC firmware on several of the company’s platforms. The issue CVE-2021-39296, as its ID shows, was discovered back in 2021, but was fixed only two years later.

Are processor vulnerabilities that dangerous?

Problems with processors are usually perceived as painful due to the fact that they are everywhere. They are the basis of almost any electronic device. And an exploitable vulnerability in Intel or AMD products can make millions of users around the world dependent on the actions of attackers.

A complete list of Intel processors affected by the CVE-2023-23583 vulnerability, as well as recommendations for resolving it, are available here.

The post Reptar Vulnerability Threatens Intel Processors appeared first on Gridinsoft Blog.

One of the first to notice the change was Elisey Boguslavsky of Advanced Intel, who tweeted that the group’s internal infrastructure had been shut down. According to him, other internal services of the group, such as chat servers, are also being decommissioned.

Let me remind you that we wrote that Leaked Conti ransomware source codes were used to attack Russian authorities, as well as that Experts analyzed the conversations of Conti and Hive ransomware groups.

The publication Bleeping Computer writes that at the same time, the public site for leaks “Conti News”, as well as the site for negotiating ransoms, are still available, but Boguslavsky explained to reporters that the Tor administrative panels used by hackers to negotiate and publish news on the site are already disabled.

Although Conti recently carried out a high-profile attack on Costa Rica, Boguslavsky believes it was done as a distraction while Conti members slowly migrated to other, smaller extortion groups.

Conti threatens the government of Costa Rica

Although the Conti brand no longer exists, experts are confident that this crime syndicate will play an important role in the extortion industry for a long time to come. So, Boguslavsky believes that instead of the traditional rebranding for hack groups (and the subsequent transformation into a new grouping), Conti’s leadership is collaborating with other smaller ransomware groups to carry out attacks.

As part of this “partnership”, small hack groups receive an influx of experienced pentesters, negotiators and operators from among Conti members. And the Conti syndicate, dividing into smaller “cells” controlled by a single leadership, gets mobility and the ability to evade the attention of law enforcement agencies.

According to the researchers, in this way Conti cooperates with groups HelloKitty, AvosLocker, Hive, BlackCat, BlackByte and so on. Also, Advanced Intel believes that members of Conti have created a number of new and autonomous groups that are completely focused on stealing data, not encrypting it. These groups include Karakurt, BlackByte and Bazarcall.

The post The Conti Ransomware Ceases Operations and Breaks Up into Several Groups appeared first on Gridinsoft Blog.

Let me remind you that with the release of the Skylake architecture, Intel introduced a technology called SGX (Software Guard Extensions).

SGX is a set of CPU instructions through which applications can create protected zones (enclaves) in the application’s address space, within which various confidential data can be stored under reliable protection.

SGX enclaves are usually isolated at the hardware level (SGX memory is separated from the rest of the CPU memory) and at the software level (SGX data is encrypted). The developers themselves describe this technology as a kind of “inverse sandbox”.

A year ago, several members of the University of Birmingham research team participated in the development of a similar attack, Plundervolt (CVE-2019-11157).

In fact, a year ago, researchers proved that by adjusting the voltage and frequency of the processor, they can change the bits inside the SGX, which will lead to errors that can be used later after the data has left the safe enclave. As a result, the Plundervolt attack could be used to recover encryption keys or introduce bugs into previously trusted software.

Following the disclosure of Plundervolt in December 2019, Intel has addressed the vulnerability by disabling the ability to reduce CPU voltage through microcode and BIOS updates.

Now the researchers say that they managed to implement a very similar hardware attack on SGX, while spending only $ 36 on hacking equipment. Scientists plan to hold a detailed presentation of VoltPillager next year, at the Usenix Security 2021 conference, and so far they have published a scientific report on their research.

VoltPillager works even on systems that have received the CVE-2019-11157 vulnerability patch. The essence of the attack is to inject messages into the Serial Voltage Identification (SVID) bus, between the CPU and the voltage regulator, in order to control the voltage in the CPU core.

Fortunately, VoltPillager is not a remote attack. To implement it, you need physical access to the server, opening the case and connecting special equipment. However, the researchers explain that the point of SGX is precisely to protect confidential data, including data from unscrupulous administrators. For example, if the servers are located in someone else’s data center or cloud provider, and local personnel can gain physical access to the machine, compromise the Intel processor and its SGX protection.

