SecurityWeek
Should You Be Concerned About the Recently Leaked Spectre Exploits?

A researcher revealed on Monday that some exploits for the notorious CPU vulnerability known as Spectre were uploaded recently to the VirusTotal malware analysis service. While some experts say this could increase the risk of exploitation for malicious purposes, others believe there is no reason for concern.

The Spectre and Meltdown vulnerabilities were disclosed in January 2018, when researchers warned that billions of devices powered by processors from Intel, AMD and other vendors were impacted. An attacker with access to the targeted system can exploit the flaws to obtain potentially sensitive data. Patches and mitigations have been released, but many devices likely remain vulnerable, in part because of the performance impact of the patches and the relatively low risk of exploitation in the wild.

In a blog post titled “Spectre exploits in the ‘wild’”, researcher Julien Voisin shared a brief analysis of a Spectre exploit for Linux that had been uploaded to VirusTotal in early February. The exploit attempts to leverage CVE-2017-5753, one of the two CVEs assigned to the Spectre flaw, for privilege escalation. A Windows exploit was also found on VirusTotal.

An analysis of the exploits spotted by Voisin showed that they came from offensive security firm Immunity and they were part of its CANVAS product, which includes hundreds of exploits, an automated exploitation system, and an exploit development framework for pentesters and researchers.

The Spectre exploit was developed by Immunity in 2018, shortly after the existence of the Spectre and Meltdown vulnerabilities came to light. However, a copy of CANVAS containing more than 800 exploits, including the Spectre exploits, started emerging recently on hacker forums, which is likely how they ended up on VirusTotal.

Voisin noted that the exploit still had a zero detection rate on VirusTotal when he had blogged about it. At the time of writing, it’s detected by 27 of 63 engines on VirusTotal.

Some members of the cybersecurity community have raised concerns about the availability of what some people described as “weaponized Spectre exploits.”

“More than three years after the discovery and publication of the Spectre vulnerability, there are signs that it could be weaponized, not just a POC. This new discovery has increased the potential risk,” Tal Morgenstern, co-founder and CPO of vulnerability remediation orchestration firm Vulcan Cyber, said via email.


However, he added, “We still need to consider that this is a local exploit, where an attacker would need to gain remote access by other means, making this a multistep attack.”

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, also believes the wider availability of exploits could increase the risk posed by the flaws, particularly in the case of users with older and unpatched operating systems, but he also admitted that “the technical requirements of a threat actor are still significant.”

Moritz Lipp, one of the researchers who discovered the Spectre vulnerability, told SecurityWeek that he does not believe the wider availability of the exploits makes a big difference now, pointing out that the exploit only works under certain conditions, including that the SMAP CPU feature is disabled and that an older version of the Linux kernel is present.
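As an added illustration (not code from the article, from Voisin or from Immunity), the following shell script checks a Linux host for the two preconditions Lipp mentions by reading /proc/cpuinfo, /proc/cmdline and the kernel's sysfs vulnerabilities entry for Spectre v1; it only reports. The check of the `nosmap` boot parameter is an added caveat, since the CPU flag alone does not show whether the kernel left SMAP enabled, and the "mitigated/exposed/attention" verdict is this script's own classification.

```shell
#!/bin/sh
# Added example, not from the article or Immunity/CANVAS: a read-only triage
# script reporting SMAP availability and the kernel's own Spectre v1
# (CVE-2017-5753) status, so a defender can see whether a host even matches
# the exploit's preconditions. Paths are parameters so the functions can run
# against constructed files; the defaults point at the live system.

# "yes" if the CPU advertises SMAP and it was not disabled at boot, else "no".
smap_flag() {
    cpuinfo=${1:-/proc/cpuinfo}
    cmdline=${2:-/proc/cmdline}
    if grep -qw nosmap "$cmdline" 2>/dev/null; then
        echo no        # hardware may support it, but the kernel turned it off
    elif grep '^flags' "$cpuinfo" 2>/dev/null | head -n1 | grep -qw smap; then
        echo yes
    else
        echo no
    fi
}

# Kernel-reported Spectre v1 status from sysfs; "absent" when the kernel is
# old enough not to have the vulnerabilities directory at all.
spectre_v1_status() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/spectre_v1}
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Combine both signals into a single verdict (this script's own terms):
#   mitigated - SMAP on and the kernel reports a mitigation
#   exposed   - SMAP off and the kernel reports Vulnerable or nothing at all
#   attention - only one of the two protections is in place
assess() {
    smap=$1; status=$2
    case "$status" in Mitigation:*) kmit=yes ;; *) kmit=no ;; esac
    if [ "$smap" = yes ] && [ "$kmit" = yes ]; then echo mitigated
    elif [ "$smap" = no ] && [ "$kmit" = no ]; then echo exposed
    else echo attention
    fi
}

main() {
    s=$(smap_flag); v=$(spectre_v1_status)
    echo "kernel:     $(uname -r)"
    echo "smap:       $s"
    echo "spectre_v1: $v"
    echo "verdict:    $(assess "$s" "$v")"
}
main
```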

Lipp also suggested that it wouldn’t have been difficult for threat actors to create such exploits for Spectre given the proof-of-concepts (PoCs) that have been made available by the team that discovered Spectre and by researchers who found other similar CPU vulnerabilities.

Voisin told SecurityWeek that he published his blog post “to show that Spectre is a credible vector, but it doesn’t mean that everyone is able to write exploits for it.”

“Having a commercial-grade [exploit] shows that serious players have access to this kind of vectors,” the researcher explained. “It does increase a bit the chances of attacks of course, but only on the supported systems.”

He added that “there are better ways to escalate privileges on Linux, like the Baron Samedit exploit for sudo, or whatever privesc of the week on Windows.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
