Spectre Variants 1.1 & 1.2

Two new variants of the Spectre side channel attack have been discovered, neither of which are mitigated by previous Spectre security patches. eSentire Threat Intelligence assesses with medium confidence that, if weaponized, these vulnerabilities would represent a significant threat to clients. A successful attack using Spectre variant 1.1 may result in the theft of sensitive information such as usernames and passwords. The successful use of variant 1.2 could allow an attacker to overwrite ‘read-only’ data, effectively escaping a sandbox environment. In order for exploitation to occur, Spectre v 1.1 and v 1.2 require malicious code to already be on the system. The complexity and requirement of the previous infection make the weaponization of these vulnerabilities unlikely in the near future.

What we’re doing about it

• eSentire Threat Intelligence is monitoring this ongoing event for further information
• esRECON will update its vulnerability plugins as updates become available to assist in remediating these variants

What you should do about it

• Apply vendor patches once they are made available
• Ensure that employees are educated about ongoing threats

Additional information

• There are two alarming aspects found in the new Spectre variants that were not present in other iterations of the vulnerability. Firstly, variant 1.2 allows for code execution of pieces of memory that were meant to be read-only protected; this opens up new areas for an attack that have not been seen before. Secondly, variant 1.1, although very similar to Spectre 1, currently has no instrument which would allow detection.
• Spectre variants affect a massive number of devices. Variants 1.1 and 1.2 are known to affect both Intel and ARM processors and it is widely suspected that AMD processors are affected as well. This means that most modern operating systems are susceptible. Security patches have not yet been released for either new Spectre variant.
• eSentire has not observed an attack utilizing Spectre at this time and no major vendor has indicated that these attacks exist in the wild at this time.
• Spectre1.1, CVE-2018-3693, creates speculative buffer overflow to retrieve data from CPU memory sections that would otherwise be untouchable. Spectre variant 1.2 has yet to be assigned a public CVE number. Similar to Spectre variant 3, this attack relies on lazy PTE enforcement to overwrite read-only data.
• Technical details and additional information on both new Spectre variants can be found in the white paper Speculative Buffer Overflows: Attacks and Defenses[1]

References:

[1] Speculative Buffer Overflows: Attacks and Defenses
https://people.csail.mit.edu/vlk/spectre11.pdf