New Speculative Execution Attacks Bypass Spectre Mitigations on Intel and AMD CPUs on Linux

October 18, 2024

New speculative execution attacks have been identified that circumvent existing Spectre mitigations on Intel and AMD CPUs running Linux. The vulnerabilities affect Intel's 12th, 13th, and 14th consumer chip generations and the 5th and 6th generation of Xeon server processors, as well as AMD's Zen 1, Zen 1+, and Zen 2 processors. The attacks defeat the Indirect Branch Predictor Barrier (IBPB), a key defense mechanism against speculative execution attacks.

Speculative execution is a feature of modern CPUs designed to enhance performance by executing instructions before it is known whether they will actually be needed. When the prediction is correct, this speeds up execution. Instructions executed on the basis of an incorrect prediction, known as transient instructions, are discarded. This mechanism is a known source of side-channel risk, as in Spectre: even though transient instructions are discarded, they can load sensitive data into the CPU cache, from which it can later be recovered.

Researchers Johannes Wikner and Kaveh Razavi from ETH Zurich have highlighted that despite extensive efforts to mitigate Spectre-like attacks over several years, numerous variants have been found that can bypass existing defenses. They have identified a cross-process attack on Intel and a PB-inception attack on AMD that can hijack speculative return targets even after the application of IBPB, thereby bypassing current protections and potentially leaking sensitive data.

On Intel processors, the attack exploits a flaw in the microcode where the IBPB does not fully invalidate return predictions after a context switch. This allows an attacker to manipulate the speculative execution of return instructions, leading to the potential leakage of sensitive information, such as the root password hash, from a suid process. On AMD processors, the application of IBPB-on-entry in the Linux kernel is flawed, allowing the return predictor to retain stale predictions even after the application of IBPB. An attacker can mistrain the return predictor before the triggering of IBPB, hijacking it to leak privileged kernel memory after the barrier.

The researchers informed Intel and AMD of these vulnerabilities in June 2024. Intel responded by stating that they were already aware of the issue, which they had internally identified and assigned the identifier CVE-2023-38575. Intel released a microcode fix via a firmware update in March, but the researchers noted that the fix has not been rolled out to all operating systems, with Ubuntu being one of them. AMD also acknowledged the vulnerability, which they had previously documented and tracked as CVE-2022-23824. However, AMD classified the issue as a software bug rather than a hardware flaw. The fact that the older architectures were affected and that AMD had known about the bug for some time may explain why the company decided not to issue corrective microcode.

Despite Intel and AMD being aware of the Spectre bypass, the companies only indicated potential impacts in their advisories. The ETH Zurich researchers demonstrated that the attack is effective even on Linux 6.5, which has IBPB-on-entry defenses that are considered the strongest against Spectre exploitation. The research team at ETH Zurich is collaborating with Linux kernel maintainers to develop a patch for AMD processors.
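Because the article notes that IBPB-on-entry can be bypassed and that microcode fixes have not reached every distribution, an administrator's first step is to see what the kernel reports. The following shell script is an added example, not from the article or the researchers: it classifies the kernel's spectre_v2 sysfs line by its "IBPB: <mode>" token and extracts the loaded microcode revision from /proc/cpuinfo. The sysfs path and the "IBPB: conditional" / "IBPB: always-on" wording are the formats Linux uses; the script only reports, since the article gives no fixed microcode revision to compare against.

```shell
#!/bin/sh
# Added example: report the kernel's spectre_v2 mitigation state and the
# loaded microcode revision. It does not decide whether a host is fixed;
# the article names no fixed microcode revision, so that comparison is
# left to the reader's vendor advisory.

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# ibpb_status "<sysfs line>" -> one classification token on stdout.
# Order matters: "Not affected" and "Vulnerable" take precedence over
# any IBPB token that might appear later in the line.
ibpb_status() {
    case "$1" in
        "Not affected"*)        echo not-affected ;;
        Vulnerable*)            echo vulnerable ;;
        *"IBPB: always-on"*)    echo ibpb-always-on ;;
        *"IBPB: conditional"*)  echo ibpb-conditional ;;
        Mitigation*)            echo mitigated-without-ibpb ;;
        *)                      echo unknown ;;
    esac
}

# microcode_revision "<cpuinfo text>" -> first "microcode" value, or "unknown".
# /proc/cpuinfo lines look like "microcode<TAB>: 0x12345678".
microcode_revision() {
    printf '%s\n' "$1" | awk -F': ' '/^microcode/ { print $2; exit }' \
        | grep . || echo unknown
}

# report_host: run the two checks against the live machine.
report_host() {
    if [ -r "$SPECTRE_V2_FILE" ]; then
        line=$(cat "$SPECTRE_V2_FILE")
    else
        line="unknown"
    fi
    printf 'spectre_v2: %s\n' "$line"
    printf 'ibpb: %s\n' "$(ibpb_status "$line")"
    if [ -r /proc/cpuinfo ]; then
        printf 'microcode: %s\n' "$(microcode_revision "$(cat /proc/cpuinfo)")"
    fi
}

# Uncomment to run on the host being checked:
# report_host
```

A result of "mitigated-without-ibpb" means the kernel never engaged the barrier the article discusses, which is a separate problem from the bypass itself.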
