Security researchers have found new a new way to bypass existing hardware-based defenses for speculative execution in modern computer processors from Intel, AMD, and Arm.
Today, the three CPU manufacturers have published advisories accompanied by mitigation updates and security recommendations to tackle recently discovered issues that allow leaking of sensitive information despite isolation-based protections.
Speculative execution trouble
The speculative execution technique is designed to optimize CPU performance by running some tasks in advance (branch prediction) so the information is available when required.
In 2018, researchers discovered a way to leak information derived from these proactive computations, naming the associated vulnerabilities Meltdown and Spectre.
Since then, vendors have released software-based mitigations such as “Retpoline” that isolate indirect branches from speculative execution. Chipmakers have also addressed the issues with hardware fixes like the eIBRS from Intel and CSV2 from Arm.
Bypassing Spectre fixes
Researchers at VUSec detail in a technical report today a new method to bypass all existing mitigations by leveraging what they call Branch History Injection (BHI).
The paper underlines that while the hardware mitigations still prevent unprivileged attackers from injecting predictor entries for the kernel, relying on a global history to select the targets creates a previously unknown attack method.
A malicious actor with low privileges on the target system can poison this history to force the OS kernel to mispredict targets that can leak data.
To prove their point, the researchers also released a proof of concept (PoC), demonstrating arbitrary kernel memory leak, successfully disclosing the root hash password of a vulnerable system.
Intel responded to this finding by assigning two medium-severity vulnerabilities, CVE-2022-0001 and CVE-2022-0002, and recommending users to disable access to managed runtimes in privileged modes.
For a complete list of mitigation recommendations, check out this dedicated page, while a list of all the affected processor models is available here.
Arm has also published a security bulletin on the issue, as the novel history poisoning attack affects several of its Cortex-A and Neoverse products.
VUsec has prepared a paper on the new BHI attack that will be presented at the 31st USENIX Security Symposium this year.
In parallel news that coincide in disclosure, grsecurity has published the details and a PoC that can leak confidential data from AMD processors via a new straight-line-speculation (SLS) attack method.
This new variant of SLS affects many AMD chips based on the Zen1 and Zen2 microarchitectures, including EPYC, Ryzen Threadripper, and Ryzen with integrated Radeon Graphics.
AMD has published a list of the affected products and also a whitepaper that offers security advice for the medium-severity flaw tracked as CVE-2021-26341.
As of now, AMD has not seen any examples of active exploitation of this security vulnerability in the wild, but it’s still important to apply the recommended mitigations.