The vulnerability resides in the way the memory management unit (MMU), a component of many CPUs, works and leads to bypass the Address Space Layout Randomization (ASLR) protection.
ASLR is a crucial security defense deployed by all modern operating systems from Windows and Linux to macOS, Android, and the BSDs.
In general, ASLR is a memory protection mechanism which randomizes the location where programs run in a device's memory. This, in turn, makes it difficult for attackers to execute malicious payloads in specific spots in memory when exploiting buffer overflows or similar bugs.
In short, for attackers, it's like an attempt to burglarize a house blindfolded.
But now a group of researchers, known as VUSec, from the Vrije University in the Netherlands have developed an attack that can bypass ASLR protection on at least 22 processor micro-architectures from popular vendors like Intel, AMD, ARM, Allwinner, Nvidia, and others.
So, merely visiting a malicious site can trigger the attack, which allows attackers to conduct more attacks targeting the same area of the memory to steal sensitive information stored in the PC's memory.
Here's How the attack works:
MMU, which is present in desktop, mobile and server chips and tasks to map where a computer stores programs in its memory, constantly checks a directory called a page table to keep track of those addresses.
Devices usually store the page table in the CPU's cache which makes the chip speedier and more efficient. But this component also shares some of its cache with untrusted applications, including browsers.
With these location data in hands, any attacker can read portions of the computer's memory, which they could then use to launch more complex exploits, escalate access to the complete operating system, and hijack a computer system.
The VUSec research team have published two research papers [1, 2] detailing the AnC attack, along with two video demonstration showing the attack running in a Firefox browser on a 64-bit Linux machine.
- CVE-2017-5925 for Intel processors
- CVE-2017-5926 for AMD processors
- CVE-2017-5927 for ARM processors
- CVE-2017-5928 for a timing issue affecting multiple browsers
"The conclusion is that such caching behavior and strong address space randomization are mutually exclusive," the paper concludes. "Because of the importance of the caching hierarchy for the overall system performance, all fixes are likely to be too costly to be practical."