This week we got news of a new Specter BHB vulnerability that only affects Intel and Arm processors, but Intel's investigation into these new attack vectors reveals another issue. One of the patches AMD used to fix the Specter vulnerability has been broken since 2018. STORM, Intel's security team, discovered that there was a problem with AMD's mitigation. In response, AMD issued a security bulletin, updated its guidance, recommended the use of alternative methods to mitigate Specter's vulnerabilities, and fixed new issues.
To be on the safe side, the Specter vulnerability allows an attacker to gain undetectable access without being disturbed by the information being processed by the CPU through side-channel attacks that could be exploited remotely. In particular, an attacker can steal passwords and encryption keys, giving them full access to the affected system.
Intel's investigation into AMD's Specter fix begins in a roundabout way. Intel's processors have recently been found to be vulnerable to Spectrev2-based attacks via the new BranchHistoryInjection variant, even though they use the Enhanced Indirect Branch Restricted Speculation (eIBRS). And / or a retoporin mitigation that was thought to prevent further attacks.
Because of the need for a new Specter mitigation approach to patch a wide range of issues, Intel turned to researching alternative mitigation techniques. There are several other options, but they all have different levels of performance trade-offs. According to Intel, ecosystem partners have asked the company to consider using AMD's LFENCE / JMP technology. The "LFENCE / JMP" mitigation is an alternative to retoporin, commonly referred to as "AMD retoporin".
As a result of Intel's investigation, the company found that the mitigations that AMD has used to patch the Specter vulnerability since 2018 are inadequate and the chip is still vulnerable. This issue affects almost all modern AMD processors across almost all Ryzen families of EPYC families of desktop PCs and laptops (2nd to current generations) and data center chips.
In the summary of the paper entitled "You can't always win the competition: LFENCE / JMP mitigation analysis of branch target injection", three people from Intel's STORM security team, Alyssa Milburn, Ke Sun, and Henrique Kawakami. Intel authors are listed. The summary summarizes the bugs that researchers have found fairly concisely.
"LFENCE / JMP is an existing software mitigation option for branch target injection (BTI) and is a similar transient execution attack due to indirect branch prediction commonly used by AMD processors. Efficacy can be compromised by inherent conflicts. Conditions between the speculative execution of the predicted target and the architectural resolution of the target. This creates a window in which the code can be executed temporarily. This task investigates the potential sources of delays that can contribute to such a guess window, indicating that an attacker can "win the competition." Therefore, despite the existence of LFENCE / JMP mitigations, this window may be sufficient to exploit BTI-style attacks against a variety of different x86 CPUs. "
Intel's Strategic Attack Research and Mitigation Group (STORM) is an elite team of hackers trying to hack Intel's own chips. Learn more about.
AMD Security Breaking News
(Image credit: AMD)
In response to the STORM team's findings and dissertation, AMD has issued a security bulletin (AMD-SB-1026) indicating that it is not aware of currently active exploits using the methods described in the dissertation. AMD is also instructing customers to switch to using one of the other published mitigations (V2-1 aka "Generic Retoporin" or V2-4 aka "IBRS"). The company has also published the latest Specter mitigation guidance that reflects these changes [PDF].
AMD commented on this issue to Tom's Hardware: "At AMD, product security is a top priority and we take security threats seriously. AMD is a coordinated vulnerability in the ecosystem, including Intel. We follow gender disclosure practices and strive to respond promptly and appropriately to reports. For the above CVEs, we followed the process by coordinating with the ecosystem and publishing the resulting guidance on our product security website. . "
We asked Intel if other vulnerabilities were found in AMD's processors in the past, or if this was an isolated event. “We invest heavily in vulnerability management and offensive security research to continually improve our products. We also work with researchers and major academic institutions to find and address vulnerabilities. By doing so, we strive to bring out an outside perspective, "replied the company representative. “If we identify an issue that may affect a wider range of industries, we will follow coordinated vulnerability disclosure practices to report potential vulnerabilities to vendors, along with findings and mitigations. Will be released to. "
Security vulnerability obvio
