New attack methods work against Spectre mitigations in modern PC CPUs
Facepalm: Spectre-based flaws are still causing some security issues in recent Intel and AMD CPUs. A newly developed attack can bypass protection “barriers” OEMs added to avoid personal data leakage. However, microcode and system updates should already be available for affected systems.
Six years ago, security researchers unveiled two new vulnerability categories affecting process execution and data protection on CPUs. Meltdown and Spectre made a considerable splash in generalist and tech-focused media, and the latter is still haunting CPU manufacturers with new “Spectre-class” flaws discovered now and then.
Two researchers at ETH Zurich in Switzerland have exposed a novel attack that can “break” the barriers implemented by Intel and AMD against Spectre-like flaws. The new study focuses on the indirect branch predictor barrier (IBPB), a protection introduced by manufacturers to shield their newer CPUs against Spectre v2 (CVE-2017-5715) and other hardware vulnerabilities of the same type.
The researchers first found a bug in the microcode for 12th-, 13th-, and 14th-gen Intel Core processors and 5th- and 6th-gen Xeon processors that bad actors could use to invalidate IBPB protection. Spectre flaws leak “secret” data filtered through branch prediction – a type of speculative execution used on modern processors to optimize computing processes and gain significant performance advantages.
Unfortunately, an attacker could theoretically bypass IBPB and still try to abuse Spectre to discover root passwords or other sensitive information. Furthermore, AMD Zen and Zen 2 processors have incorrect implementations of the IBPB protection, making it possible for someone to design a Spectre exploit that leaks arbitrary privileged memory contents, like root password hashes. Zen 3 processors could also be vulnerable, although they only discovered a “faint” signal that wasn’t clearly exploitable.
The researchers focused on Spectre exploits working on Linux operating systems since there is no way to obtain Windows or other OS source code. The security team shared details of the security issues with AMD and Intel in June 2024. However, both companies had already discovered the flaws by that time. Chipzilla released a patched microcode in March 2024 (INTEL-SA-00982), and the researchers are now advising PC users to keep their Intel-based systems up-to-date.
Zen + and Zen 2 system owners should also ensure they have the latest updates to the Linux kernel. The company published a security bulletin regarding the IBPB flaw in 2022. The researchers are now working with Linux maintainers to merge their proposed software patch.