The team’s report states that as a defense against VoltPillager, user can apply cryptographic authentication for SVIDs or use CPU monitoring of malicious packets for SVIDs. However, the researchers believe that none of these methods will give good results, and only hardware changes can significantly change the situation.

However, it seems that Intel representatives are not too worried about the reports of scientists, and patches should not be expected. Thus, the researchers warned Intel about their discovery back in March this year, but the company replied that “opening the case and tampering with internal hardware to compromise SGX is not part of the SGX risk model. The patches for vulnerability CVE-2019-11157 (Plundervolt) are not designed to protect against hardware attacks.”

Intel representatives gave a similar comment this week to The Register:

Let me also remind you that Intel processors need hardware fixes due to new LVI attack.

The post VoltPillager attack compromises Intel SGX appeared first on Gridinsoft Blog.

The name is an acronym derived from Power Leakage Attacks: Targeting Your Protected User Secrets.

The Platypus attack and related issues are tracked as CVE-2020-8694 (Linux + Intel), CVE-2020-8695 (Intel), and CVE-2020-12912 (Linux + AMD). It should also be noted that the study was conducted as part of a project that was partially funded by Intel.

The attack relies on the Running Average Power Limit (RAPL) interface of Intel processors, that is, it uses a component that allows firmware and applications to control CPU and DRAM power consumption.

Platypus enables discovering what data is being processed internally by the CPU by looking at RAPL values and at encryption keys, passwords, confidential documents, and other data. Typically, access to such information is protected by a variety of security systems, including KASLR (kernel address space randomization) and hardware-isolated environments such as Intel SGX. But Platypus allows bypassing the defense mechanisms, simply by observing the changes in energy consumption.

In the course of tests carried out by the researchers, it was found that in 20 seconds it was possible to bypass the KASLR by observing the power consumption in RAPL, and then get the data from the Linux kernel.

In another test, it was possible to obtain data that was processed in the protected enclaves of Intel SGX. The Platypus attack was extracting RSA private keys from the SGX enclave, which required tracking RAPL data for 100 minutes. In turn, it takes between 26 and 277 hours to extract AES-NI encryption keys from the SGX enclave and from the Linux kernel memory space.

While attacks are possible on Windows and macOS devices, in these cases, the Intel Power Gadget must be installed on the target machines in order for the attackers to interact with the RAPL interface.

However, Platypus attacks targeting Intel SGX enclaves work independently from the OS.

The worst news is that the Platypus attack can be carried out remotely. The attacker does not need physical access to the target machine; instead, the malicious code can be hidden inside the application, which will only have to be somehow installed on the victim’s machine.

Platypus works against Intel desktop and server processors, according to scientists. In addition, Intel engineers said the attack also affects some mobile and embedded processors.

A list of Intel processors that are vulnerable to the Platypus attack can be found here.

Intel has already prepared updated versions of the microcode that block Platypus attacks, and the company has already distributed them to manufacturers, who will soon include patches in updates for their products. The Linux kernel was also updated.

Moreover, most of the processors that Platypus endangers are the latest models supported by both Intel and device manufacturers. That is, updates will obviously arrive soon.

Of course, the Platypus authors did not have the opportunity to test all devices available on the market for vulnerabilities. However, other manufacturers use the RAPL interface in their products, so the researchers believe that they may be at risk too.

So, one of the specialists told ZDNet reporters that the research group had conducted a number of experiments on AMD processors, and also observed data leakage through power consumption. The same problem can affect ARM-based devices, and other manufacturers, including Nvidia, Marvell and Ampere, use solutions very similar to RAPL in their products.

Let me remind you that I also talked about the SGAxe attack that endangers Intel processors and the fact that Snoop attack steals data from Intel processors.

The post Platypus attack allows stealing data from Intel processors appeared first on Gridinsoft Blog.

The bugs are collectively known as BleedingTooth and are associated with the BlueZ stack, which is widely used in Linux distributions, as well as consumer and industrial IoT devices (with Linux 2.4.6 and higher).

“This issue allows attackers to freely execute arbitrary code within Bluetooth range, while Intel attributed this flaw to privilege escalation and information disclosure”, – say Google experts.

Google engineer Andy Nguyen discovered this collection of BleedingTooth vulnerabilities. The vulnerabilities were identified as CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490, and appeared in the code back in 2012, 2016 and 2018.

The most serious bug in this suite is CVE-2020-12351, which is a type confusion vulnerability that affects Linux 4.8 and above kernels.

