Computer Owners Beware: SmashEx Could Be Used to Take Control of Your System

Threat researchers discover a new vulnerability with Intel processors potentially allowing bad actors to take control of users’ computers and execute malicious commands.

What is SmashEx?

Threat researchers from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense Technology discovered the vulnerability (CVE-2021-0186, CVSS score: 8.2) in May and used it to experiment with a CPU attack called SmashEx. Researchers used it to “corrupt private data housed in the enclave and break its integrity,” The Hacker News stated.

The Hacker News explains the technical details of how the attack works,

“Introduced with Intel’s Skylake processors, SGX (short for Software Guard eXtensions) allows developers to run selected application modules in a completely isolated secure compartment of memory, called an enclave or a Trusted Execution Environment (TEE), which is designed to be protected from processes running at higher privilege levels like the operating system. SGX ensures that data is secure even if a computer’s operating system has been tampered with or is under attack.”

“For normal functioning, the SGX design allows the OS to interrupt the enclave execution through configurable hardware exceptions at any point,” the researchers outlined. “This feature enables enclave runtimes (e.g., Intel SGX SDK and Microsoft Open Enclave) to support in-enclave exception or signal handling, but it also opens up enclaves to reentrancy bugs. SmashEx is an attack which exploits enclave SDKs which do not carefully handle reentrancy in their exceptional handling safely.”

Experts point out that an enclave may also contain Outside Calls or OCALLS that interact with functions outside the trusted zone and then return to the enclave. When this occurs, there is a tiny window of time during which a bad actor could potentially interrupt the flow of information and intercept it, taking control and entering the enclave to gain access to private information.

Using this method, the hacker could potentially corrupt enclave memory leaking sensitive or private data, including credentials, RSA private keys, or other critical information.

The Hacker News warns ‘Since SmashEx affects runtimes that support in-enclave exception handling, the researchers noted that “such OCALL return flow and the exception handling flow should be written with care to ensure that they interleave safely,” and that “when the OCALL return flow is interrupted, the enclave should be in a consistent state for the exception handling flow to progress correctly, and when the exception handling flow completes, the enclave state should also be ready for the enclave to resume.”’

The researchers commented that,

“Asynchronous exception handling is a commodity functionality for real-world applications today, which are increasingly utilizing enclaves. Their research highlights the importance of providing atomicity guarantees at the OS-enclave interface for such exceptions.”

How Has Intel Responded?

Tech companies never enjoy hearing about a vulnerability that some research group has exposed as critical. However, Intel did the right thing and released patches to fix the issue upon hearing about it.

Intel released software updates for SGX SDK versions 2.13 and 2.14 for Windows and Linux, respectively. Microsoft also addressed the issue (CVE-2021-33767) with its July 2021 Patch Tuesday.

How Can Intel Users Stay Safe?

The latest battery of techniques exploited by hackers includes hitting the hardware, which means processor manufacturers like Intel must dramatically improve their firmware making it more secure.

Intel users can stay safe by patching the firmware and keeping all operating systems and software always updated. Watching the news for potential vulnerabilities is also recommended. Other tips include:

• Keep robust antivirus software running on all devices.
• Secure your network and computers with long, strong passwords.
• Never reuse passwords on multiple websites or devices.