New Spectre variation allow attackers recover data from System Management Mode

Share this…

A team of experts from Eclypsium presented a new variation of the Spectre attack, which allows attackers to recover the data hosted within the CPU system management mode.

Information security researchers devised this new variation that can allow attackers to recover the data stored within the System Administration Mode of the CPU (SMM) (also known as ring -2).

Experts excuse that SMM is an operating mode of x86 CPU in which normal execution is suspended, also the operating system.

spectre

If a code is sent to the SMM, the operating system is suspended and part of the UEFI / BIOS firmware executes commands with elevated privileges and with access to all data and hardware.

Professionals say, “One benefit of SMM is that it offers a distinct and isolated processor environment that operates transparently for the operating system or the executive and software applications.”

SMM mode was launched with Intel 386SL in the 90s. Intel CPUs run a memory protection mechanism, better known as range logging to protect sensitive contents of memory regions, SMM memory.

Information security experts commented that the SMM memory in Intel CPUs is protected by a type of range registers, better known as the System Administration Range Register (SMRR).

This study was based on a public concept test code for the vulnerability of the Specter 1 variant, CVE-2017-5753, to evade the SMRR mechanism and access the system management RAM (SMRAM) stored by the SMM and in where the SMM job data is executed.

“Since SMM normally has privileged access to physical memory, research shows that Specter-based attacks can expose other secrets in memory,” says the Eclypsium research report.

“These attacks allow an unprivileged malicious actor to read the contents of memory, such as SMM memory, exposing the SMM code and data that should be confidential, revealing vulnerabilities and data stored in SMM.”

The information security professionals brought the PoC code to a kernel driver and showed how it works from the kernel’s privilege level. Then they exploit the code from the privilege level of the kernel against the protected memory.

Experts explained that, “The kernel-level PoC exploit grants access to hardware interfaces, which gives malicious actors better control over the system hardware and access to different hardware interfaces such as physical memory, IO, PCI and interfaces. MMIO, in turn, also grants access to interfaces with a higher privilege level, such as SMI software. ”

“Afterwards, the PoC exploit is integrated into CHIPSEC to expand the tests. In our experiment, we tried to read the protected SMRAM memory, we mapped the physical addresses of SMRAM in the virtual address space and the SMRAM addresses were used as the target of exploit. “, added the information security researchers.

It is believed that it is possible to obtain the same result using the Specter 2 variant (CVE-2017-5715).

The new technique was reported to Intel in March. Intel commented that the security updates released for the Specter variant 1 and 2 should be sufficient to mitigate this new attack.