A new speculative execution attack has been discovered that affects both Intel and AMD processors and can result in an information disclosure vulnerability; it is tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel). There is no information available about active exploitation of this vulnerability. The new Spectre variant (a speculative execution attack) can get through the kernel’s retpoline mitigation and leak arbitrary data. Retpoline is used to manage how the CPU performs speculation when “jmp” and “call” instructions are executed. Under specific microarchitecture-dependent circumstances, an attacker with unprivileged user access can hijack return instructions to perform arbitrary speculative code execution.
Proofs of concept (PoCs) are available, and exploiting this vulnerability is possible when an attack is launched from the local network. The vulnerability is called “Retbleed.” Retpoline provided a software-based mitigation. Intel has published a security bulletin, and AMD has also published a security advisory.
Retbleed attempts to hijack a return instruction in the kernel to execute arbitrary speculative code in the kernel context. The attacker can leak any kernel data if they have enough control over registers and memory at the victim’s return instruction.
The basic idea is to force return instructions to be predicted like indirect branches, essentially eliminating Retpoline’s protections, and to treat return instructions as an attack channel for speculative execution.
- AMD microprocessor families 15h to 18h.
- Intel microprocessor generations 6 (Skylake – 2015) to 8 (Coffee Lake – 2017).
- AMD introduced Jmp2Ret to address this vulnerability.
  - Jmp2Ret is a software-based solution that prevents an attacker-controlled BTB entry from ever being used to predict privileged “ret” instructions, which lessens the risk of BTC-RET.
- Intel advises using enhanced Indirect Branch Restricted Speculation (eIBRS) to address the potential issue, even though Retpoline has addressed this issue.
  - IBRS is pre-installed on Windows systems, so an update is not necessary.
- Retpoline introduced a software-based solution to defend against speculative execution threats by isolating indirect branches via return operations.
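As an added defender-side check (not part of this advisory or any vendor's tooling), the bash script below classifies the Retbleed mitigation status that the Linux kernel reports in sysfs, so the active mitigation (IBRS, eIBRS, the untrained return thunk, or none) can be verified per host rather than assumed from an update having been installed. It assumes the kernel's standard `/sys/devices/system/cpu/vulnerabilities/retbleed` entry (present on kernels that know about Retbleed); the sample strings are constructed to match the kernel's wording, not captured from real hosts.

```bash
#!/bin/bash
# Added example: classify the kernel's Retbleed status line from sysfs.

# classify_retbleed STATUS -> not-affected | mitigated | vulnerable | unknown
classify_retbleed() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# mitigation_name STATUS -> the technique named after "Mitigation:" (the part
# before any ";" suffix such as SMT state), or an empty string if none is active.
mitigation_name() {
    case "$1" in
        "Mitigation:"*) local rest="${1#Mitigation: }"; printf '%s\n' "${rest%%;*}" ;;
        *)              echo "" ;;
    esac
}

# check_host -> reads the live sysfs entry; returns 0 when mitigated or not
# affected, 1 when vulnerable, 2 when the kernel does not expose the entry.
check_host() {
    local f=/sys/devices/system/cpu/vulnerabilities/retbleed
    [ -r "$f" ] || { echo "retbleed: sysfs entry missing (kernel predates Retbleed reporting)"; return 2; }
    local status; status=$(cat "$f")
    echo "retbleed: $status (mitigation: ${status:+$(mitigation_name "$status")})"
    case "$(classify_retbleed "$status")" in
        not-affected|mitigated) return 0 ;;
        *)                      return 1 ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    check_host   # exit status doubles as a fleet-check result
else
    # Constructed sample lines (assumed wording, not captured output) for a dry run.
    for s in "Not affected" "Mitigation: Enhanced IBRS" "Mitigation: IBRS" \
             "Mitigation: untrained return thunk; SMT disabled" \
             "Vulnerable: untrained return thunk; SMT vulnerable" "Vulnerable"; do
        printf '%-55s -> %-12s %s\n' "$s" "$(classify_retbleed "$s")" "$(mitigation_name "$s")"
    done
fi
```

Run with `--live` on a host to check the real sysfs entry; without arguments it only exercises the constructed samples.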
It is strongly recommended to deploy security updates to patch these vulnerabilities at the earliest.
Use SanerNow and keep your systems updated and secure.