Jump to content
  • Intel, AMD, Arm warn of new speculative execution CPU bugs


    • 3 minutes

    • 3 minutes

    Security researchers have found new a new way to bypass existing hardware-based defenses for speculative execution in modern computer processors from Intel, AMD, and Arm.


    Today, the three CPU manufacturers have published advisories accompanied by mitigation updates and security recommendations to tackle recently discovered issues that allow leaking of sensitive information despite  isolation-based protections.

    Speculative execution trouble

    The speculative execution technique is designed to optimize CPU performance by running some tasks in advance (branch prediction) so the information is available when required. 


    In 2018, researchers discovered a way to leak information derived from these proactive computations, naming the associated vulnerabilities Meltdown and Spectre.


    Since then, vendors have released software-based mitigations such as “Retpoline” that isolate indirect branches from speculative execution. Chipmakers have also addressed the issues with hardware fixes like the eIBRS from Intel and CSV2 from Arm.

    Bypassing Spectre fixes

    Researchers at VUSec detail in a technical report today a new method to bypass all existing mitigations by leveraging what they call Branch History Injection (BHI).


    The paper underlines that while the hardware mitigations still prevent unprivileged attackers from injecting predictor entries for the kernel, relying on a global history to select the targets creates a previously unknown attack method.


    A malicious actor with low privileges on the target system can poison this history to force the OS kernel to mispredict targets that can leak data.


    To prove their point, the researchers also released a proof of concept (PoC), demonstrating arbitrary kernel memory leak, successfully disclosing the root hash password of a vulnerable system.



    Intel responded to this finding by assigning two medium-severity vulnerabilities, CVE-2022-0001 and CVE-2022-0002, and recommending users to disable access to managed runtimes in privileged modes.


    For a complete list of mitigation recommendations, check out this dedicated page, while a list of all the affected processor models is available here.


    Arm has also published a security bulletin on the issue, as the novel history poisoning attack affects several of its Cortex-A and Neoverse products.


    VUsec has prepared a paper on the new BHI attack that will be presented at the 31st USENIX Security Symposium this year.


    In parallel news that coincide in disclosure, grsecurity has published the details and a PoC that can leak confidential data from AMD processors via a new straight-line-speculation (SLS) attack method.


    This new variant of SLS affects many AMD chips based on the Zen1 and Zen2 microarchitectures, including EPYC, Ryzen Threadripper, and Ryzen with integrated Radeon Graphics.


    AMD has published a list of the affected products and also a whitepaper that offers security advice for the medium-severity flaw tracked as CVE-2021-26341.


    As of now, AMD has not seen any examples of active exploitation of this security vulnerability in the wild, but it’s still important to apply the recommended mitigations.



    Intel, AMD, Arm warn of new speculative execution CPU bugs

    • Like 2

    User Feedback

    Recommended Comments

    There are no comments to display.

    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...