The bug has a high severity rating (8.3 points on the CVSS vulnerability rating scale) and can be exploited by an attacker if he is within Bluetooth range and knows the bd address of the target device.

To exploit the bug, an attacker must send a malicious l2cap packet to the victim, which can lead to denial of service (DoS) or arbitrary code execution with kernel privileges. Nguyen stresses that exploiting the problem does not require any user interaction.

The proof-of-concept exploit for CVE-2020-12351 has already been published on GitHub, and a demonstration of the attack in action can be seen in the video below.

The second issue, CVE-2020-12352, is an information leak and affects the Linux 3.6 and higher kernels. This error was assigned a medium severity category (5.3 on the CVSS).

“Knowing the bd-address of the victim, a remote attacker at a short distance can obtain information about the kernel stack containing various pointers that can be used to predict the memory structure and bypass KASLR. The leak may contain other valuable data, including encryption keys”, – explain the researchers at Google.

The third vulnerability, CVE-2020-24490 (5.3 score of CVSS), is a heap buffer overflow that affects Linux kernel version 4.19 and above. In this case, a remote attacker within a short distance of a vulnerable device can also achieve denial of service and even execute arbitrary code with kernel privileges.

Google researchers note that only devices equipped with Bluetooth 5 chips and which are in scan mode are affected, but attackers can use malicious chips for attacks.

In turn, specialists from Intel, which is one of the main participants in the BlueZ project, write that the BlueZ developers have already announced patches for all three discovered problems. Experts now recommend asap upgrading Linux kernel to version 5.9, which was released over the weekend.

Let me remind you that recently I talked about the IPStorm botnet, which, among other things, actively attacks Linux devices.

The post Google and Intel experts warn of dangerous Bluetooth bugs in Linux appeared first on Gridinsoft Blog.

The AMT and ISM bug was one of the most serious issues the company has addressed this month. The vulnerability is tracked as CVE-2020-8758 and scored 9.8 out of 10 on the CVSS vulnerability rating scale.

If exploited, the issue results in privilege escalation by an unauthenticated attacker. The bug occurs due to incorrect buffer limits in the network subsystem. All versions of Intel AMT and Intel ISM up to 11.8.79, 11.12.79, 11.22.79, 12.0.68 and 14.0.39 are vulnerable to attacks.

“If a customer is using Intel vPro without AMT support, an authenticated user with local access to the system may still be able to escalate privileges”, — warn Intel experts.

However, in addition to patches to fix the bug in AMT and ISM, the company also released fixes for its other products this month. For example, have been fixed the CVE-2020-0570 vulnerability in the BIOS firmware for Intel Core 8, 9 and 10th generation processors. The bug scored 7.6 on the CVSS scale and could lead to escalation of privileges, denial of service, or information disclosure, if the attacker had physical access to the vulnerable system.

In the BIOS firmware for the 8th generation Intel Core and Intel Pentium Silver, we fixed the medium severity bug CVE-2020-0571, which also allowed information disclosure.

Also, fixes were released for three other medium severity bugs that affected the 8th, 9th and 10th generation Intel Core and Celeron 4000/5000/. The vulnerabilities could lead to elevation of privilege or denial of service (CVE-2020-8672 and CVE-2019-14557) and information disclosure (CVE-2020-8671).

In addition, Intel fixed the CVE-2020-12302 bug in the Intel Driver & Support Assistant that could lead to local privilege escalation. Version 20.7.26.7 or later fixes the issue.

Let me remind you about the fact that Intel processors need hardware fixes due to new LVI attack and also about the SGAxe attack, that endangers Intel processors.

The post Intel engineers fixed critical bug in AMT and ISM appeared first on Gridinsoft Blog.

Till Kottmann collects accidentally dumped data from large technological companies, information from which leaks through misconfigured repositories, cloud servers and online portals.

However, Kottman faced a different kind of leak this week.

An anonymous hacker, who claims to have hacked Intel earlier this year, uploaded Mega and sent Kottman a 20GB dump containing the company’s source code and internal documents (including those marked “confidential” or “secret, not for disclosure”). The attacker assured that this is only the first part of the stolen data. Currently, the dump can be easily found on torrent trackers, file sharing and so on.

“Interestingly, among the source codes, associated with Intel Purely Refresh for Xeon processors, were found comments, containing the word ‘backdoor’, and some encrypted archives from the dump were protected by simple passwords such as ‘Intel123’ and ‘Intel123′”, — says Till Kottmann.

