New Spectre-v2 vulnerability

Meltdown and Spectre are vulnerabilities in modern computers that can be used to leak passwords and sensitive data. Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer.

The vulnerabilities were found in 2017 by several researches, but were kept secret to give time for CPU and software makers time to try to find fixes to them. Details of Meltdown and Spectre vulnerabilities leaked to the public in the beginning of January 2018 (that was some weeks before planned publication date of the info).

I was active on reporting on those vulnerabilities when they came out. I wrote news article Suorittimissa tietoturvaongelmia – myös ARM-suorittimissa to Uusiteknologia.fi magazine in Finnish (believed to be first news on this topic in Finnish language published in magazine/newspaper). I also immediately wrote to this blog a posting ‘Kernel memory leaking’ Intel processor design flaw.

spectre

Many years have passed, and the original Meltdown and Spectre have been pretty much fixed. When the Spectre vulnerability was found, the most dangerous variant was called Spectre v2 or Spectre BTI (Branch Target Injection). Affected CPU makers, such as Intel and Arm, have been developing hardware mitigations to prevent these types of exploits. Processor makers made fixes to hardware, operating systems were changes how they do certain things and even application software was updated so that they would work safer on somewhat unsafe processor environment (for example web browsers were made to be safer).

Since the disclosure of the Spectre and Meltdown vulnerabilities back in January 2018, researchers have continued looking into the security of processors and they have found several other side-channel attack methods. There has been also some new similar issues found over years, but none of them have been nearly as high deal as the original findings.

Now it seems that Spectre vulnerability has made a quite strong comeback: Spectre V2 vulnerability strikes again in Intel Alder Lake & Arm CPUs. Branch History Injection (BHI), a new flavor of the Spectre-v2 vulnerability that affects both new and old Intel processors and specific Arm models, recently came to light. “The mitigations [implemented by Intel and Arm] work as intended, but the residual attack surface is much more significant than vendors originally assumed,” the researchers explained.

A team of researchers from the Vrije Universiteit Amsterdam in the Netherlands has demonstrated a new Spectre attack variant that can bypass hardware mitigations implemented in recent years by Intel and Arm. VU Amsterdam researchers this week disclosed the details of what they have described as an “extension of Spectre v2.” The new variant, dubbed Branch History Injection (BHI) and Spectre-BHB, bypasses those hardware mitigations. Another slightly different variant uncovered by the researchers is called Intra-mode BTI (IMBTI). Rhey described as a “neat end-to-end exploit leaking arbitrary kernel memory on modern Intel CPUs.”

They have also released a video showing the exploit in action.

VUSec security research group and Intel have revealed another Spectre-class speculative execution vulnerability called branch history injection, or BHI. The new exploit impacts all Intel processors released in the last several years and specific Arm core processors. Intel processors affected include the most recent 12th Gen Core Alder Lake CPUs. BHI is a proof-of-concept attack affecting vulnerable CPUs open to Spectre V2 exploits.

VUSec reports that BHI enables cross-privilege Spectre-v2 exploits, allowing kernel-to-kernel (intra-mode BTI) exploits and permitting attackers to place predictor entries into the global branch prediction history make kernel leak data. The result of the attack leaks arbitrary kernel memory on specific CPUs and could reveal hidden data such as passwords.

Surprisingly, AMD chips have shown no effect from this vulnerability at this time from this vulnerability. AMD processors do not appear to be affected by Spectre-BHB. However, researchers at grsecurity this week disclosed the details of a vulnerability affecting AMD CPUs. The issue, tracked as CVE-2021-26341, is related to speculative behavior of branch instructions, and it can result in data leakage. AMD has published an advisory for CVE-2021-26341, as well as a white paper detailing software techniques for managing speculation on its processors.

Vulnerable processors:

Branch History Injection (BHI), a new flavor of the Spectre-v2 vulnerability that affects both new and old Intel processors and specific Arm models, recently came to light. The new exploit impacts all Intel processors released in the last several years and specific Arm core processors.
Security researchers have found new a new way to bypass existing hardware-based defenses for speculative execution in modern computer processors from Intel, AMD, and Arm. Today, the three CPU manufacturers have published advisories accompanied by mitigation updates and security recommendations to tackle recently discovered issues that allow leaking of sensitive information despite isolation-based protections.

