Intel LazyFP Vulnerability : CVE-2018-3665

An information disclosure vulnerability has been disclosed in Intel microprocessors. Lazily restored FP state is susceptible to speculative-execution cache side-channel attacks: a process can infer the FPU register (AVX, MMX and SSE) values of other processes. CVE-2018-3665 has been assigned to track this issue. It does not affect AMD processors. Intel has addressed this vulnerability in INTEL-SA-00145. Microsoft has also acknowledged the vulnerability and has yet to comment on patches.

Lazy FP restore
Most modern microprocessors have a dedicated Floating Point Unit (FPU), used for high-precision floating point operations in crypto, graphics, etc. The FPU contains its own dedicated registers for data, status, control, etc., so its state is also maintained on a per-process basis. When a process context switch occurs, the FPU state needs to be preserved and restored as required, similar to the processor's general purpose registers. Ideally the FPU state would be preserved and restored on every context switch. Unfortunately this is a costly operation, and optimization techniques are employed to improve performance.

Lazy FP restore is one such technique. As the name suggests, storing/preserving of the FP state is deferred until it is required. If a process context switch has occurred and the new process does not execute FP instructions, the FP state is not stored. On the other hand, if an FP instruction is encountered, an exception (#NM, Device Not Available, No Math Coprocessor) is raised and the corresponding exception handler stores the current FP state into the associated (previous) process's memory. After that, the FP instruction of the current process is re-executed and this time the FP operation goes through. Lazy FP restore is enabled by setting the CR0.TS bit.

Exploitation
An #NM exception is raised if an FPU instruction is encountered and the CR0.TS bit is not set (FPU is disabled). To exploit the LazyFP vulnerability we need to ensure that #NM is not raised. While the FPU is disabled, we disclose the contents of the FPU register (belonging to the previous process) using a flush-and-reload attack. Speculative execution works to our advantage here: the processor executes an instruction speculatively if it has no unresolved dependencies, and reading an FP register into another register has no dependencies.

For example, movq rax, xmm0 would trigger an #NM exception under normal execution, but the operation is carried out speculatively and rolled back if the branch prediction turns out to be wrong. We can then carry out the flush-and-reload attack against rax and infer the value of xmm0. The PoC listed below is one of the methods that can be used to disclose the contents of an FPU register.

mov dword [0], 0         ; trigger a pagefault
movq rax, xmm0           ; read content of xmm0, would trigger #NM
and rax, 1               ; mask bit 0
shl rax, 6               ; align to cache line
mov dword [mem + rax], 0 ; access "mem" with offset depending on xmm0 content;
#PoC by Cyberus Technology

The page fault causes the processor to execute the following instructions speculatively. This sample code infers one bit of the xmm0 register.

Mitigation
Intel recommends that vendors use eager FP restore instead of lazy FP restore.

  • RHEL-7 uses ‘eager’ FP restore on Sandy Bridge and newer Intel processors. For older processors the kernel needs to be booted with the eagerfpu=on parameter. RHEL-6 and earlier versions do not support this boot parameter; this will be addressed in future updates.
  • GNU/Linux with kernel versions >= 3.7 also supports the eagerfpu=on boot parameter.
  • Lazy FP restore is enabled by default on Windows and cannot be disabled.
  • AWS and VMs on Azure are not affected by this vulnerability.
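The mitigation bullets above come down to three facts about a Linux host: kernel version, the eagerfpu= boot parameter, and whether the CPU is Sandy Bridge or newer (XSAVEOPT present). The following POSIX shell check is an added example, not part of the original post or of any vendor tooling; it assumes (labelled in the comments) that mainline kernels from 4.9 onward no longer have a lazy mode and that eagerfpu=auto selects eager mode when the xsaveopt CPU flag is present. It does not track distro backports such as RHSA-2018:1852.

```shell
#!/bin/sh
# Added example: classify the FPU context-switch mode of a Linux host
# from three inputs, so an administrator can tell whether the kernel
# may still use lazy FP restore (CVE-2018-3665).
# Assumptions: lazy mode removed from mainline in 4.9 (not verified by
# the post), and eagerfpu=auto picks eager when XSAVEOPT is available.

# fpu_mode KERNEL_VERSION CMDLINE CPU_FLAGS  -> prints eager | lazy
fpu_mode() {
    ver=$1; cmdline=$2; flags=$3
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    # 1. Kernels older than 3.7 do not know eagerfpu= at all (RHEL-6 era).
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 7 ]; }; then
        echo lazy; return
    fi
    # 2. Mainline 4.9 and newer: no lazy mode left to enable (assumption).
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; }; then
        echo eager; return
    fi
    # 3. An explicit boot parameter overrides the automatic choice.
    case " $cmdline " in
        *" eagerfpu=on "*)  echo eager; return ;;
        *" eagerfpu=off "*) echo lazy;  return ;;
    esac
    # 4. Default (eagerfpu=auto): eager only when the CPU reports xsaveopt,
    #    i.e. Sandy Bridge and newer Intel parts; otherwise lazy.
    case " $flags " in
        *" xsaveopt "*) echo eager ;;
        *)              echo lazy  ;;
    esac
}

# Live check of the running host, reading the usual kernel interfaces.
check_host() {
    fpu_mode "$(uname -r)" \
             "$(cat /proc/cmdline 2>/dev/null)" \
             "$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)"
}
```

A result of lazy on a host that has not received a vendor kernel update means the FP state of other processes is exposed as described above; eagerfpu=on or the vendor patch is the fix.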

Qualys Detection
Qualys will actively add detections as vendors release patches addressing the LazyFP vulnerability. Please apply the latest patches from the respective vendors to address CVE-2018-3665. Qualys customers can scan their network with the QIDs listed below (not exhaustive) to detect vulnerable machines.

QID Description
236847 Red Hat Update for kernel (RHSA-2018:1852)
371008 Citrix Xen Security Updates (Advisory 267)
157744 Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2018-4145)
157743 Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2018-4134)
157742 Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2018-4144)
157741 Oracle Enterprise Linux Security Update for kernel (ELSA-2018-1852)

Update:
– Microsoft has released an advisory addressing CVE-2018-3665. Qualys will update its detection ASAP.
– Qualys customers can scan their network with QID : 91461 to detect vulnerable Windows targets.

Please continue to follow Qualys Threat Protection for coverage on this vulnerability.

References
CVE-2018-3665
Lazy FP state restore
Intel FP security issue
Lazy FPU Save/Restore (CVE-2018-3665)
ADV180016 | Microsoft Guidance for Lazy FP State Restore
Intel LazyFP vulnerability: Exploiting lazy FPU state switching
Xen Security Advisory 267 (XSA-267)
