NetSpectre is a remote Spectre attack that allows stealing data over the network
28.7.18 securityaffairs
Vulnerebility

Researchers discovered a new variant of the Spectre attack, dubbed NetSpectre, that allows to steal data over the network from the target system.
A group of researchers has devised a new variant of the Spectre attack, dubbed NetSpectre, that could allow an attacker to steal data over the network from the target system.

NetSpectre is described as a remote side-channel attack that like the Spectre variant 1 (CVE-2017-5753) exploit a flaw in the speculative execution mechanism. The technique could bypass address-space layout randomization on the remote system and allow the attackers to execute code on the vulnerable system.

The original Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

The researchers that discovered the NetSpectre attack explained that the technique leverages the AVX-based covert channel to capture data at a deficient speed of 60 bits per hour from the target system.

“we present NetSpectre, a generic remote Spectre variant 1 attack. ” reads the research paper.

“Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high performance AVX-based covert channel that we use in our cachefree Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system”

An attacker could carry out the Netspectre attack to read arbitrary memory from the systems that have a network interface exposed on the network and that contain the required Spectre gadgets.

“As our NetSpectre attack is mounted over the network, the victim device requires a network interface an attacker can reach. The attacker must be able to send a large number of network packets to the victim,” continues the paper.

“Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory.” the researchers said.

An attacker just needs to send a series of specially crafted requests to the target machine and observe the timing difference in the network packet response time to leak a secret value from the machine’s memory.

“In contrast to local Spectre attacks, where a single measurement can already be sufficient, NetSpectre attacks require a large number of measurements to distinguish
bits with a certain confidence” continues the paper.

The expert reported the NewSpectre attack to Intel in March and the tech giant addressed the issue with the first set of security patches it has released.