Security researchers have found a new way to abuse the speculative execution mechanism of modern CPUs to break security boundaries and leak the contents of kernel memory. The new technique abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre.

The vulnerability was discovered by researchers from security firm Bitdefender and was reported to Intel almost a year ago. Since then, it has followed a lengthy coordination process that also involved Microsoft, which released mitigations during last month’s Patch Tuesday.

SWAPGS allows the kernel to gain access to internal, per-CPU data structures when a process transitions from user mode to kernel mode. However, researchers from Bitdefender found that the instruction’s behavior when executed speculatively is poorly documented and has security implications.

There are three attack scenarios involving SWAPGS. One allows attackers to bypass KASLR (Kernel Address Space Layout Randomization), a mechanism in modern operating systems designed to make exploitation of vulnerabilities harder.

The second allows attackers to test from user space whether a certain value exists at a given kernel memory address, and the third, the most serious one, can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability, and in fact the new technique is cataloged as a variant of Spectre version 1.

The performance of the attack is not great; the researchers estimate that attackers could leak a few bytes every few minutes by using their proof-of-concept exploit. However, they also believe that the leak rate can be significantly improved in the future.

Windows most vulnerable to SWAPGS vulnerability

What’s interesting about the attack is that it bypassed all existing software mitigations, including the Kernel Page Table Isolation (KPTI) mechanism that is supposed to fully isolate kernel memory in its own virtual address space, making Spectre- and Meltdown-like attacks harder.

The researchers focused their testing on Microsoft Windows, since it was the easiest target due to the way SWAPGS was used by the OS. The issue has been assigned the CVE-2019-1125 identifier.

“We’re aware of this industry-wide issue and have been working closely with affected chip manufacturers and industry partners to develop and test mitigations to protect our customers,” a Microsoft spokesperson said in an emailed statement. “We released security updates in July and customers who have Windows Update enabled and applied the security updates are protected automatically.”

While mitigations for the flaw were included in the July Windows patches, details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.

“A quick analysis of the Linux kernel revealed that although it contains a gadget which may be used in an attack, it lies inside the Non-Maskable Interrupt (NMI) handler,” Bitdefender researchers said in their paper. “We therefore believe that Linux would be difficult (if not impossible) to attack.”

Red Hat confirmed that its products are theoretically vulnerable, but noted in an advisory that there is currently no known way to exploit it successfully on systems running the Linux kernel. Even so, the company has released kernel updates and noted that the mitigations can have a small performance impact on Intel and AMD CPUs, which are the only ones affected by this issue.

“A quick analysis of the Hyper-V kernel and of the Xen hypervisor kernel revealed that the SWAPGS instruction is not used, so exploitation is impossible,” Bitdefender researchers said. “Other operating systems and hypervisors have not been investigated, although Microsoft, during the coordination of the disclosure, notified all the interested parties about this vulnerability.”

SWAPGS attack mitigated in software

Like Spectre version 1, the new SWAPGS attack can be mitigated directly in software and does not require microcode updates. That’s why Intel let Microsoft take the lead on coordinating the vulnerability disclosure.

“Intel, along with industry partners, determined the issue was better addressed at the software level and connected the researchers to Microsoft,” Intel said in an emailed statement. “It takes the ecosystem working together to collectively keep products and data more secure and this issue is being coordinated by Microsoft.”

This is just the latest in a long list of CPU vulnerabilities and variants that have come to light since the Spectre and Meltdown flaws were announced in January 2018. As the security research community continues to take a closer look at how modern processors and other hardware components work at a low level, more security issues are likely to be found.