A way to bypass Spectre protection on Intel and AMD processors has been discovered in Linux.

The latest generations of Intel consumer and server processors, as well as AMD processors on older microarchitectures, are vulnerable to speculative-execution attacks that bypass the existing protections against the Spectre vulnerability.


The new vulnerability affects Intel Core 12th, 13th and 14th generation consumer processors, 5th and 6th generation Xeon server processors, and AMD Zen 1, Zen 1+ and Zen 2 chips. The attack discovered by researchers at ETH Zurich bypasses IBPB (Indirect Branch Predictor Barrier), a mechanism meant to stop branch-predictor state trained in one context from being abused, via speculative execution, in another.

Speculative execution optimizes processor performance by executing instructions before it is known whether they are needed: if the prediction was correct, execution is faster; if it was wrong, the results are discarded. This mechanism underlies Spectre-class attacks: speculatively executed instructions may touch sensitive data, and although their architectural results are discarded, they leave traces in the processor cache that an attacker can measure and use to extract that data.

The Swiss researchers confirmed that the results of speculative execution can still be captured after IBPB has been issued, that is, the existing protection can be bypassed and confidential information leaked; in their demonstration this was the root password hash, extracted from a suid process. On Intel processors, IBPB does not fully invalidate the predictions for function returns, so a mispredicted return can still be exploited after a context switch. On AMD processors, the IBPB-on-entry mode in the Linux kernel is applied incorrectly, so stale return predictions survive the barrier.


The researchers reported their findings to Intel and AMD in June 2024. Intel replied that it had already found the problem itself and had assigned it CVE-2023-38575. Intel had released a microcode update back in March, but, as the researchers found, the update had not reached every operating system; Ubuntu, for example, was still affected.

AMD also confirmed the vulnerability and stated that it had already been documented under CVE-2022-23824. The manufacturer also listed the Zen 3 architecture as affected, which the Swiss researchers had not noted in their work. AMD classified the flaw as a software rather than a hardware issue and, given that it had known about it for a long time and that it affects only older microarchitectures, decided not to release a microcode update to close it.

Thus both manufacturers knew about the bypass, but had documented it only as a potential issue. The Swiss researchers, however, demonstrated that the attack works on Linux 6.5 with IBPB-on-entry, the protection considered most effective against Spectre-class exploits. Since AMD declined to fix it, the researchers contacted the Linux kernel developers with the intention of developing a patch for AMD processors themselves.
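Whether a host is exposed to this bypass depends on whether IBPB is enabled at all, in which mode (the kernel's IBPB-on-entry mode is the one the researchers tested), and on which CPU and microcode revision. The script below is an added example written for this page; it is not code from the ETH Zurich researchers, Intel, AMD or the Linux project. It reads /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities/{spectre_v2,retbleed} and summarises what the kernel reports. The line formats it parses ("Mitigation: <mode>; IBPB: conditional|always-on|disabled; ..." for spectre_v2, and "Mitigation: IBPB" in retbleed when IBPB-on-entry is active) follow arch/x86/kernel/cpu/bugs.c in recent kernels but are an assumption here; the sample lines embedded for offline runs are constructed, not captured from a real machine.

```python
"""Added example: report what the Linux kernel says about the IBPB mitigation.

Assumptions (not taken from the article): sysfs vulnerability lines look like
"Mitigation: <mode>; IBPB: conditional; ..." (spectre_v2) and "Mitigation: IBPB"
(retbleed, meaning IBPB-on-entry), as printed by arch/x86/kernel/cpu/bugs.c.
"""
from pathlib import Path
from typing import Optional

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CPUINFO = Path("/proc/cpuinfo")

# Constructed sample inputs (not real captures) so the script also runs offline.
SAMPLES = {
    "cpuinfo": (
        "processor\t: 0\n"
        "vendor_id\t: AuthenticAMD\n"
        "cpu family\t: 23\n"
        "model\t\t: 113\n"
        "model name\t: (constructed sample)\n"
        "microcode\t: 0x8701021\n"
        "\n"
        "processor\t: 1\n"
        "vendor_id\t: AuthenticAMD\n"
    ),
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; STIBP: always-on; "
                  "RSB filling; PBRSB-eIBRS: Not affected\n",
    "retbleed": "Mitigation: IBPB\n",
}


def parse_cpuinfo(text: str) -> dict:
    """Vendor, family, model (decimal, as /proc/cpuinfo prints them) and
    microcode revision of the first logical CPU block."""
    first_block = text.split("\n\n", 1)[0]
    fields = {}
    for line in first_block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "vendor": fields.get("vendor_id", "unknown"),
        "family": int(fields.get("cpu family", "0")),
        "model": int(fields.get("model", "0")),
        "microcode": fields.get("microcode", "unknown"),
    }


def parse_mitigation_line(line: str) -> dict:
    """Turn 'Mitigation: A; IBPB: conditional; RSB filling' into
    {'status': 'Mitigation', 'mode': 'A', 'IBPB': 'conditional', 'RSB filling': True}.
    'Not affected' / 'Vulnerable' yield status only, with an empty mode."""
    status, _, rest = line.strip().partition(":")
    parts = [p.strip() for p in rest.split(";")] if rest else []
    result = {"status": status.strip(), "mode": parts[0] if parts else ""}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        result[key.strip()] = value.strip() if sep else True
    return result


def ibpb_state(spectre_v2_line: str, retbleed_line: str) -> dict:
    """Summarise whether IBPB is used at all and whether IBPB-on-entry is active.
    Assumption: retbleed 'Mitigation: IBPB' is the kernel's IBPB-on-entry mode."""
    sv2 = parse_mitigation_line(spectre_v2_line)
    rb = parse_mitigation_line(retbleed_line)
    ibpb = sv2.get("IBPB")
    return {
        "spectre_v2_mode": sv2["mode"],
        "ibpb": ibpb if isinstance(ibpb, str) else "not reported",
        "ibpb_on_entry": rb["status"] == "Mitigation" and rb["mode"] == "IBPB",
    }


def report(cpuinfo: str, spectre_v2_line: str, retbleed_line: str) -> dict:
    """Combine CPU identification with the mitigation summary."""
    return {**parse_cpuinfo(cpuinfo), **ibpb_state(spectre_v2_line, retbleed_line)}


def read_live() -> Optional[dict]:
    """Read the real files; None when they are missing (non-Linux, old kernel)."""
    try:
        return report(CPUINFO.read_text(),
                      (VULN_DIR / "spectre_v2").read_text(),
                      (VULN_DIR / "retbleed").read_text())
    except OSError:
        return None


if __name__ == "__main__":
    live = read_live()
    source = "live" if live else "constructed sample"
    r = live or report(SAMPLES["cpuinfo"], SAMPLES["spectre_v2"], SAMPLES["retbleed"])
    print(f"[{source}] {r['vendor']} family {r['family']} model {r['model']} "
          f"microcode {r['microcode']}")
    print(f"  spectre_v2 mode: {r['spectre_v2_mode']}; IBPB: {r['ibpb']}; "
          f"IBPB-on-entry: {r['ibpb_on_entry']}")
```

The files are world-readable, so no root is needed. Read the output in light of the article: on the affected CPU families, "IBPB: conditional" or "IBPB-on-entry: True" tells you the barrier is in use, not that it is effective; for Intel parts, compare the microcode revision against Intel's advisory for CVE-2023-38575, and for Zen 1, Zen 1+ and Zen 2 parts, watch for the kernel-side fix the researchers set out to develop.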
