BlindSide - hardware/kernel vulnerabilities

Updated -

Executive Summary

Red Hat Product Security is responding to a new attack vector known as "BlindSide." This is not a new flaw, but it is a new attack that probes memory contents using the hardware Speculative execution mechanisms.

This current attack side-steps existing Spectre mitigation.

Technical Details and Background

The VUSec whitepaper outlines how an attacker can use hardware speculative execution by side-stepping the current in-place speculative execution flaw mitigations, in combination with an existing (kernel) memory corruption vulnerability as a technique to suppress crashes while determining memory objects layout in memory, and effectively building memory layout probing primitives.

Being able to safely (without crashing) probe kernel memory layout is a foundational step in the exploitation chain that normally requires an information leak type of vulnerability to gather kernel memory layout to further leverage common attack vectors such as kernel memory corruption.

Affected Products

At this time, this specific flaw is only known to affect x86 architecture processors. Researchers tested their findings against Intel Whiskey Lake family, Intel Xeon E3-1505M v5, Xeon, E3-1270 v6, and Core i9-9900K CPUs, based on the Skylake, Kaby Lake, and Coffee Lake microarchitectures, respectively, as well as on AMD Ryzen 7 2700X and Ryzen 7 3700X CPUs, which are based on the Zen+ and Zen2 micro architectures. This issue affects all releases of Red Hat Enterprise Linux 8 and earlier.

Resolution

There is no resolution available at this time.

Additional References

VUSec paper

Youtube example