BCBS
Bounds Check Bypass Store (BCBS) – Spectre 1.1, Spectre 1.2 (CVE-2018-3693)
Published
7 October 2018
Vladimir Kiriansky and Carl Waldspurger discovered that systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side channel analysis. This issue is similar to CVE-2017-5753 with the difference being that CVE-2017-5753 was specific to bypassing the bounds check on a load and this issue pertains to bypassing the bounds check on a store. Intel recommends similar mitigation techniques - utilize lfence as a barrier between bounds check and store to ensure that the bounds check operation completes before the store is executed. Analysis is ongoing to see whether additional code locations require lfence placements. Users should update their systems regularly to ensure that they have the latest security fixes in place. The lfence instruction was added via microcode. Users should ensure that they are utilizing the latest microcode to ensure that side channel remediations are in place.
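The following is an added illustration of the code-level mitigation described above; it is not code from the advisory or from the referenced papers. It shows the unhardened bounds-checked store pattern next to two hardened forms: the lfence barrier between the check and the store that the advisory recommends, and the index-masking approach from the Speculative Load Hardening reference, which clamps the index to a safe value even on a mispredicted path. The buffer size, the function names and the non-x86 fallback (a plain compiler barrier, which does not stop speculation) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <immintrin.h>
/* lfence: later instructions do not execute until earlier ones, including
   the bounds-check branch, have resolved. */
#define SPECULATION_BARRIER() _mm_lfence()
#else
/* Assumed fallback for other architectures: only a compiler barrier, which
   does not prevent speculative execution in hardware. */
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

/* Constructed buffer for the example. */
enum { BUF_LEN = 16 };
static uint8_t buf[BUF_LEN];

/* Unhardened pattern: the CPU may speculatively execute the store with an
   out-of-range index before the comparison has resolved (Spectre 1.1). */
int store_unhardened(size_t idx, uint8_t value) {
    if (idx < BUF_LEN) {
        buf[idx] = value;
        return 1;
    }
    return 0;
}

/* Advisory mitigation: a barrier between the bounds check and the store so
   the store cannot execute until the check has completed. */
int store_hardened(size_t idx, uint8_t value) {
    if (idx < BUF_LEN) {
        SPECULATION_BARRIER();
        buf[idx] = value;
        return 1;
    }
    return 0;
}

/* Alternative from the Speculative Load Hardening reference: derive a mask
   that is all ones when idx < size and all zeros otherwise, without a branch
   that could be mispredicted. Production code (for example the Linux kernel's
   array_index_nospec) implements this in inline assembly so the compiler
   cannot turn the comparison back into a branch. */
size_t index_mask(size_t idx, size_t size) {
    return (size_t)0 - (size_t)(idx < size);
}

/* Index-masking form: architecturally identical to the unhardened version,
   but a speculatively executed store with an out-of-range idx is clamped
   to index 0, which stays inside the buffer. */
int store_masked(size_t idx, uint8_t value) {
    if (idx < BUF_LEN) {
        idx &= index_mask(idx, BUF_LEN);
        buf[idx] = value;
        return 1;
    }
    return 0;
}

/* Bounds-checked read-back used to observe the architectural result. */
int buf_at(size_t idx) {
    if (idx >= BUF_LEN) {
        return -1;
    }
    return buf[idx];
}

int main(void) {
    printf("hardened  in-range  : %d\n", store_hardened(3, 0x41));
    printf("hardened  out-range : %d\n", store_hardened(BUF_LEN, 0x42));
    printf("masked    in-range  : %d\n", store_masked(5, 0x43));
    printf("masked    out-range : %d\n", store_masked(1000, 0x44));
    printf("buf[3]=%d buf[5]=%d\n", buf_at(3), buf_at(5));
    return 0;
}
```

All three store functions behave identically at the architectural level, which is the point: the mitigation changes only what the processor can do transiently, so a test suite cannot distinguish them and the barrier or mask has to be placed deliberately at every bounds-checked store that handles attacker-controlled indices.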
For more information on these issues, please see the following reference documents:
- Intel Analysis of Speculative Execution Side Channels Revision 4.0, Updated July 2018
- Intel Analyzing potential bounds check bypass vulnerabilities
- Intel Speculative Execution Branch Prediction Side Channel and Branch Prediction Analysis Method
- Speculative Buffer Overflows: Attacks and Defenses
- Speculative Load Hardening
Timeline
- 2018 July 10 at 17:00 UTC: the issue is made public