What a terrible year for Intel security. First, we had the Meltdown and Spectre vulnerabilities that never seem to go away. Intel has now announced a new speculative execution side-channel vulnerability involving “Lazy FP state restore” that could allow a malicious program to read data being used by other processes.
So about that "Lazy FPU" vulnerability (CVE-2018-3665)… this probably ought to be a blog post, but the embargo just ended and I think it's important to get some details out quickly.
— Colin Percival (@cperciva) June 13, 2018
According to Intel, this new vulnerability affects all Intel Core-based microprocessors and is a flaw in the CPU itself, so it does not matter which operating system the user is running. It could be Windows, Linux, BSD or any other operating system running on an Intel Core-based CPU that uses “lazy FPU context switching”.
Lazy FPU context switching is a performance optimization used by operating systems: instead of saving and restoring the FPU (Floating Point Unit) registers on every context switch, the registers, which are locations on the CPU used to hold floating point values, are only saved and restored when a process actually needs them. A flaw in Intel’s CPUs allows another process to access these registers and the data they contain.
The problem is that these registers are used for a variety of tasks, including cryptographic operations. This could allow an attacker to observe the values they hold, which could make it easier to recover an encryption key.
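To make the mechanism described above concrete, here is an added toy model (not code from the article, Intel, or any operating system vendor) of lazy versus eager FPU context switching on a single core; the `Cpu` and `Process` classes and the register contents are constructed for illustration only.

```python
# Added toy model (not from the article): why lazy FPU switching leaves a
# previous task's register contents in the CPU until the next task's first
# FPU instruction, and why eager switching does not. Strings stand in for
# register contents. The actual flaw is that speculative execution can read
# the stale registers before the #NM trap restores them; this model only
# shows the window, not the speculative read.

class Process:
    def __init__(self, pid, fpu_state):
        self.pid = pid
        self.fpu_state = fpu_state    # saved copy of this task's FPU registers

class Cpu:
    """One core: a single physical FPU register file plus a scheduler."""
    def __init__(self, lazy):
        self.lazy = lazy
        self.fpu_regs = "<power-on zeros>"  # physical FPU register contents
        self.fpu_owner = None               # pid whose state is live in fpu_regs
        self.current = None

    def switch_to(self, proc):
        # Save the outgoing task's registers if they are live.
        if self.current is not None and self.fpu_owner == self.current.pid:
            self.current.fpu_state = self.fpu_regs
        self.current = proc
        if not self.lazy:
            # Eager: restore now, so nothing from the old task stays in the registers.
            self.fpu_regs, self.fpu_owner = proc.fpu_state, proc.pid
        # Lazy: registers untouched; the first FPU instruction traps (#NM) and restores.

    def fpu_instruction(self):
        if self.fpu_owner != self.current.pid:   # #NM trap: deferred restore
            self.fpu_regs, self.fpu_owner = self.current.fpu_state, self.current.pid
        return self.fpu_regs

    def stale_contents(self):
        """Register contents that do not belong to the running task (None if none)."""
        return None if self.fpu_owner == self.current.pid else self.fpu_regs

def simulate(lazy):
    cpu = Cpu(lazy)
    victim = Process(1, "victim key material (constructed sample)")
    other = Process(2, "other task's data (constructed sample)")
    cpu.switch_to(victim)
    cpu.fpu_instruction()     # victim uses the FPU, e.g. for a cryptographic routine
    cpu.switch_to(other)
    return cpu.stale_contents()   # lazy: victim's data still present; eager: None

if __name__ == "__main__":
    print("lazy :", simulate(lazy=True))
    print("eager:", simulate(lazy=False))
```

In lazy mode the victim's register contents are still physically present while the other task runs, which is the window the mitigation (eager restore) closes.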
Fortunately, the researchers noted that this vulnerability would be difficult to exploit through a web browser, so its impact is lower than that of previous speculative execution vulnerabilities such as Meltdown. You can read more about the technical aspects of this vulnerability in the Twitter thread by Colin Percival.
Intel has said that this vulnerability has been addressed by operating systems and hypervisor software for many years.
“This problem, known as Lazy FP state restoration, is similar to variant 3a. It has already been addressed for many years by the operating system and hypervisor software used in many clients and data centers. Our industry partners are working on software updates to address this issue for the remaining affected environments and we expect these updates to be available in the coming weeks. We continue to believe in coordinated disclosure and are grateful to Julian Stecklina of Amazon Germany, Thomas Prescher of Cyberus Technology GmbH, Zdenek Sojka of SYSGO AG, and Colin Percival for informing us of this problem. We strongly encourage others in the industry to join in coordinated outreach as well.”
Vendors quick to issue security advisories
Rumors about this bug had been circulating ever since OpenBSD and DragonflyBSD posted patches for the issue. Those advisories indicated that there was a suspected hardware problem related to FPU registers on Intel CPUs, and the projects decided to patch their operating systems proactively.