Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel Cache Poisoning Is Dangerously Easy On Linux

Posted by timothy on from the anything-you-set-your-mind-to dept.

Julie188 writes "A researcher recently released proof-of-concept code for an exploit that allows a hacker to overrun an Intel CPU cache and plant a rootkit. A second, independent researcher has examined the exploit and noted that it is so simple and so stealthy that it is likely out in the wild now, unbeknownst to its victims. The attack works best on a Linux system with an Intel DQ35 motherboard with 2GB of memory. It turns out that Linux allows the root user to access MTR registers incredibly easily. With Windows this exploit can be used, but requires much more work and skill and so while the Linux exploit code is readily available now, no Windows exploit code has, so far, been released or seen. This attack is hardware specific, but unfortunately, it is specific to Intel's popular DQ35 motherboards."

6 of 393 comments (clear)

  1. "Exploit" implies there was an actual hole by amorsen · · Score: 5, Insightful

    I would recommend that you don't give out root access to script kiddies on systems where you don't want them to install root kits.

    --
    Finally! A year of moderation! Ready for 2019?
  2. Re:Linux by Anonymous Coward · · Score: 5, Insightful

    This attack still requires root access, so all this says is that if you have an Intel DQ35 motherboard, are running linux and you've already been rooted, then someone could probably install a really sneaky rootkit.

    Not a nonissue, but also not the end of the world.

  3. Re:First you need root on the box by h4rr4r · · Score: 5, Insightful

    If you can stick a pen drive in the box you have physical access and that means all security pretty much goes out the window.

  4. Re:First you need root on the box by LoRdTAW · · Score: 5, Insightful

    I read the PDF of the exploit and from what it states the code injected into the SMRAM is effectively being executed in a region where no OS or hyper visor can touch. So from what I understand a system running virtualization software only needs one of the guest operating systems to become compromised in order for the attacker to gain control of the entire system. From there the other guest/host OS's or possibly the hyper visor can be attacked. So yes for a single OS system it is redundant to attack the SMRAM because if you already have root then whats the point?

    But even with the ability to attack other software on a virtualized DQ35 system, their numbers I am sure are close to none. The DQ35 board is a uATX desktop board. If it were specific to Intel server boards or Intel based server boards then I would worry.

    I wonder if this exploit is truly only limited to the DQ35. How many different Intel systems have they tested this on. And what about AMD systems, are they vulnerable to similar attacks?

  5. Re:Linux by dtolman · · Score: 5, Insightful

    Why is this insightful? This is a problem that can be exploited through a hosted VM! If you've rooted one VM on a system, now you can jump to the host server and all the other hosted VM's. And oh yeah - theres no way to detect it at all!!!

  6. Re:Queue Microsoft Trolls in by overlordofmu · · Score: 5, Insightful

    And don't forget about the encrypted root file system. Take my drive. Hell, take my whole machine and you still don't have my data.

    Actually, I like my machine. Please, don't take it. I was just trying to make a point.