Monday, August 6, 2018

The Spectre Looms Over Us Still

The Spectre attack has been an unexpected danger to our security since January of this year. It’s an attack on most modern processors that use speculative execution to leak sensitive information to a potential attacker. Speculative execution allows processors to execute instructions in parallel, and in cases where instructions are dependent upon the results of other instructions, tries to predict which instructions are likely to take place. When there are hundreds of instructions to run, predictions provide a significant gain in performance. The Spectre attack starts by miss training the processor with processes that will cause erroneous speculative executions which also create covert side channels for exfiltration. Then the attacker has the victim perform an action that usually is allowed and requests sensitive information. Permissions are not checked until the instructions are committed so it has no problem reading the sensitive information and modifying the cache state in a vulnerable way. The attacker then retrieves that information despite the erroneous instructions being discarded.

Researchers at University of California, Riverside (UCR) have discovered a new form of the attack named SpectreRSB that uses the Return Stack Buffer (RSB) instead of the Branch target Buffer to acquire and smuggle sensitive information. Instead of causing the Branch Predictor to miss speculate onto a poisoned branch, SpectreRSB poisons the return address of the RSB. 

Intel already has a patch but only on the Core-i7 Skylake and later processors. The patch is called RSB refilling and it fills the RSB with a benign address whenever there is a switch to the Kernel. Some of the proposed attacks in the UCR paper can bypass RSB refilling, but the researchers believe their proof of concept attacks are unlikely to be practical because of the difficulty in implementing the gadget that smuggles the return address to a recoverable cache. 
Sources: 

More Vulnerabilities in the Smart Home

Researchers at Cisco Talos recently spent some time probing the Samsung SmartThings Hub, a device designed to be the center of your smart home. They discovered a number of vulnerabilities that allow remote information leakage up to arbitrary remote code execution. The device is designed to communicate with a range of devices over Ethernet, Z-Wave, Bluetooth, and Zigbee. These devices could be smart locks, IP cameras, alarm systems, thermostats and more.

The researchers found a total of 20 vulnerabilities in the hub. They noted that while each of the vulnerabilities by themselves might not have a great impact on the security of the device, in many cases the vulnerabilities can be chained together to form a complete exploit. Three vulnerability chains were identified that allows an attacker to have complete control over the device.

The first chain allows for remote code execution on the hub. By using a vulnerability that allows for the execution of arbitrary SQL queries an attacker would be able to trigger a different vulnerability that allows for memory corruption. Specially crafted queries would allow the attacker to execute arbitrary code via this attack vector. The second chain allows the attacker to get a glance inside the ‘hubCore’ process of the device, leaking sensitive information. This is accomplished via a vulnerability that allows an empty file to be created anywhere on the device. While at first glance this vulnerability doesn’t seem impactful, the researchers learned that creating this empty file in a specific location causes the ‘hubCore’ process to crash and create a memory dump.
The third vulnerability in this chain allows for the capture of this information over the network. The last of the 3 chains allows for remote code execution with no prior authentication. This chain relies on sending specially crafted queries to the ‘video-core’ process running on the device. A vulnerability in the HTTP pipeline allows the requests to reach the vulnerable service with an arbitrary payload that triggers a buffer overflow, allowing for remote code execution. While the third exploit chain requires no authentication, the first two have varying requirements depending on a number of factors. In some cases anyone holding a valid OAuth bearer token can talk to the remote servers in order to trigger some of the vulnerabilities. Malicious apps designed for the hub can also be used to trigger the exploits.
Cisco Talos reported all the found vulnerabilities to Samsung. Samsung responded by fixing the bugs and pushing a firmware update to all connected SmartThings Hubs. While the hubs are designed to update automatically, it is always a good idea to verify the firmware version currently running and update manually if necessary.

Sources: 