A New Side-Channel Attack Has Arrived: SWAPGS

The SWAPGS vulnerability is a speculative execution side-channel vulnerability that allows bad actors to read data from privileged memory.

To increase performance, CPUs use a feature called speculative execution, which executes instructions before the processor knows whether they are needed. Attacks that target this feature are called side-channel attacks.

In a new side-channel attack discovered by Bitdefender, attackers “break the memory isolation provided by the CPU, allowing an unprivileged attacker to access privileged, kernel memory.”

This is done through the SWAPGS instruction found in 64-bit CPUs, which, when manipulated successfully, can be used to leak sensitive information from kernel memory even when the malicious process is running with low user permissions.

This could allow attackers to steal any type of information that is stored in the memory, including chat messages, emails, login credentials, payment information, passwords, encryption keys, tokens, or access credentials.

The SWAPGS Attack, as they call it, circumvents the protective measures that have been put in place in response to earlier attacks such as Spectre and Meltdown. The new attack takes advantage of SWAPGS, a system instruction that is used by the operating system to switch between two Model Specific Registers. The SWAPGS attack is, in effect, a variant of the Spectre V1 attack.

A skilled attacker who has already compromised the targeted system could use a SWAPGS attack to gain access to data stored in the memory that they would normally not be allowed to access. They could use this to escalate privileges or obtain sensitive information, such as passwords and encryption keys.

According to Bitdefender, the vulnerability impacts millions of home and enterprise devices that use Intel CPUs supporting SWAPGS and WRGSBASE instructions. This includes a vast majority of CPUs made since 2012. The cybersecurity firm has published a whitepaper detailing its findings, along with a video showing an attack against a machine running Windows 10.

How easily can this attack be executed?

Now that the details have been disclosed, the chances of falling victim to a SWAPGS attack have increased, so users are advised to apply available updates as a matter of urgency if they have not already done so. However, it should be remembered that, as Botezatu admits, “this is not your run of the mill attack against regular computers, as running the SWAPGS attack is time-consuming.”

Your average threat actor would instead rely on lucrative and easy-to-execute attack methodologies such as phishing. “On the other side, exploiting this bug from a threat actor perspective brings significant advantages,” Botezatu warns. “It circumvents anti-malware defenses and would leave no traces on the compromised system.”


Unpatched Windows systems running on 64-bit Intel hardware are susceptible to leaking sensitive kernel memory, including from user mode. The SWAPGS Attack finds a way around all known mitigation techniques deployed against previous side-channel attacks on vulnerabilities in speculative execution.

Addressing these vulnerabilities is extremely challenging. Since they lie deep within the structure and operation of modern CPUs, completely removing the vulnerabilities involves either replacing hardware or disabling functionality that greatly enhances performance. Likewise, creating mitigation mechanisms is highly complex and can hamper performance gains achieved by speculative-execution features. For example, completely removing the possibility of side-channel attacks against the speculative-execution functionality of Intel CPUs would require a complete disabling of hyperthreading, which would seriously degrade performance.


Bitdefender has demonstrated how Hypervisor Introspection stops the attack by removing conditions it needs to succeed on unpatched Windows systems. This mitigation has introduced no noticeable performance degradation. While deploying the patch from Microsoft is highly recommended, Hypervisor Introspection provides an effective compensating control until systems can be patched.

Hypervisor Introspection analyzes the memory of guest VMs and identifies objects of interest. Bitdefender mitigated this vulnerability, before the release of any applicable patch, by instrumenting each vulnerable SWAPGS instruction to make sure it doesn’t execute speculatively, preventing kernel memory leaks.

Despite their best efforts, many organizations struggle to deploy patches on an ideal timeline. Hypervisor Introspection helps them bridge the gap between the release and deployment of patches for serious security vulnerabilities.

Hypervisor Introspection is unique to Bitdefender. Today, it is supported with Citrix Hypervisor, Xen, and KVM as a technology preview.

For any Cyber Security information contact help@theweborion.com
