A serious vulnerability has been found in Intel CPUs that could allow an attacker to steal sensitive protected data, such as passwords and cryptographic keys, from other processes running on the same CPU core when the simultaneous multithreading feature is enabled.
The vulnerability, dubbed PortSmash (CVE-2018-5407), is considered a dangerous side-channel flaw similar to those discovered in the past year, including Meltdown and Spectre, TLBleed, and Foreshadow.
The flaw was discovered by security researchers at Tampere University of Technology in Finland and the Technical University of Havana, Cuba. The new side-channel vulnerability exists in Intel’s Hyper-Threading technology, which is the company's implementation of Simultaneous MultiThreading (SMT).
Simultaneous MultiThreading is a technique for improving the overall performance of superscalar CPUs with hardware multithreading. It works by splitting up each physical core of a processor into virtual cores called threads and allowing each core to run two instruction streams at the same time.
SMT runs two threads from two independent processes alongside each other on the same physical core to boost performance. Because the two threads share that core's execution resources, it is possible for one process to see what the other is doing.
According to the team, they have found a new CPU microarchitecture attack vector. The leakage is due to execution engine sharing on SMT (e.g., Hyper-Threading) architectures. They detect port contention to construct a timing side channel that exfiltrates information from processes running in parallel on the same physical core.
So it is possible for an attacker to run a malicious PortSmash process together with the selected victim process on the same CPU core, allowing the PortSmash code to snoop on the operations performed by the other process by measuring the precise time taken for each operation.
PortSmash Attack to Steal OpenSSL Decryption Keys
The researchers tested the PortSmash attack against the OpenSSL cryptography library (version <= 1.1.0h) and were able to steal the private decryption key using a malicious process running on the same physical core as the OpenSSL thread.
The PortSmash attack works on Intel’s Kaby Lake and Skylake processors at present but the researchers believe that the attack will work on other SMT architectures, including AMD’s, with some modifications to their code.
In August this year, after the TLBleed and Foreshadow attacks were unveiled, Theo de Raadt, the founder of OpenBSD and leader of the OpenSSH project, advised users to disable SMT/Hyper-Threading in all Intel BIOSes. He says that SMT is fundamentally broken because it shares resources between the two CPU instances and those shared resources lack security differentiators. He also suspected that more hardware bugs and artifacts would be disclosed.
How to Protect Your Systems Against PortSmash Attack
The researchers reported the vulnerability to Intel's security team last month, but the company failed to provide the security patches until 1 November. So, the team decided to disclose the exploit to the public.
They have promised to release a detailed paper on the PortSmash attack, titled Port Contention for Fun and Profit.
The simple fix for the PortSmash vulnerability is to disable SMT/Hyper-Threading in the CPU chip’s BIOS until the company releases security patches. OpenSSL users can upgrade to OpenSSL 1.1.1 (or >= 1.1.0i if you are looking for patches).
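The two mitigations above can be checked on a host with a short script. The following is an added example, not code from the researchers or from OpenSSL: it assumes a Linux kernel that exposes SMT state under /sys/devices/system/cpu/smt, and the function names are hypothetical. It applies only the version cut-offs given in this article, so older branches and pre-releases are reported as unknown.

```python
import re
import ssl
from pathlib import Path

SMT_DIR = Path("/sys/devices/system/cpu/smt")  # assumption: Linux sysfs SMT interface
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:pre|alpha|beta|dev)\w*)?")

def smt_active(smt_dir=SMT_DIR):
    """True if sibling hardware threads are online, False if not, None if unknown."""
    try:
        return (Path(smt_dir) / "active").read_text().strip() == "1"
    except OSError:  # non-Linux host, or a kernel without the smt/ directory
        return None

def openssl_status(version_text):
    """Classify an OpenSSL version string as 'affected', 'fixed' or 'unknown'."""
    m = _VER.search(version_text)
    if m is None or re.search(r"libressl|boringssl", version_text, re.I):
        return "unknown"
    release = tuple(int(g) for g in m.group(1, 2, 3))
    letter, prerelease = m.group(4), m.group(5)
    if release == (1, 1, 0):
        # Article: <= 1.1.0h was attacked, >= 1.1.0i carries the patch.
        # Patch letters run a..z, then za, zb, ...; "" is the base release.
        fixed = (len(letter), letter) >= (1, "i") and not prerelease
        return "fixed" if fixed else "affected"
    if release >= (1, 1, 1) and not prerelease:
        return "fixed"
    return "unknown"  # older branches and pre-releases: the article gives no cut-off

def portsmash_exposure(version_text, smt_dir=SMT_DIR):
    """Combine both mitigations named in the article into one finding."""
    smt, lib = smt_active(smt_dir), openssl_status(version_text)
    if smt is False:
        verdict = "mitigated"        # no sibling thread to contend for ports
    elif lib == "fixed":
        verdict = "library-patched"  # OpenSSL patched, SMT itself still enabled
    elif smt and lib == "affected":
        verdict = "exposed"
    else:
        verdict = "review"
    return {"smt_active": smt, "openssl": lib, "verdict": verdict}

if __name__ == "__main__":
    # ssl.OPENSSL_VERSION is the library linked into this Python interpreter.
    print(portsmash_exposure(ssl.OPENSSL_VERSION))
```

A "library-patched" verdict covers only the OpenSSL case described here; other software sharing the core is outside what this check looks at.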