Intel reports that the company’s processors starting with Haswell (introduced in 2013) and spread to the recent Ice Lake-SP and Alder Lake CPUs. Intel processors affected include the most recent 12th Gen Core Alder Lake CPUs. Intel has published an advisory and a technical document describing the new vulnerabilities, which the chipmaker tracks as CVE-2022-0001 and CVE-2022-0002. The flaws have been assigned a severity rating of “medium.” Intel will release a security patch to mitigate the exploit.

Arm cores, such as the company’s Cortex A15, A57, A72, Neoverse V1, N1, and N2, are reported to be affected. The company will also introduce five mitigations for their affected core series. It is currently unknown if custom series, such as the cores from Qualcomm using Arm’s technology, are affected by the new exploit.

Researchers at grsecurity this week disclosed the details of a vulnerability affecting AMD CPUs. The issue, tracked as CVE-2021-26341, is related to speculative behavior of branch instructions, and it can result in data leakage. AMD has published an advisory for CVE-2021-26341, as well as a white paper detailing software techniques for managing speculation on its processors.

Mitigrations:

Client and server machines should not be affected as long as those machines have the installed needed patches.
Security researchers advise disabling unprivileged eBPF support to increase precaution from the attack.

Linux systems have received mitigations for Spectre-BHB / BHI on Intel & Arm-based systems. There were added security measures for AMD systems that could potentially be affected. The Linux community has implemented Intel’s recommendations starting in Linux kernel version 5.16 and is in the process of backporting the mitigation to earlier versions of the Linux kernel.

Intel CPUs Suffer Performance Hit From New Spectre-v2 Mitigations article says that Linux publication Phoronix conducted testing that shows the new BHI mitigations could produce severe performance penalties up to 35%.

It seems that AMD fix takes less CPU power. AMD CPUs See Less Than 10% Performance Drop From Revised Spectre-v2 Mitigations

Sources and links to more material:

Spectre V2 vulnerability strikes again in Intel Alder Lake & Arm CPUs, AMD chips unharmed
https://wccftech.com/spectre-v2-vulnerability-strikes-again-in-intel-alder-lake-arm-cpus-amd-chips-unharmed/

https://www.phoronix.com/scan.php?page=news_item&px=BHI-Spectre-Vulnerability

https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb

https://www.vusec.net/projects/bhi-spectre-bhb/

New Variant of Spectre Attack Bypasses Intel and Arm Hardware Mitigations
https://www.securityweek.com/new-variant-spectre-attack-bypasses-intel-and-arm-hardware-mitigations

https://www.securityweek.com/new-variant-spectre-attack-bypasses-intel-and-arm-hardware-mitigations

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

Arm has published an advisory, as well as an FAQ, a knowledge base article, and a paper describing the vulnerability and mitigations. Arm tracks the Spectre-BHB vulnerability as CVE-2022-23960.
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb
https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before

https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1026

Intel, AMD, Arm warn of new speculative execution CPU bugs
https://www.bleepingcomputer.com/news/security/intel-amd-arm-warn-of-new-speculative-execution-cpu-bugs/

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html.

https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb

The AMD Branch (Mis)predictor Part 2: Where No CPU has Gone Before (CVE-2021-26341)
https://grsecurity.net/amd_branch_mispredictor_part_2_where_no_cpu_has_gone_before

Intel CPUs Suffer Performance Hit From New Spectre-v2 Mitigations
https://www.tomshardware.com/news/intel-cpus-performance-hit-spectre-v2-migitations

AMD CPUs See Less Than 10% Performance Drop From Revised Spectre-v2 Mitigations
https://www.tomshardware.com/news/amd-cpus-see-less-than-10-performance-drop-from-revised-spectre-v2-mitigations

12 Comments

  1. Tomi Engdahl says:

    Linus Torvalds ponders limits of automation as kernel release delayed
    Spectre-like flaw has made an eighth release candidate necessary
    https://www.theregister.com/2022/03/14/linux_5_17_rc8/

    Linux kernel development boss Linus Torvalds’s prediction that Linux 5.17 would be released this week “unless something surprising comes up” has come to pass. Not in the good way.

