We just saw the disclosure of NetSpectre, a new attack built on Spectre variant 1 (CVE-2017-5753). Although many side-channel attacks have been shown over the past few quarters, this one is fundamentally different: instead of the malicious code running directly on the host system, the attack is carried out remotely over the network, which adds a new level of danger.
Researchers from Graz University of Technology published a paper called “NetSpectre: Read Arbitrary Memory over Network”. From the paper:
In this paper, we present NetSpectre, a new attack based on Spectre variant 1, requiring no attacker-controlled code on the target device, thus affecting billions of devices. Similar to a local Spectre attack, our remote attack requires the presence of a Spectre gadget in the code of the target. We show that systems containing the required Spectre gadgets in an exposed network interface or API can be attacked with our generic remote Spectre attack, allowing to read arbitrary memory over the network. The attacker only sends a series of crafted requests to the victim and measures the response time to leak a secret value from the victim’s memory.
NetSpectre also does not have to rely on the cache as its covert channel. Besides a cache-based variant, the paper introduces an AVX-based covert channel: the transmit gadget executes an AVX2 instruction only when the leaked bit is set, and because the processor powers down the upper half of the AVX2 unit after it has been idle for roughly a millisecond, the next AVX2 instruction takes measurably longer, which shows up in the response time of the following request. This channel does not depend on cache state and delivers higher leakage rates.
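To make the gadget pattern concrete, the following C snippet is an added illustration, not code from the paper or from any real network service: a request handler that takes an index from the network and bounds-checks it (the Spectre variant 1 leak gadget the paper describes), beside a hardened form that clamps the index without a branch, modelled on the idea behind the Linux kernel's array_index_nospec(). The bitstream data, the function names and the `flag` variable are constructed for the example. Architecturally both handlers behave identically; the difference is only what a mispredicted bounds check can reach, which is exactly what a test cannot observe and a code review has to catch.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed sample victim data: a small public bitstream that a network
 * request is allowed to index. In a real process, the memory that follows
 * this array is what an out-of-bounds speculative read would touch. */
#define BITSTREAM_LEN 16
static const uint8_t bitstream[BITSTREAM_LEN] = {
    1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1
};

/* State shared by the leak and transmit gadgets. Its cache state (or, in the
 * AVX variant, the vector unit's power state) is what the attacker times. */
static volatile uint8_t flag;

/* Vulnerable leak gadget: x is bounds-checked, but a branch predictor trained
 * with in-bounds requests lets an out-of-bounds x be used speculatively, so
 * bitstream[x] is read past the array and, if that bit is set, flag is
 * touched. Architecturally, out-of-bounds requests are refused. */
int handle_leak_request_vulnerable(size_t x)
{
    if (x < BITSTREAM_LEN) {
        if (bitstream[x])
            flag = 1;
        return bitstream[x];
    }
    return -1;
}

/* Branchless clamp: returns index when index < size, otherwise 0, with no
 * branch for the predictor to mispredict. Assumes size <= SIZE_MAX / 2 + 1.
 * (Production code additionally hides the inputs from the optimizer so the
 * compiler cannot reason the mask away; the kernel uses a barrier for that.) */
size_t index_nospec(size_t index, size_t size)
{
    /* Top bit of (index | (size - 1 - index)) is set iff index >= size. */
    size_t in_bounds = (~(index | (size - 1 - index)))
                       >> (sizeof(size_t) * CHAR_BIT - 1); /* 1 or 0 */
    return index & ((size_t)0 - in_bounds);               /* index or 0 */
}

/* Hardened leak gadget: even if the branch is mispredicted, the index used
 * for the load is forced to 0, so speculation can only read public data. */
int handle_leak_request_hardened(size_t x)
{
    if (x < BITSTREAM_LEN) {
        size_t i = index_nospec(x, BITSTREAM_LEN);
        if (bitstream[i])
            flag = 1;
        return bitstream[i];
    }
    return -1;
}

/* Transmit gadget: the attacker does not see flag's value, only how long this
 * request takes, which differs depending on whether flag is cached. */
int handle_transmit_request(void)
{
    return flag ? 1 : 0;
}
```

When reviewing network-facing code for this pattern, look for any attacker-supplied index that is bounds-checked with a branch and then used to load memory whose result influences a second, timeable operation; the fix is either a masked index as above or a speculation barrier (an `lfence` on x86) between the check and the use.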
NetSpectre Good News: It is Slow
On the upside, NetSpectre is not what one would call fast. Using the cache covert channel on a local network, the standard attack leaks about 15 bits of memory per hour. The higher-performance AVX variant quadruples this to about 60 bits per hour. At those rates, reading any sizeable region of the address space would still take a very long time, and the rates drop further over noisier links such as between cloud instances, since the attacker needs more measurements to average out network jitter.
NetSpectre is still scary. Once a paper like this is released, a host of security researchers will attempt to increase the speed of the attack, making it potentially more useful. An attack that needs neither physical access nor any code running on the target, only network access to a service that happens to contain a suitable gadget, is nothing short of scary in the server space.
We want to applaud the team behind NetSpectre for practicing responsible disclosure. The team notified Intel on March 20, 2018, and agreed on a late July 2018 release date. This is much better than what we noted in New Bizarre AMD EPYC and Ryzen Vulnerability Disclosure, which was not responsible disclosure. Great job, team from Graz.