{"id":47519,"date":"2022-07-14T10:50:00","date_gmt":"2022-07-14T10:50:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/new-speculative-execution-attack-retbleed-impacts-intel-and-amd-cpus\/"},"modified":"2022-07-14T10:50:00","modified_gmt":"2022-07-14T10:50:00","slug":"new-speculative-execution-attack-retbleed-impacts-intel-and-amd-cpus","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/new-speculative-execution-attack-retbleed-impacts-intel-and-amd-cpus\/","title":{"rendered":"New speculative execution attack Retbleed impacts Intel and AMD CPUs"},"content":{"rendered":"
<\/div>\n

Researchers have discovered a new attack technique that exploits the speculative execution feature of modern CPUs to leak potentially sensitive information from the kernel’s memory. The attack circumvents some of the software defenses some operating systems put in place to prevent previous exploits of this nature.<\/p>\n

The attack, dubbed Retbleed<\/a> by researchers from Swiss university ETH Zurich, works against both Intel and AMD CPUs. On Intel it’s tracked as CVE-2022-29901 and impacts CPU generations 6, 7 and 8 although to different extents and depending on the mitigations used by the operating system. On AMD it’s tracked as CVE-2022-29900 and impacts AMD Zen 1, Zen 1+ and Zen 2 CPUs.<\/p>\n

What is Retbleed?<\/strong><\/h2>\n

Retbleed falls in the same class of attacks as Spectre<\/a>, an attack announced in January 2018 that kicked off several years of academic research into security issues related to speculative execution, a mechanism that modern CPUs use to increase performance. Speculative execution is a CPU feature that uses internal algorithms to attempt to guess in advance the path a program’s execution will take when it will reach a conditional branch in the code. The goal is to execute instructions down the predicted path in advance and store the results, which can include sensitive information, in CPU caches temporarily to serve them when and if the program’s execution flow needs them. If the prediction proves to be incorrect, the results are discarded.<\/p>\n

With the Spectre class of attacks, researchers proved that malicious code can use various techniques to intentionally guide CPUs to execute code paths that would reveal sensitive information and then extract that information from caches using side-channel techniques<\/a>. Since 2018 researchers have discovered many variations of Spectre<\/a>, using different methods to force mispredictions.<\/p>\n

Intel and AMD responded by adding hardware-based mitigations: indirect branch restricted speculation (IBRS) and later enhanced indirect branch restricted speculation (eIBRS) for Intel and CSV2 for AMD. Meanwhile Google researchers proposed a software-based mitigation technique called retpoline<\/a> that was adopted by some operating system and hypervisor vendors.<\/p>\n

“Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions,” the ETH Zurich researchers said in their report. “This means a great deal, since it undermines some of our current Spectre-BTI defenses.”<\/p>\n