Major Processor Manufacturers Warn of Speculative Vulnerabilities
Written by Karolis Liucveikis on
Even those with the shortest memory spans will remember the saga of the Spectre and Meltdown vulnerabilities discovered in 2018 that impacted the majority of Central Processing Units (CPU) been used at the time. The saga proved a difficult one to fix, especially at the start, when companies were more focused on pointing the finger at each other for who was at fault and what seemed arbitrary requirements were set by companies that hampered anti-virus detection. Now, new vulnerabilities have been discovered and the IT community will look to see if anything was learned when Spectre and Meltdown were news.
In order to effectively patch the vulnerabilities discovered in 2018, software manufacturers applied several software patches to prevent exploitation. Chipmakers, like Intel and Arm, addressed the issues with hardware fixes like the eIBRS from Intel and CSV2 from Arm.
New research published by VUSec shows that the hardware fixes meant to isolate the issue can be bypassed through a process researchers have called Branch History Injection. Researchers noted,
“BHI (or Spectre-BHB) is a revival of cross-privilege Spectre-v2 attacks on modern systems deploying in-hardware defenses. And we have a very neat end-to-end exploit leaking arbitrary kernel memory on modern Intel CPUs to prove it (PoC||GTFO right?). We started asking ourselves if hardware Spectre-v2 mitigations (Intel eIBRS and Arm CSV2) delivered on their promises of isolating different privilege domains in speculative execution land. The answer is “kind of”. They did deliver some isolation, but the isolation is incomplete”
If correctly exploited a threat actor with low privileges on the target system can poison this history to force the OS kernel to mispredict targets that can leak data.
Researchers have provided proof of concept code that shows the successful grabbing of the targeted system's root hashed password on a system vulnerable to the attack.
Intel has responded by issuing two medium vulnerability alerts (), CVE-2022-0001 and CVE-2022-0002 respectively. To mitigate the problem Intel has advised the following,
“Intel recommends that affected Intel Processors disable access to managed runtimes in privileged modes to help prevent managed runtimes from being used as disclosure gadgets, such as unprivileged Extended Berkeley packet filter (eBPF) in kernel mode. Intel has worked with the Linux community to make this option available to all Linux users beginning in the Linux Kernel 5.16 stable version. This option is already available in some Linux distributions. Systems administrators and end users should check with their Linux vendor to determine the status of the operating system version they are using.”
Intel has further published a list of all affected processors as well as technical details related to Branch History Injection (BHI) going into far greater depth than this article.
Arm has also released a statement noting that some of its Cortex and Neo-Cortex line of processors are also susceptible to a BHI attack. Arm has noted that mitigations depend on the user’s CPU and have published a whitepaper detailing what mitigation strategy to apply. The whitepaper has been linked to the statement released by Arm.
Straight-Line-Speculation
In related news security researchers at grsecurity have discovered a new attack method that targets vulnerabilities in AMD processors. In the report published by the researchers, the attack technique has been called straight-line-speculation.
The actual report is highly technical in nature. Fortunately, AMD also published a whitepaper explaining the attack method and how it can be mitigated.
The vulnerability stems from how modern CPUs process information under high workloads without impacting performance negatively. This is done via speculative execution which enables more efficient processing of data. Regarding how this process can be abused to carry out a malicious attack AMD notes,
“This speculative behavior is not limited to loads and can occur with speculative store instructions that can speculatively store information beyond the bounds check memory address. This data can then be speculated on by subsequent load instructions that happen to match the out of bounds address. This store variant adds the possibility of injecting attacker-controlled data into the speculative control flow leading to a potential increased
exposure to speculative gadgets.”
AMD further noted that there are another two software-related techniques that can be used to abuse the speculative execution processes.
All of which AMD has published mitigations for. It was discovered that the new attack method affects many AMD chips based on the Zen1 and Zen2 microarchitectures, including EPYC, Ryzen Threadripper, and Ryzen with integrated Radeon Graphics.
AMD has published a full list of affected processors and users are advised to follow the mitigation strategies published in the subsequent whitepaper. It is also important to note that AD has seen no active exploitations of the vulnerability in the wild and the vulnerability is regarded as medium in terms of severity.
While the flaws discussed in the article above are nowhere near as earth-shattering as Spectre and Meltdown, it does appear that chipmakers have learned from previous mistakes in handling discovered vulnerabilities in their hardware.
All three manufacturers involved not only quickly resolved the flaws discovered by third parties but also published vital information to consumers educating them as to the nature of the flaw and how to mitigate its exploitation.
▼ Show Discussion