Intel CPUs have been subjected to several significant security vulnerabilities in recent years, namely Meltdown and Spectre. Now, the latter has made an appearance once again.
As reported by Tom’s Hardware and Phoronix, security research group VUSec and Intel confirmed the existence of a new speculative execution vulnerability labeled branch history injection (BHI).
Classified as a by-product of Spectre V2, BHI is a proof-of-concept exploit capable of leaking arbitrary kernel memory on Intel CPUs. As a result, sensitive data such as passwords can be extracted. Intel processors released in the past few years, which includes its latest 12th-generation Alder Lake processors, are said to be affected.
Certain ARM silicon have also been found to be vulnerable to the exploit. As for AMD CPUs, security researchers initially found that they remain immune to potential BHI attacks. However, there have been some developments in this area that appear to suggest otherwise.
“The LFENCE-based mitigation is deemed no longer sufficient for mitigating Spectre V2 attacks. Now the Linux kernel will use return trampolines “retpolines” by default on all AMD processors,” Phoronix explained. “Various AMD CPUs have already defaulted to using Retpolines for Spectre V2 mitigations, while now it will be the default across the board for AMD processors.”
Vusec provided further insight into how the exploit can find its way through mitigations that are already in place. While hardware mitigations prevent an attacker from injecting predictor entries for the kernel, they can still make use of a global history in order to select target entries to speculatively execute. “And the attacker can poison this history from Userland to force the kernel to mispredict to more “interesting” kernel targets (i.e., gadgets) that leak data,” the report added.
Intel has published a list of CPUs affected by the exploit, confirming that several generations of chips ranging back to 2013 (Haswell) can be infiltrated, including Coffee Lake, Tiger Lake, Ice Lake, and Alder Lake. Ice Lake servers were also mentioned on the list.
Chips from ARM, including Neoverse N2, N1, V1, Cortex A15, A57, and A72, have all been found to be impacted as well. Depending on the system on a chip, the chip designer is issuing five different mitigations.
Intel is expected to release a software patch to address the new Spectre-based BHI exploit. In the interim, the chipmaker provided Phoronix with a statement on BHI in regard to its impact on Linux systems:
“The attack, as demonstrated by researchers, was previously mitigated by default in most Linux distributions. The Linux community has implemented Intel’s recommendations starting in Linux kernel version 5.16 and is in the process of backporting the mitigation to earlier versions of the Linux kernel.”
When Spectre and Meltdown were originally discovered as a CPU vulnerability in 2018, lawsuits began to be filed against Intel, alleging the company knew about the flaws but kept silent about them while still selling the silicon in question. As pointed out by Tom’s Hardware, by mid-February 2018, a total of 32 lawsuits were filed against Team Blue.
Intel recently introduced an expansion of its existing Bug Bounty program with Project Circuit Breaker, an initiative directed toward recruiting “elite hackers.” Discovering bugs in firmware, hypervisors, GPUs, chipsets, and other areas could result in a financial windfall for participants, with payouts potentially reaching the six-figure range.
