Iranian researcher found a dangerous vulnerability in Intel and AMD processors
According to The Register, older Intel and AMD chips are vulnerable to a cyberattack derived from the Spectre security bug, which targets speculative execution. Today's processors use this technique to optimize performance. The investigation shows that the new vulnerability exposes kernel memory even with existing security features enabled, and countering this side-channel attack is expected to cost processor performance.
Johannes Wikner and Kaveh Razavi, researchers at the Swiss Federal Institute of Technology Zurich (ETH Zurich), describe the attack based on this vulnerability in a scientific paper under the name "Retbleed". Retbleed is a new member of the Spectre-BTI (Type II) family of vulnerabilities, the two researchers say. These vulnerabilities stem from speculative execution in processors, and attackers exploit them through branch target injection (BTI).
According to the researchers, Retbleed targets the processor's branch prediction unit: by manipulating this unit, the attacker steers which instructions the processor speculatively executes, and through that mis-steered speculation obtains data that should normally be protected.
In simpler terms, software containing malicious code could theoretically use Retbleed to read memory it is not authorized to access. As a result, malware may obtain information such as operating system kernel data, passwords and cryptographic keys.
Operating systems and applications typically carry many vulnerabilities that help malware achieve its goals, and Retbleed is one such example. Such vulnerabilities can also be combined with social engineering of the user to break into the system. The researchers say that if no action is taken against Spectre and similar security bugs, attackers will probably succeed in exploiting them and mounting dangerous cyber attacks.
If you use a virtual machine on public cloud servers, you should be aware of Retbleed, because, according to security engineers, other tenants of the same cloud server could use Retbleed to read information about the virtual machine or the data inside it.
On the affected Intel processors, an attacker could theoretically extract a quarter of a kilobyte of kernel memory per second; on the affected AMD processors, the rate is four kilobytes per second.
In their paper, Johannes Wikner and Kaveh Razavi say that Retbleed, unlike other attacks based on speculative execution, takes a new route and bypasses some of the current defenses developed against Spectre-BTI. Various methods such as KPTI and Retpoline are used to deal with Spectre-BTI vulnerabilities; the researchers say that because Retbleed relies on return instructions, Retpoline is practically bypassed.
Researchers at ETH Zurich say they discovered Retbleed while studying how the processor's branch prediction unit behaves on indirect branches. Johannes Wikner and Kaveh Razavi found that on Intel processors an attacker can theoretically hijack a specific group of return instructions. For AMD processors, the researchers state plainly that, under the right conditions, all return instructions can be hijacked.
The researchers say AMD's older architectures rely on JMP-based prediction and are vulnerable to the attack. According to Johannes Wikner and Kaveh Razavi, JMP widens Retbleed's attack surface, but exploiting it to launch an attack is more difficult.
Because Retbleed affects older processors, it does not threaten the systems of many users; still, people who use older processors should be careful. According to the researchers, AMD's Zen 1, Zen 1+ and Zen 2 architectures and Intel's 6th to 8th generation processors are vulnerable to the attack. The latest AMD Zen 2 processor launched in 2021 and the latest 8th generation Intel processor in 2019.
Johannes Vikner and Kaveh Razavi say:
Zen 3 processors have been out for a little over a year now, and all processors prior to this architecture are vulnerable. We don't know what percentage of AMD processors are affected by Retbleed at this time, but we think that a huge part of the processors produced by this company are affected by the vulnerability, because the lifespan of servers is usually between three and five years.
The paper by the two ETH Zurich researchers continues:
It's harder to speculate about Intel's Skylake series processors, because these processors were launched a few years ago. Newer Intel processors up to the 12th generation Alder Lake family are also vulnerable to Retbleed via BHI. BHI is another vulnerability discovered earlier this year; of course, exploiting this vulnerability is more difficult.
Both Intel and AMD have made their newer processor architectures more advanced and safer so that such attacks are harder to carry out. The researchers say that eIBRS, which is enabled by default on new Intel processors, makes it very difficult to hijack kernel return instructions. AMD's Zen 3 architecture also places more emphasis on security features.
The researchers also examined Amazon's and Google's virtual machine offerings. They say that Amazon's T3 instances (Intel Xeon Platinum 8000 series, Skylake-SP or Cascade Lake), T3a instances (AMD EPYC 7000), M5 instances (Intel Xeon Platinum 8175M, Skylake) and M5a instances (AMD EPYC 7000) are likely to be vulnerable. Google's N1, N2D, T2D, E2, C2D and M1 virtual machines are also listed as vulnerable.
According to the researchers, the update that fixes Retbleed may reduce processor performance by between 13 and 39 percent. They say that members of the Linux kernel team will likely develop the necessary security patches and make them available to Intel and AMD. The researchers refer to Retbleed on AMD processors as CVE-2022-23816, CVE-2022-23825 and CVE-2022-29900, and on Intel processors as CVE-2022-29901 and CVE-2022-28693.
An Intel representative told The Register that the Windows operating system is resistant to Retbleed because it has the necessary security features enabled by default. Intel and AMD say there is no evidence that attackers have exploited Retbleed. Both companies have detailed the vulnerabilities affecting their processors in dedicated technical advisories.
Johannes Wikner and Kaveh Razavi advise all users to install the latest operating system updates for their devices as soon as they are released. They also recommend that users not store sensitive information in virtual machines hosted on public servers.
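As an added example (not from the article or from the researchers' paper), the following POSIX shell script reads the Linux kernel's own per-issue status files under /sys/devices/system/cpu/vulnerabilities, which is where a kernel carrying the Retbleed fix reports whether the machine is unaffected, mitigated or still vulnerable. The entry names retbleed and spectre_v2 exist in mainline Linux; the quoted status strings illustrate the format, and the SYSFS_VULN_DIR override is an assumption of this script for testing on constructed files.

```shell
#!/bin/sh
# Added example, not part of the article: read the Linux kernel's own verdict on
# Retbleed. Linux exposes one file per speculative-execution issue under
# /sys/devices/system/cpu/vulnerabilities/; the "retbleed" entry was added with the
# kernel fix. Typical contents: "Not affected", "Vulnerable", "Vulnerable: ..." or
# "Mitigation: ..." (for example "Mitigation: Enhanced IBRS" on newer Intel parts).
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_issue NAME [DIR] -> prints "NAME<TAB>class<TAB>raw text"; succeeds (0) only
# when the kernel says the issue does not apply or is mitigated.
report_issue() {
    name="$1"; dir="${2:-$SYSFS_VULN_DIR}"; file="$dir/$name"
    if [ ! -r "$file" ]; then
        # Kernel predates this issue (hence carries no fix for it), or this is not Linux.
        printf '%s\tunknown\t(no %s entry)\n' "$name" "$file"
        return 2
    fi
    raw=$(cat "$file")
    class=$(classify_status "$raw")
    printf '%s\t%s\t%s\n' "$name" "$class" "$raw"
    [ "$class" = not_affected ] || [ "$class" = mitigated ]
}

# The two entries that matter for this article: Retbleed itself, and Spectre v2, whose
# eIBRS/retpoline state decides whether kernel returns can be hijacked at all.
main() {
    rc=0
    for issue in retbleed spectre_v2; do
        report_issue "$issue" || rc=1
    done
    return $rc
}

main "$@" || echo 'WARNING: at least one entry is vulnerable or unknown' >&2
```

Run it on each host or guest after applying the vendor's microcode and the kernel update; an "unknown" result for retbleed means the running kernel is too old to contain the fix at all.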