Updated: Intel denies product flaw, says other chipmakers affected.
A major flaw in Intel CPUs is expected to be revealed as early as this week, with the fix likely to have a performance hit on Intel-based machines.
Update, 4 Jan 8.28am AEST: Intel has confirmed it is affected by a still-undisclosed “exploit” but denied there is a “bug” or “flaw” in its products. It also said the problem is not “unique to Intel”. Intel’s full statement is appended below.
Clues as to the type and severity of the flaw were published in a blog post by ‘Python Sweetness’ that was widely shared among infosec researchers.
The flaw appears to offer a “side-channel” to skirt address space layout randomisation (ASLR) protections in a range of operating systems. ASLR is used to guard against memory corruption vulnerabilities, such as buffer overflow attacks.
The Python Sweetness post drew inferences about the flaw from the “urgent development of a software mitigation” which had recently landed in the Linux kernel, as well as “in NT kernels in November [2017].”
These mitigations appeared to be workarounds for a flaw that would ultimately require hardware changes to “fully resolve”.
In the days since the post, further details have emerged that point to a large-scale problem that is likely to affect a range of major cloud providers that run their services on Intel-based kit.
“People are speculating on a possible massive Intel CPU hardware bug that directly opens up serious vulnerabilities on big cloud providers which offer shared hosting (several VMs on a single host), for example by letting a VM read from or write to another one,” a major thread on Reddit states.
Several major cloud providers have notified customers of an impending “security update” over the next week.
Amazon has scheduled reboots to run over this weekend, while Microsoft has advised Azure customers of a need to reboot their VMs next week.
Neither advisory provides specifics on the apparent flaw, but the Reddit post notes that cloud providers were included on communications around software mitigations.
Fixing the issue is expected to incur a performance impact on affected machines.
While some have speculated this could be as high as a 30 percent hit, this appears to be OS and workload dependent, with at least one suggestion that the typical impact could be closer to five percent.
Others in the open source community have also warned of “regressions” around performance as a result of any fix, though they noted that “real-world scenarios probably will see somewhat smaller impact” than figures currently being speculated.
It isn’t just servers that are affected: 9to5Mac reports that Intel x86-based Macs are also likely to suffer, though it is unclear how Apple planned to work around the problem.
Update, 4 Jan 8.28am AEST: Intel’s full statement.
“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed.
Intel believes these exploits do not have the potential to corrupt, modify or delete data.
Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect.
Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.
Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively.
Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.
Intel is committed to the industry best practice of responsible disclosure of potential security issues, which is why Intel and other vendors had planned to disclose this issue next week when more software and firmware updates will be available. However, Intel is making this statement today because of the current inaccurate media reports.
Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available. Following good security practices that protect against malware in general will also help protect against possible exploitation until updates can be applied.
Intel believes its products are the most secure in the world and that, with the support of its partners, the current solutions to this issue provide the best possible security for its customers.”
