A design flaw in all Intel chips produced in the last decade is responsible for a vulnerability that puts Linux, Windows and macOS-powered computers at risk, according to multiple press reports.
The flaw reportedly is in the kernel that controls the chip performance, allowing commonly used programs to access the contents and layout of a computer’s protected kernel memory areas. The Linux kernel community, Microsoft and Apple have been working on patches to their operating systems to prevent the vulnerability.
The Linux vulnerability was discovered in part through discussions in the Linux development forums referencing drastic overhauls in how the OS handles kernel memory.
Intel on Wednesday characterized the reports as incorrect, maintaining in an online post that the problem is not due to a bug or flaw, and that it is not unique to Intel products.
“The flaw is OS independent, so the impact is far more reaching than just Linux, including Windows, macOS, virtual and cloud environments,” said Chris Morales, head of security analytics at Vectra.
Fixing the problem entails making major changes at the operating system level. Current Linux patches involve separating the kernel’s memory from the user processes.
The flaw in the Intel chip involves the process used to ensure users do not have access to the kernel, Morales told LinuxInsider. That process has a bug that allows a user to execute code to read and access kernel-level memory.
It exposes critical information that would be stored there, like system passwords, he said, noting that a proof of concept that exploits the flaw already has been seen in the wild.
“This flaw in the Intel chipset will impact virtual and cloud environments that load entire systems in memory, which could expose workloads to other systems and applications that share the same hardware,” Morales added.
Linux and any other operating system patches for impacted Intel processors have to be rewritten to completely separate user memory space from the kernel memory space, according to Morales. Rewriting the OS to correct the flaw will require more computational resources.
At best, that will slow down the entire operating system. A patch for the kernel already has been written, and slowdowns in application performance already have been recorded, he said.
“This is an example of a flaw that has existed for years. We do not know who already may know about it, and even worse, may have already exploited it,” Morales warned.
Dealing With It
Regarding the impact on Linux systems, The Linux Foundation is not involved in vetting solutions for kernel problems, according to spokesperson Dan Brown.
“The Linux Foundation is a separate entity from the Linux kernel community,” he told LinuxInsider. “We support the community with resources and organizing things like events and training to help the community grow. The kernel developers themselves manage all technical aspects of Linux, including patching.”
The major OS developers have issued patches or are working on them. Linux has a patch with redacted release notes, though there are proofs of concept in the wild, noted Jason Kent, CTO at AsTech.
“The major news around this should not be another flaw. The real news here is the patch seems to have some major impact on system performance,” he told LinuxInsider.
The issue could be from regression — that is, an old bug resurfacing, he said, or it could be that the new way to protect the system is much heavier and causes degradation.
Community Monitoring Needed
Dealing with this Intel chip flaw is more involved than the obvious need to patch. The community has to be extra mindful to not just patch and hope for the best, warned Kent.
“This one is going to need lots of monitoring to ensure the applications running on those devices are not suddenly unable to work with a standard workload. This could have wide implications of doubt being cast on vulnerability management programs in general, as well as how open source might be viewed,” he said.
This is not your typical common vulnerability, noted Dan Hubbard, chief security architect at Lacework.
It should be taken very seriously due to the large threat surface, he told LinuxInsider.
“While the community is building a fix for the vulnerability, customers should be deploying mitigating controls to protect their infrastructure and key assets,” Hubbard cautioned.
For public cloud, in particular, users should have the appropriate visibility and detection to identify possible exploits that may lead to significant breaches, he added.
Linux Impact Not Ignored
Intel and the Linux community appear to be doing everything they can to help people understand and address the issue via software patches, said Charles King, principal analyst at Pund-IT.
“The current patches are not perfect solutions,” he told LinuxInsider, “but given the severity of the problem, it is critical that everyone does what they can to secure and repair affected systems.”
"…Intel on Wednesday characterized the reports as incorrect…"
Seems to be the ‘new normal’ for companies, be it a designed-in bug which has existed for years, or a designed-in stupid engineering-design trick to do away with user-replaceable batteries.
The ‘millennial mentality’, also known as ‘Facebook’ mentality: "It’s not wrong if you don’t get caught. If you do get caught, deny everything. NEVER admit to any culpability."