Should You Be Concerned About the Recently Leaked Spectre Exploits?
A researcher revealed on Monday that some exploits for the notorious CPU vulnerability known as Spectre were uploaded recently to the VirusTotal malware analysis service. While some experts say this could increase the risk of exploitation for malicious purposes, others believe there is no reason for concern.
The Spectre and Meltdown vulnerabilities were disclosed in January 2018, when researchers warned that billions of devices powered by processors from Intel, AMD and other vendors were impacted. An attacker with access to the targeted system can exploit the flaws to obtain potentially sensitive data. Patches and mitigations have been released, but many devices likely remain vulnerable, in part because of the performance cost of the patches and the relatively low risk of exploitation in the wild.
In a blog post titled Spectre exploits in the “wild”, researcher Julien Voisin shared a brief analysis of a Spectre exploit for Linux that had been uploaded to VirusTotal in early February. The exploit attempts to leverage CVE-2017-5753 (Spectre variant 1, the bounds check bypass; CVE-2017-5715, variant 2, is the other CVE assigned to Spectre) for privilege escalation. A Windows exploit was also found on VirusTotal.
An analysis of the exploits spotted by Voisin showed that they came from offensive security firm Immunity and they were part of its CANVAS product, which includes hundreds of exploits, an automated exploitation system, and an exploit development framework for pentesters and researchers.
The Spectre exploit was developed by Immunity in 2018, shortly after the existence of the Spectre and Meltdown vulnerabilities came to light. However, a copy of CANVAS containing more than 800 exploits, including the Spectre exploits, started emerging recently on hacker forums, which is likely how they ended up on VirusTotal.
Voisin noted that the exploit still had a zero detection rate on VirusTotal when he blogged about it. At the time of writing, it is detected by 27 of 63 engines on VirusTotal.
Some members of the cybersecurity community have raised concerns about the availability of what some people described as “weaponized Spectre exploits.”
“More than three years after the discovery and publication of the Spectre vulnerability, there are signs that it could be weaponized, not just a POC. This new discovery has increased the potential risk,” Tal Morgenstern, co-founder and CPO of vulnerability remediation orchestration firm Vulcan Cyber, said via email.
However, he added, “We still need to consider that this is a local exploit, where an attacker would need to gain remote access by other means, making this a multistep attack.”
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, also believes the wider availability of exploits could increase the risk posed by the flaws, particularly in the case of users with older and unpatched operating systems, but he also admitted that “the technical requirements of a threat actor are still significant.”
Moritz Lipp, one of the researchers who discovered the Spectre vulnerability, told SecurityWeek that he does not believe the wider availability of the exploits makes a big difference now, pointing out that there are some conditions for the exploit to work, including that the SMAP CPU feature be disabled and that an older version of the Linux kernel be present.
Lipp also suggested that it wouldn’t have been difficult for threat actors to create such exploits for Spectre given the proof-of-concepts (PoCs) that have been made available by the team that discovered Spectre and by researchers who found other similar CPU vulnerabilities.
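The two preconditions named above for the leaked Linux exploit, a disabled SMAP and an unmitigated older kernel, are both visible from a Linux host without running anything from CANVAS. The script below is an added example, not code from the article, from Immunity or from the researchers quoted; it classifies the kernel's own spectre_v1 sysfs status string and checks whether SMAP is in effect from /proc/cpuinfo and the boot command line. The state labels (mitigated, vulnerable, enabled, disabled_by_cmdline and so on) are this script's own convention, the sample inputs are constructed in the format the kernel uses, and since the article gives no kernel version threshold the script only prints uname -r rather than judging it.

```shell
#!/bin/sh
# Added example (not code from the article, Immunity, or the researchers quoted).
# Reports the two preconditions for the leaked Linux exploit as a Linux host
# exposes them: the kernel's Spectre v1 mitigation status and whether SMAP is
# in effect. The state labels are this script's own convention.

# Classify the contents of /sys/devices/system/cpu/vulnerabilities/spectre_v1.
# The kernel writes "Not affected", "Mitigation: ..." or "Vulnerable: ...".
spectre_v1_state() {
  case "$1" in
    "Not affected"*) echo not_affected ;;
    Mitigation:*)    echo mitigated ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# Decide whether SMAP is in effect from /proc/cpuinfo and /proc/cmdline text.
# "nosmap" on the kernel command line turns the feature off even when the CPU
# supports it, so the command line is checked first; otherwise the "flags"
# line of /proc/cpuinfo must list "smap" as a whole word.
smap_state() {
  cpuinfo_text="$1"
  cmdline_text="$2"
  case " $cmdline_text " in
    *" nosmap "*) echo disabled_by_cmdline; return 0 ;;
  esac
  if printf '%s\n' "$cpuinfo_text" | grep -E '^flags[[:space:]]*:' |
     grep -qE '(^|[[:space:]])smap([[:space:]]|$)'; then
    echo enabled
  else
    echo absent
  fi
}

# Constructed sample inputs, in the format the kernel uses, for offline runs.
SAMPLE_V1_MITIGATED='Mitigation: usercopy/swapgs barriers and __user pointer sanitization'
SAMPLE_V1_VULNERABLE='Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers'
SAMPLE_CPUINFO='processor : 0
flags     : fpu vme de pse tsc msr pae mce cx8 smep smap'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 nosmap quiet'

# On a live Linux host, read the real files; elsewhere, show the samples.
if [ -r /sys/devices/system/cpu/vulnerabilities/spectre_v1 ] && [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
  echo "spectre_v1: $(spectre_v1_state "$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v1)")"
  echo "smap:       $(smap_state "$(cat /proc/cpuinfo)" "$(cat /proc/cmdline)")"
  echo "kernel:     $(uname -r)  (article names no version threshold; compare against your distro's backports)"
else
  echo "sample spectre_v1: $(spectre_v1_state "$SAMPLE_V1_VULNERABLE")"
  echo "sample smap:       $(smap_state "$SAMPLE_CPUINFO" "$SAMPLE_CMDLINE")"
fi
```

A host that reports "mitigated" for spectre_v1 and "enabled" for SMAP is outside the conditions Lipp describes; "vulnerable" plus "disabled_by_cmdline" or "absent" is the combination worth treating as in scope, subject to the kernel version the article leaves unspecified.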
Voisin told SecurityWeek that he published his blog post “to show that Spectre is a credible vector, but it doesn’t mean that everyone is able to write exploits for it.”
“Having a commercial-grade [exploit] shows that serious players have access to this kind of vector,” the researcher explained. “It does increase a bit the chances of attacks of course, but only on the supported systems.”
He added that “there are better ways to escalate privileges on Linux, like the Baron Samedit exploit for sudo, or whatever privesc of the week on Windows.”