Although I have talked about attacks on Intel processors before, but this is the first time I’ve heard about leaks in the company.

ZDNet journalists report that they showed the dump to experts, which specialize in Intel processors, and they considered the information reliable (although they wished to remain anonymous due to the ethical side of the issue).

According to the publication’s own analysis, the leak contains Intel’s intellectual property, including one that is related to the design and construction of various chipsets.

“The files contain technical specifications, product guides, and manuals for processors dated 2016”, – according ZDNet journalists.

Most of the documents and sources are related to the Kaby Lake platform and the upcoming Tiger Lake, although a small number of documents refer to other products, including those developed by Intel for SpaceX.

It seems that the dump does not contain confidential data about customers or Intel employees, but it is not known yet, to what other information the unknown hacker could have gained access.

Till Kottman writes that the dump includes:

• Intel ME Bringup guides + (flash) tools + samples for various platforms;
• Kabylake (Purley Platform) BIOS Reference Code and Sample Code + initialization code (some exported from git repos with full history);
• Intel CEFDK (Consumer Electronics Firmware Development Kit) sources
• Silicon / FSP source codes for various platforms;
• various tools for development and debugging;
• Simics Simulation for Rocket Lake S and possibly other platforms;
• various road maps and other documentation;
• Camera driver binaries developed by Intel for SpaceX;
• schematics, documents, tools + firmware for unreleased Tiger Lake platform;
• Kabylake FDK tutorial videos;
• Intel Trace Hub + decoder files for various Intel ME versions;
• Elkhart Lake Silicon Reference and Platform Code Samples
• Verilog related data for various Xeon platforms;
• debugging of BIOS / TXE builds for various platforms;
• Bootguard SDK (encrypted zip);
• Intel Snowridge / Snowfish Process Simulator ADK;
• various schemes;
• Intel Marketing Templates (InDesign).

Intel officials said they were already investigating the situation, but denied that the company was affected by the hack. Instead, they believe that the leak could have occurred because someone got access to the Intel Resource and Design Center, downloaded confidential data from there without permission, and then share it with a Swiss researcher.

Interestingly, the attacker himself claims that he gained access to the information through an unprotected server hosted in the Akamai CDN, and not using the Intel Resource and Design Center account.

The post Intel investigates data leak: 20 GB of source codes and documents appeared first on Gridinsoft Blog.

The manufacturer also released updated microcodes for processors vulnerable to the new CrossTalk MDS problem. But CrossTalk was not limited to this, and this week it became known about another problem that also threatens Intel processors. This no less serious vulnerability is called SGAxe, and it is a variation of the speculative attack CacheOut, discovered in early 2020.

Let me remind you that CacheOut belongs to the class of vulnerabilities of Microarchitectural Data Sampling (MDS), which includes RIDL, Fallout and ZombieLoad, and rna can lead to data leakage from Intel processors, virtual machines and SGX enclaves. It’s also worth noting that CacheOut is a kind of successor to another processor problem, Foreshadow, which first used the L1 cache to extract SGX keys.

“The measures Intel took to eliminate side-channel attacks on SGX (firmware updates and new architectures) were not enough”, – said representatives of the research team that discovered CacheOut and SGAxe problems.

Due to this, exploitation of the SGAxe problem allows an attack of the transient execution type, which leads to the restoration of trusted by the Intel certification center SGX cryptographic keys.

The certification mechanism is an important part of SGX. In fact, with its help, enclaves can prove to third parties that they are correctly initialized and work on a true Intel processor. In particular, this allows making sure that the software running inside the CPU has not been superseded. Thus, extracting SGX certification keys allows attackers to pretend to be a legitimate Intel SGX machine from a cryptographic point of view.

Researchers note that the attack will work even if the SGX enclave is in standby mode, therefore, it bypasses all hardware defenses.

“If the certification keys of a machine are compromised, any secrets provided by the server can be read right away by an untrusted client host application, while all output supposedly created by client-side enclaves cannot be considered reliable. In fact, it makes all SGX-based DRM applications useless, as any secret can be easily restored”, — experts explain.

A complete list of processors for which SGAxe is dangerous has been published by Intel Product Security Incident Response Team (PSIRT) and can be seen here.

Although Intel have already released fixes for the CacheOut problem in January, now it is planned that Intel will update the microcode again to protect against CacheOut and SGAxe and address the root cause of these vulnerabilities.

