Researchers from Graz University of Technology have described a proof-of-concept variant of bounds check bypass (Spectre variant 1) (CVE-2017-5753) that they call NetSpectre.
The researchers demonstrate that Spectre gadgets in unpatched kernel or user code, when combined with a variant of Evict+Reload called Thrash+Reload and statistical analysis of network latency, could potentially be used to leak small amounts of data over a network (at most 60 bits per hour on a LAN).
At the time of publication, Intel determined that while NetSpectre presents a different attack surface than local bounds check bypass attacks, the mitigation for NetSpectre is the same as mitigation for other Spectre variant 1 methods. As the researchers note, using lfence and software sequences that restrict speculative execution can mitigate potential gadget code identified by compilers or through code analysis. Additionally, the practical applicability of NetSpectre can be limited by network defense techniques such as those used to protect against DDoS attacks.
Operating systems developers, virtual machine manager developers, and application developers should follow the recommendations in Analyzing Potential Bounds Check Bypass Vulnerabilities and the Spectre variant 1 disclosure to mitigate their code against potential NetSpectre attacks. Intel is not aware of any instances of NetSpectre being deployed in real-world attacks. Always keep your systems up to date with the latest OS and VMM patches.
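As an added illustration (not code from Intel's advisory or from the NetSpectre paper), the following C shows the gadget shape the guidance refers to, a bounds-checked array lookup whose index comes from untrusted input, next to two of the mitigations named above: an lfence placed after the bounds check, and a branchless index mask that keeps even a mispredicted path inside the array. The table, the function names and the inline assembly are constructed for this example; the lfence path assumes an x86 GCC or Clang toolchain and compiles to nothing elsewhere.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample table; idx is taken from untrusted input
 * (for NetSpectre, a value read out of a network request). */
#define TABLE_LEN 16
static const uint8_t table[TABLE_LEN] = {
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };

/* Gadget shape: architecturally correct, but the CPU may execute the
 * load speculatively with an out-of-bounds idx before the branch
 * resolves, leaving a cache footprint that depends on memory it must
 * not read. */
uint8_t lookup_unmitigated(size_t idx) {
    if (idx < TABLE_LEN)
        return table[idx];
    return 0;
}

/* Mitigation 1: lfence after the check. The load cannot issue until
 * the branch has resolved, so no speculative out-of-bounds access. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#endif
}

uint8_t lookup_lfence(size_t idx) {
    if (idx < TABLE_LEN) {
        speculation_barrier();
        return table[idx];
    }
    return 0;
}

/* Mitigation 2: branchless index masking, the idiom behind the Linux
 * kernel's array_index_nospec(). For idx, len below 2^(bits-1), the value
 * idx | (len - 1 - idx) has its top bit set exactly when idx >= len; an
 * arithmetic shift turns that into all-ones (in bounds) or zero. */
size_t index_mask_nospec(size_t idx, size_t len) {
    return (size_t)(~(ptrdiff_t)(idx | (len - 1 - idx))
                    >> (sizeof(size_t) * 8 - 1));
}

uint8_t lookup_masked(size_t idx) {
    if (idx < TABLE_LEN) {
        idx &= index_mask_nospec(idx, TABLE_LEN); /* stays < TABLE_LEN */
        return table[idx];
    }
    return 0;
}
```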
Protecting our customers and their data continues to be a critical priority for Intel, and we appreciate the efforts of the security community for their ongoing research.