A research team in Switzerland has found a new variant of the nasty speculative execution vulnerabilities that have plagued some Intel and AMD chips and developed a practical attack that allows an unprivileged attacker to leak sensitive in-memory information from locations it shouldn’t be able to access. . The flaw, known as Retbleed, affects numerous Intel and AMD chips running on machines using any current operating system.
The team that discovered the vulnerability alerted chipmakers several months ago, as well as affected software makers, such as Microsoft, Oracle, Linus and others. Intel and AMD have released patches to address the issue, but the risk remains, as the most severe attack vector is likely through cloud platforms such as Azure, AWS, and Google Cloud Platform, which leverage a massive number of servers. The effect of exploiting Retbleed is similar to that of Meltdown, one of the oldest speculative execution bugs: an attacker could access sensitive data in a processor’s cache.
“I think companies running infrastructure in the cloud can be at risk of cross-tenant attacks. But there may be other attack vectors that I don’t think of. The one we demonstrate is the most obvious case, but other relevant threat models like trusted execution environments,” said ETH Zurich PhD student Johannes Wikner, who authored a paper on Retbleed with Kaveh Rzavi, a computer security professor at the university.
“Because of the degraded performance of many of these systems, companies that allow users to run untrusted code on their infrastructure are likely considering upgrading their hardware or finding ways to avoid running workloads from different clients at the same time on the same machine. These are cloud hosting providers and CI/CD service providers. »
Flaws such as Retbleed, Meltdown, and Specter are related to the way some modern processors execute instructions out of order. Known as speculative execution, this process is designed to speed up computation by guessing which instructions the processor will need to execute, rather than simply following an ordered list of instructions. Vulnerabilities are hard to find and exploit, but successful exploitation is usually invisible to targets. Re-bleeding affects Generation 6-8 Intel processors (CVE-2022-29901) and AMD Families 3pm-6pm (CVE-2022-29900).
“This vulnerability occurs in microprocessors that execute computer program instructions and perform corresponding calculations. In some cases, processors – namely central processing units (CPUs) – also perform special calculations that shorten computing time and speed up the overall computing process,” the researchers said in a statement. advisory.
“We have proven that in this scenario, the security guarantees imposed by the operating system can be violated.”
“In doing so, they leave traces in memory that hackers could exploit to gain unauthorized access to any system information – for example, they could steal encryption keys or security-related passwords. This is especially risky in cloud environments where multiple companies share computer systems.
ETH Zurich researchers looked at several different attack vectors and, in their experiments on Linux systems, assumed that the attacker was an unprivileged user. The attacker would need to know the Linux kernel version running on the target machine and what the microarchitecture of the processor is.
“We have proven that in this scenario, the security guarantees imposed by the operating system can be violated, and the unprivileged user (or attacker) can infer memory from all other programs running on the machine, including the operating system itself,” Wikner said.
“If this security boundary can be violated, then with little change an attacker in the cloud may very well be able to leak arbitrary memory from the cloud host. In that case, they may leak information from other customers who use the same physical machine. In the cloud, our servers share hardware with strangers. Simply put, Retbleed threatens cloud security on top of the demonstrated exploits.”
Some of the previous speculative runtime flaw research has involved theoretical attacks, but ETH Zurich researchers have developed a working attack on Retbleed.
“Side-channel attacks such as retbleed are stealthy in the sense that they do not directly access information but leak it through CPU caches. For vulnerable systems, the impact is comparable to Meltdown,” Wikner said.