The company will also restore the Trusted Compute Base (TCB), which will invalidate all previously signed and compiled certification keys.

“This process ensures that your system is in a safe mode and can reuse remote certification”, — write the researchers.

Let me remind you that we talked about the attacks of Snoop and Load Value Injection, which also possess serious threats to Intel.

The post SGAxe attack endangers Intel processors appeared first on Gridinsoft Blog.

100 absolutely “ridiculous” Microsoft patches were presented in February “Patch Tuesday”, but among them was the sensational 0-day vulnerability in Internet Explorer, which actively used attackers.

Overall, the total number of corrections issued by the company this year accounts 616, and this is almost the same as for the entire 2017.

“This time there were no 0-day vulnerabilities, which means that any of the fixed bugs was under attack”, – said Microsoft engineers.

Of all 129 vulnerabilities, only 11 received critical status (they affect Windows itself, the Edge and Internet Explorer browsers, as well as SharePoint).

Another 109 problems are rated as important (they affected Windows, company’s browsers, Office, Windows Defender, Dynamics, Visual Studio, Azure DevOps and Android applications).

The most serious problems this month include:

• CVE-2020-1181 – remote code execution in Microsoft SharePoint
• CVE-2020-1225, CVE-2020-1226 – remote code execution in Microsoft Excel
• CVE-2020-1223 – remote code execution in Word for Android
• CVE-2020-1248 – remote code execution in the Windows Graphics Device Interface (GDI)
• CVE-2020-1281 – remote code execution in Windows OLE
• CVE-2020-1299 – remote code execution when processing .LNK files
• CVE-2020-1300 – remote code execution in the print spooler component
• CVE-2020-1301 – remote code execution in Windows SMB
• CVE-2020-1213, CVE-2020-1214, CVE-2020-1215, CVE-2020-1216, CVE-2020-1230, CVE-2020-1260 – remote code execution in the VBScript engine

However, not only Microsoft has prepared patches for their products this week. So, the Adobe developers also fixed a number of serious problems in the Flash Player, Framemaker and Experience Manager.

SAP developers released 17 security bulletins and prepared patches for Apache Tomcat (CVE-2020-1938), two bugs in SAP Commerce (CVE-2020-6265, CVE-2020-6264), vulnerabilities in SAP Success Factors (CVE-2020- 6279) as well as issues in NetWeaver (CVE-2020-6275).

Intel has fixed more than 20 different vulnerabilities, including bugs in the Innovation Engine (CVE-2020-8675) and Special Register Buffer (CVE-2020-0543). The latter problem is called CrossTalk, and it allows you to “merge” confidential data from SGX enclaves.

The post On June “Patch Tuesday” Microsoft fixed 129 vulnerabilities in its products appeared first on Gridinsoft Blog.

Last week, Intel and AMD equalized number of discovered vulnerabilities, but as we will see right now, Intel processors are breaking ahead.

“The Snoop attack uses processor mechanisms such as a multilevel cache, cache consistency (coherence), and bus tracking”, – says Pawel Wieczorkiewicz.

Currently, most processors have a multi level cache memory, where data is stored during processing by the processor. Depending on the characteristics of the CPU, the cache can be single-level (L1), two-level (L2), or even three-level (L3). The most commonly used level is L1, which is divided into two. One section (L1D) is used to process user data, and the second (L1I) is used to process the instruction code of the CPU itself.

Due to its multi-core architecture and multi-level cache, data is usually stored simultaneously in several processor caches and even in RAM. Cache consistency is the process of synchronizing all levels of the cache in such a way that the same data is stored in L1, L2 and RAM as in L1D – the place where they begin to change.

Bus tracking is an operation in which the CPU updates all cache levels when data begins to change in L1D.

“Under certain conditions, malicious code can interfere with the process of monitoring the bus and cause errors that could lead to data leakage from the cache consistency process, namely, data that has been currently changed in L1D “, — found out Pawel Wieczorkiewicz.

However, unlike Meltdown and Specter, Snoop does not allow stealing large amounts of data. In addition, according to Intel, it is difficult to provide necessary conditions for an attack.

The engineer notified Intel about the problem, however, after examining the vulnerability, the company’s specialists concluded that the patch for the Foreshadow vulnerability (L1TF), released in 2018, also fixes it. A list of vulnerable Intel processors can be found here.

The post Snoop attack steals data from Intel processors appeared first on Gridinsoft Blog.