    The surprise was CVE-2021-26341: some AMD processors were found to have new Spectre-Meltdown-like speculative execution issues. AMD said, due to a design flaw, its processors “may transiently execute instructions following an unconditional direct branch that may result in detectable cache activity.” That is to say, it’s possible to leak or extract data from another thread using cache access as a side channel, a la Spectre and Meltdown.

    While the flaw was rated just 4.7/10 on the CVSS scale and AMD could not find any active exploitation, the chip house warned the problem is present in 14 Ryzen processors and first- and second-gen Epyc silicon for servers.

    The issue was picked up in October 2021 and detailed by Grsecurity, which after disclosure worked to deliver a fix by February 8 but later agreed to an extended deadline of March 8.

    Torvalds said the patches that arrived for the kernel ahead of the March deadline “were mostly fine” and the flaw “was not one of the ‘big disaster’ hw speculation things.” But the embargo meant that automated testing found “a (small) flurry of fixes for the fixes.”

    Release candidate 8 also includes what Torvalds described as “a couple of mislaid patches that had been on the regression list.”

    The signs are therefore very good for a March 20 debut for version 5.17 of the kernel, which lays the groundwork for Intel’s Raptor Lake processors among many other enhancements.

    Reply
  2. Tomi Engdahl says:

    AMD Strategy For Spectre V2 Vulnerability Noted As “Inadequate”, Up To 54% Drop In CPU Performance
    https://wccftech.com/amd-strategy-spectre-v2-vulnerability-inadequate-54-percent-drop-in-cpu-performance/#aoh=16473521807041&referrer=https%3A%2F%2Fwww.google.com&amp_tf=Julkaisija%3A%20%251%24s&ampshare=https%3A%2F%2Fwccftech.com%2Famd-strategy-spectre-v2-vulnerability-inadequate-54-percent-drop-in-cpu-performance%2F

    Intel and Arm processors were hit this last week by the Spectre V2 vulnerability, the Branch History Injection, or BHI. The Spectre exploit originated several years ago, but this new line of mitigation has had a significant effect on the two chip manufacturers. AMD has a much different design to their chips, allowing them to avoid harm this week. However, three security researchers from Intel have recently written a white paper outlining AMD’s chipset having code exposures. In review, AMD has now issued a new security bulletin to reflect the new efficiency for keeping their product safe.

    AMD is moving forward with a “generic” Retpoline approach to fix insufficient procedures to ward off BHI vulnerability
    The initial Spectre and Meltdown flaws discovered in December 2017 outline issues with Intel’s chip designs, which were found by four separate research teams and reported to the leading company around the same time frame.

    Reply
  3. Tomi Engdahl says:

    The Performance Impact Of AMD Changing Their Retpoline Method For Spectre V2
    https://www.phoronix.com/scan.php?page=article&item=amd-retpoline-2022&num=1

    Reply
  4. Tomi Engdahl says:

    Stupid Spectre exploit.

    Linux Kernel 5.17 Delayed by a Week to Tackle Spectre v2 Exploit
    https://news.itsfoss.com/linux-kernel-5-17-spectre-delay/

    With last-minute Spectre fixes, Linux Kernel 5.17 release was delayed while restarting the automated testing process.

    Linux Kernel 5.17 was scheduled to release the previous day (Sunday).

    Unfortunately, (or for better), Spectre V2, another variant of the Spectre vulnerability affecting the processors, was discovered.

    But, what is the Spectre v2 vulnerability affecting the chips? Is it essential for the Linux Kernel 5.17 to include a fix?

    Linux Kernel 5.17 Delayed
    While the fixes for Spectre attacks made their way to the Linux Kernel 5.17, the automation testing in place needs time.

    With the announcement of Linux Kernel 5.17 release candidate 8, Linus Torvalds mentions that the patches were “mostly fine” with some more fixes added. However, it is best to go through all the automated tests to make sure everything’s fine with the release

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*