Intel and software vendors have started informing users about a new vulnerability involving side channel speculative execution that could be exploited by malicious actors to obtain sensitive information from the targeted system.
Dubbed LazyFP, the security hole is related to the floating point unit (FPU), also known as the math coprocessor. The FPU is used by the operating system when switching between processes – it saves the state of the current process and restores the state of the new process.
There are two types of switching, Lazy FPU and Eager FPU switching. Lazy FPU switching provides some benefits for performance, but on modern systems the gain has become negligible, which has led to an increasing use of Eager switching.
Researchers discovered recently that if the Lazy method is used, it may be possible for an attacker to access FPU state data, which can contain sensitive information, such as cryptographic keys.
“System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value,” Intel said in an advisory.
The vulnerability, tracked as CVE-2018-3665, is similar to Meltdown, specifically Variant 3a, but the issue has been assigned only a “medium” severity rating.
Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology and Zdenek Sojka from SYSGO AG have been credited for finding the vulnerability. Colin Percival has also been credited, but the researcher says he only wrote an exploit for the flaw.
Cyberus has published a blog post for the LazyFP vulnerability, but it has withheld some details at Intel’s request.
Each advisory, blog post and discussion focusing on LazyFP provides some clues as to which systems may be affected.
Intel says the vulnerability affects its Core processors, which are marketed as Xeon for servers. The company claims the issue has been addressed by operating system and hypervisor software developers for many years, and vendors that are still impacted should release updates in the coming weeks.
Systems using AMD or ARM processors do not appear to be impacted. “Based on our analysis to-date, we do not believe our products are susceptible to the recent security vulnerability identified around lazy FPU switching,” AMD told SecurityWeek.
Microsoft has yet to say exactly which versions of Windows are vulnerable, but the company noted that “Lazy restore” is enabled by default in all versions of the operating system and cannot be disabled. The tech giant assured customers that VMs running in Azure are not at risk.
AWS told customers that its infrastructure is not affected, but advised them to ensure their operating systems are always up to date. The Xen Project says systems running any version of Xen are vulnerable.
In the case of Linux, recent versions of the kernel use Eager FPU. On systems using older processors, the vulnerability can be mitigated by booting the kernel with the “eagerfpu=on” parameter to enable Eager FPU. Red Hat, DragonflyBSD and OpenBSD have published advisories.