Why should tech companies care about double fetch vulnerabilities?

Fintech companies are facing an increasing need to focus on cybersecurity. Whilst cyber-attacks are on the rise and necessitate the constant evolution of cyber-security solutions, very often the issues arise from known vulnerabilities within existing systems.

In this blog we’re exploring double fetch vulnerabilities.

The phrase 'double fetch bug' was first used by Fermin J. Serna in a post on the Microsoft Security and Defense Blog in October 2008, although the bug type had been known about for some time before this.

Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes.

As much of this information is spread across various sources, the whitepaper, draws the knowledge together into a single place, in order to better describe the different types of the vulnerability, how each type occurs, and the appropriate fixes.

There are two broad general types of double fetch vulnerability: those resulting from coding practices and those introduced by compiler optimization, referred to as a 'compiler introduced double fetch' below and in the whitepaper.

The two types of double fetch bug both have the same result, whereby an invariant exists involving two or more variables and one or more of these variables is modified without the invariant being enforced.

Since double fetch bugs can have varying causes, we must consider different solutions for the two different subtypes of double fetch.

  • Double fetch bugs caused from accessing shared memory may be fixed by adding a check against the second fetch, eliminating the second fetch (where practical), or performing the check in a different manner.
  • For compiler-introduced double fetches, the use of volatile variables is one possible solution to the double fetch problem.

In conclusion, double fetch bugs can result in privilege escalation vulnerabilities that can allow an attacker with a low privilege account to execute code with elevated privileges, although the exploitable vulnerabilities are a relatively small subset of these bugs.

To understand how to best protect yourself against these vulnerabilities, click here to access the full whitepaper from NCC.

Opinions

Latest News

May 26, 2021

Paysend Sets Sights on Global Expansion

July 25, 2023

Winners of the Standard Life Innovation Forum announced

June 17, 2021

Protecting your fintech against cyber-crime

August 27, 2018

Blockchain Live 2018

View all news

Categories

News Archives

Related Articles

Critique of the UK’s pro-innovation approach to AI regulation and implications for financial regulation innovation

Article written by Daniel Dao – Research Associate at the Financial Regulation Innovation Lab (FRIL),…
read more

Generative AI in the Context of UK/EU Regulation

The UK Government released its AI White Paper on March 29, 2023, outlining its plans…
read more

Navigating the Tides of Regulatory Risk: Insights from Pinsent Masons’ April 2024 Edition

The April 2024 Edition of the Pinsent Masons' Regulatory Risk Trends offers a deep dive…
read more