Intel CPU hardware vulnerable to a privilege escalation attack

Robert Westervelt

The U.S. Computer Emergency Response Team (US-CERT) has issued an advisory warning that some Intel 64-bit chipsets contain software that is improperly installed, creating a hole that could be used by an attacker to escalate privileges

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

or break out of a virtual machine.

The difference in implementation can be exploited by an attacker to write to arbitrary addresses in the operating system’s memory.

Xen Security Team

“Intel claims this vulnerability is a software implementation issue, as their processors are functioning as per their documented specifications,” the US-CERT said in a vulnerability note issued last week. “However, software that does not take the unsafe SYSRET behavior specific to Intel processors into account may be vulnerable.”

Intel processors are not implementing error handling in its version of AMD’s SYSRET instruction, according to members of the Xen virtual machine security team, which disclosed the potential privilege escalation attack. “If an operating system is written according to AMD’s spec, but then run on Intel hardware, the difference in implementation can be exploited by an attacker to write to arbitrary addresses in the operating system’s memory,” according to the Xen team, which outlined the technical details of the vulnerability.

Microsoft addressed the flaw, issuing a security bulletin for its June 2012 Patch Tuesday updates. The company rated the update “important,” indicating an attacker must have valid login credentials to attempt to exploit the flaw. If successful, the attacker could run malware in kernel mode, making it difficult to detect by antivirus and other security technologies. The issue affects all 32-bit editions of Windows XP and Windows Server 2003; Windows 7 for x64-based Systems; and Windows Server 2008 R2 for x64-based Systems, the software giant said.

Similar advisories were issued by FreeBSD and Red Hat. In its advisory, Red Hat said the Xen hypervisor implementation contained in Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses. Red Hat issued an update addressing the flaws for Linux users.

The Xen team noted that organizations should get the patches deployed. The attack can work with hypervisors in virtual environments and operating systems.