Slashdot Mirror


Intel Cache Poisoning Is Dangerously Easy On Linux

Julie188 writes "A researcher recently released proof-of-concept code for an exploit that allows a hacker to overrun an Intel CPU cache and plant a rootkit. A second, independent researcher has examined the exploit and noted that it is so simple and so stealthy that it is likely out in the wild now, unbeknownst to its victims. The attack works best on a Linux system with an Intel DQ35 motherboard with 2GB of memory. It turns out that Linux allows the root user to access MTR registers incredibly easily. With Windows this exploit can be used, but requires much more work and skill and so while the Linux exploit code is readily available now, no Windows exploit code has, so far, been released or seen. This attack is hardware specific, but unfortunately, it is specific to Intel's popular DQ35 motherboards."

11 of 393 comments

  1. "Exploit" implies there was an actual hole by amorsen · · Score: 5, Insightful

    I would recommend that you don't give out root access to script kiddies on systems where you don't want them to install rootkits.

    --
    Finally! A year of moderation! Ready for 2019?
  2. Re:Queue Microsoft Trolls in by Svartalf · · Score: 4, Insightful

    No kidding...

    It'd be as easy (different effort... but just as easy...) with Windows or MacOS, because of the nature of the exploit in question.

    This isn't a Linux thing. It's an INTEL issue, of which there's an exploit in the wild under Linux that gets around much of the security in the system.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  3. Re:Linux by Anonymous Coward · · Score: 5, Insightful

    This attack still requires root access, so all this says is that if you have an Intel DQ35 motherboard, are running Linux and you've already been rooted, then someone could probably install a really sneaky rootkit.

    Not a nonissue, but also not the end of the world.

  4. Re:First you need root on the box by victim · · Score: 4, Insightful

    The significance of SMM buried rootkits is that you can remove and shred the hard drive of your compromised machine, replace it with a new one, do a fresh install, and still be compromised.

  5. Re:It requires root privileges and is hw limited . by Creepy Crawler · · Score: 4, Insightful

    You fail.

    Hypervisor is higher. And code injected in there, or a trojan made as a hypervisor, and you're screwed.

  6. Re:First you need root on the box by blueg3 · · Score: 4, Insightful

    If you have root you can plant a rootkit in any number of ways, heck, just replace the kernel if you want.

    Replacing the kernel tends to trigger systems designed to catch intrusions, as it's painfully obvious. Running your malware persistently without being detected by the system is the point of a rootkit.

  7. Re:First you need root on the box by h4rr4r · · Score: 5, Insightful

    If you can stick a pen drive in the box you have physical access and that means all security pretty much goes out the window.

  8. Re:First you need root on the box by LoRdTAW · · Score: 5, Insightful

    I read the PDF of the exploit and from what it states the code injected into the SMRAM is effectively being executed in a region where no OS or hypervisor can touch. So from what I understand a system running virtualization software only needs one of the guest operating systems to become compromised in order for the attacker to gain control of the entire system. From there the other guest/host OSes or possibly the hypervisor can be attacked. So yes, for a single OS system it is redundant to attack the SMRAM because if you already have root then what's the point?

    But even with the ability to attack other software on a virtualized DQ35 system, their numbers, I am sure, are close to none. The DQ35 board is a uATX desktop board. If it were specific to Intel server boards or Intel-based server boards then I would worry.

    I wonder if this exploit is truly only limited to the DQ35. How many different Intel systems have they tested this on? And what about AMD systems, are they vulnerable to similar attacks?

  9. Re:Queue Microsoft Trolls in by Roger W Moore · · Score: 4, Insightful

    Yes, but for Linux they require root access, and I would argue that acquiring that in the first place requires a lot of work and skill, whereas with Windows it is generally handed to you as long as you are sat in front of the machine.

  10. Re:Linux by dtolman · · Score: 5, Insightful

    Why is this insightful? This is a problem that can be exploited through a hosted VM! If you've rooted one VM on a system, now you can jump to the host server and all the other hosted VMs. And oh yeah, there's no way to detect it at all!!!

  11. Re:Queue Microsoft Trolls in by overlordofmu · · Score: 5, Insightful

    And don't forget about the encrypted root file system. Take my drive. Hell, take my whole machine and you still don't have my data.

    Actually, I like my machine. Please, don't take it. I was just trying to make a point.