New Intel CPU Exploit BoundHook

A new post-intrusion technique, named BoundHook, has been developed targeting all Intel Central Processing Units (CPUs) with the Skylake processor or newer.

Threat ID:: CC-1714
Category:: Exploit
Threat Severity:: Medium
Threat Vector:: Exploit
Published:: 20 October 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A new post-intrusion technique, named BoundHook, has been developed targeting all Intel Central Processing Units (CPUs) with the Skylake processor or newer.

Threat details

This technique allows attackers to exploit the BOUND function calls that pass between software components within the Memory Protection Extension (MPX). Once exploited, the attacker can execute code from any process and bypass antivirus software and other security measures. BoundHook requires access to the device and is only executable with administrative privileges so a privilege escalation exploit must occur beforehand.

BoundHook is similar to the proof-of-concept attack called GhostHook. It is not a vulnerability, but a method to avoid detection on an already compromised machine. There are a number of mitigations available.

Remediation steps

Type	Step
	Administrative accounts should be heavily regulated with little use as possible. Administrative accounts should not be used for day-to-day tasks and only accessed when required. Regular patching of systems should be made. Antivirus and security detection software should be implemented to stop the initial access required for this vulnerability to be exploited.

Last edited: 17 February 2020 11:36 am