Last night US-CERT (the Department of Homeland Security’s Computer Emergency Response Team) announced the public disclosure by researchers at endpoint security protection company Bitdefender of a new CPU-level information compromise vulnerability. Dubbed “SWAPGS”, the vulnerability is used to execute a “side channel” attack similar to the Spectre vulnerability disclosed by researchers (along with its companion vulnerability, “Meltdown”) back in 2018. SWAPGS is a system instruction (which means it can be executed only in kernel mode), available in 64-bit mode, and is intended to be used only by the operating system. It allows the kernel to quickly gain access to internal, per-CPU data structures as soon as a transition is made from user mode to kernel mode. That is a fancy way of saying that this CPU instruction is used to speed up processing, which is the same purpose as that of the vulnerable CPU instructions used to execute the Meltdown and Spectre side channel attacks.
Allegedly, the vulnerability affects all Intel and AMD x64 architecture microprocessors. However, AMD disputes that its processors have this vulnerability.
Forbes has an excellent description of the issue here: https://www.forbes.com/sites/daveywinder/2019/08/06/microsoft-confirms-new-windows-cpu-attack-vulnerability–advises-all-users-to-update-now/amp/
The US-CERT notice about the issue is at: https://www.us-cert.gov/ncas/current-activity/2019/08/06/swapgs-spectre-side-channel-vulnerability
Statements from Microsoft, Red Hat, and Google can be found here:
- Microsoft: Windows Kernel Information Disclosure Vulnerability
- Red Hat: Spectre SWAPGS gadget vulnerability
- Google: Spectre Side Channels
If you really want to dive deep into the issue, Bitdefender’s white paper about it can be found at https://businessresources.bitdefender.com/hubfs/noindex/Bitdefender-WhitePaper-SWAPGS.pdf
This is an example of responsible disclosure: the researchers worked with Intel and affected operating system publishers to ensure that the flaw was corrected before publishing their findings. Microsoft has already mitigated the issue in a security update bundled as part of the July 9, 2019 “patch Tuesday” updates. Other operating system publishers have followed suit. Therefore, our guidance is to ensure that operating system security updates are applied to all systems as soon as possible.
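One way to confirm on a Linux host that the SWAPGS fix is active after patching, as an added example (not code from this advisory or from any vendor). It assumes the status wording used by mainline Linux kernels, which report the SWAPGS barriers in the Spectre v1 sysfs entry; vendor kernels are assumed to use the same wording.

```shell
#!/bin/sh
# Added example: classify the kernel's Spectre v1 status line, which is where
# mainline Linux kernels report whether the SWAPGS barriers are in place.
# Assumption: the status strings matched below are the mainline ones.

SPECTRE_V1_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v1

# classify_spectre_v1 STATUS -> prints one verdict word
classify_spectre_v1() {
    case "$1" in
        "Not affected"*)
            echo not-affected ;;
        Vulnerable*)
            # Checked before the swapgs pattern: the "Vulnerable" line of a
            # patched kernel also contains the word "swapgs".
            echo vulnerable ;;
        Mitigation*swapgs*)
            echo mitigated ;;
        Mitigation*)
            # Spectre v1 hardening is present, but the kernel predates the
            # swapgs barriers, so the OS update has not been applied.
            echo kernel-update-needed ;;
        *)
            echo unknown ;;
    esac
}

# check_host [FILE] -> verdict for this host (FILE override is for testing)
check_host() {
    file=${1:-$SPECTRE_V1_FILE}
    status=""
    if [ ! -r "$file" ]; then
        # Non-Linux host, or a kernel too old to expose this sysfs entry
        echo unknown
        return 0
    fi
    IFS= read -r status < "$file" || true
    classify_spectre_v1 "$status"
}

echo "SWAPGS / Spectre v1 status: $(check_host)"
```

A verdict of `kernel-update-needed` or `unknown` means the host should be checked against the OS publisher's update; `vulnerable` usually means the mitigations were disabled at boot.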
As of now, there are no known weaponized exploits of this vulnerability being used in the wild. However, that does not mean that threat actors don’t already have knowledge of this flaw and aren’t able to weaponize it. As when Meltdown and Spectre were disclosed in January of 2018, Assura’s Security Operations Center is being extra vigilant in monitoring for unusual activities and its live threat feeds will be updated in real time as indicators of compromise emerge. Assura’s security monitoring (Managed SIEM) customers are already being monitored for attacks using the Meltdown and Spectre flaws.
Assura’s systems have all OS publisher patches applied and we are coordinating with our technology partners to ensure that their infrastructures are adequately protected against this threat. We also believe that our endpoint security partner, Cylance, is well positioned with their AI engine to detect SWAPGS the way that they were with Spectre and Meltdown.
If you have additional questions about this threat, feel free to reach out to us at firstname.lastname@example.org. If you’re a Virtual ISO customer, feel free to reach out to your VISO for additional advice based on your specific environment.