Researchers from Graz University of Technology disclosed details about NetSpectre, a new Spectre-class attack that can be exploited over a network. This new strain seems to have a potentially larger impact than previous Spectre vulnerabilities, as it enables attackers to remotely read memory without running any code on the target system.
Ars Technica has some in-depth coverage, but it doesn't seem like NetSpectre is easy to exploit, particularly because it's a very slow attack. This makes it only suitable for high-value targets.
These data rates are far too slow to extract any significant amount of data; even the fastest side channel (AVX2 over the local network) would take about 15 years to read 1 MB of data. They might, however, be sufficient for highly targeted data extraction; a few hundred bits of an encryption key, for example. The cache side channel can be used to leak memory addresses, which in turn can be used to defeat the randomized memory addresses used by ASLR (address space layout randomization). Leaking a memory address to defeat ASLR took about two hours. With this memory address information, an attacker would be able to more easily attack other exploitable flaws of a remote system.
In a statement to the press, Intel downplays the issue:
NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner – through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate. We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, & Stefan Mangard of Graz University of Technology for reporting their research.
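The "code inspection and modification" Intel refers to means finding Bounds Check Bypass gadgets and inserting a speculation barrier. As an added illustration (not code from the paper or from Intel's whitepaper), here is the gadget pattern beside one hardened form that uses a branchless index mask in the style of the Linux kernel's array_index_mask_nospec(); the table names and contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed tables for illustration (not from the paper or Intel's whitepaper). */
#define ARRAY1_LEN 16
uint8_t array1[ARRAY1_LEN] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
uint8_t array2[256 * 64];   /* 64-byte stride: one cache line per possible value */

/* Fill array2 so that array2[v * 64] == v, making results easy to check. */
size_t fill_tables(void) {
    for (size_t i = 0; i < sizeof(array2); i++)
        array2[i] = (uint8_t)(i / 64);
    return sizeof(array2);
}

/* Bounds Check Bypass gadget (CVE-2017-5753 pattern): while the branch is still
 * being resolved, the CPU may speculatively execute the body with an
 * out-of-bounds idx, and the dependent load from array2 leaves a cache
 * footprint that encodes array1[idx]. Architecturally the function is correct. */
uint8_t gadget_unprotected(size_t idx) {
    if (idx < ARRAY1_LEN)
        return array2[array1[idx] * 64];
    return 0;
}

/* Branchless clamp in the style of the Linux kernel's array_index_mask_nospec():
 * all ones when idx < size, zero otherwise. It is computed from the data, not
 * from a predicted branch, so misprediction cannot skip it. */
static inline size_t index_mask_nospec(size_t idx, size_t size) {
    return (size_t)((~(intptr_t)(idx | (size - 1 - idx))) >> (sizeof(size_t) * 8 - 1));
}

/* Same gadget with a speculation-safe index: on a mispredicted branch idx is
 * forced to 0, so only array1[0] can ever be loaded. An lfence right after the
 * check is the other common barrier; the mask avoids its serialization cost. */
uint8_t gadget_hardened(size_t idx) {
    if (idx < ARRAY1_LEN) {
        idx &= index_mask_nospec(idx, ARRAY1_LEN);
        return array2[array1[idx] * 64];
    }
    return 0;
}
```

For in-bounds indices both functions return the same value; the difference is only in what the CPU may touch speculatively, which no functional test can observe.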