A new vulnerability in Intel, and possibly AMD, processors has been detailed and exploited in tests by a team of researchers from universities in Finland and Cuba. Dubbed PortSmash, the vulnerability is another classed as a side-channel attack in that one process running on a Hyperthreaded (HT) / Simultaneous Multithreading (SMT) processor can spy on another which is running on a partner thread.
News of PortSmash (CVE-2018-5407) broke just ahead of the weekend and code proof of concept, available on GitHub, demonstrates the attack works on Intel Skylake and Kaby Lake CPUs. This code was purposely limited so it could only target OpenSSL - and fixes have already been added to OpenSSL 1.1.1. The researchers strongly suspect that other architectures featuring SMT, especially AMD Ryzen systems, are also vulnerable to PortSmash style exploits.
While PortSmash is, as we said, another side-channel attack like Spectre, Meltdown or Foreshadow, the researchers say it is not that similar in other aspects. "Our attack has nothing to do with the memory subsystem or caching," one of the project researchers, Billy Brumley, told ZDNet. "The nature of the leakage is due to execution engine sharing on SMT (e.g. Hyper-Threading) architectures. More specifically, we detect port contention to construct a timing side-channel to exfiltrate information from processes running in parallel on the same physical core".
Brumley says that PortSmash requires malicious code to be running on the same physical core as the victim - but insists this isn't a huge hurdle. He postulates that attackers could "try to co-locate VMs with victims to end up running the exploit on the same physical core as the victim, but different logical core". Furthermore, PortSmash "definitely does not need root privileges," he said. Brumley hopes to "kill off the SMT trend in chips," on the gounds of security.
Intel was told about PortSmash on 1st Oct 2018 and readied a patch by 1st Nov. The following statement was provided by Intel as the PortSmash vulnerability news broke and reverberated:
"Intel received notice of the research. This issue is not reliant on speculative execution, and is therefore unrelated to Spectre, Meltdown or L1 Terminal Fault. We expect that it is not unique to Intel platforms. Research on side-channel analysis methods often focuses on manipulating and measuring the characteristics, such as timing, of shared hardware resources. Software or software libraries can be protected against such issues by employing side channel safe development practices. Protecting our customers' data and ensuring the security of our products is a top priority for Intel and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified."