Intel Reveals Specter Vulnerability Still Affects AMD

The news of a new Specter BHB vulnerability that only affected processors Intel y Arm surfaced last week, and it appeared that AMD CPUs weren’t vulnerable, but Intel’s research into these new vulnerabilities uncovered another issue, and that is that one of the patches that AMD has used to fix the Specter vulnerabilities hasn’t worked since 2018. Intel and its security team, STORM, found the issue with AMD’s mitigation. In response, AMD issued a security bulletin and updated their guide to recommend using an alternative method to mitigate the Specter vulnerabilities, thus fixing the issue again.

Specter vulnerabilities allow attackers undetectable and unhindered access to information.

Among other things, attackers can steal passwords and encryption keys, giving them full access to an affected system.

Intel’s investigation of AMD’s Specter solution starts in a roundabout way: it was recently discovered that Intel processors are still susceptible to attacks based on Specter v2 via a new variant.

With all this, Intel dedicated itself to studying alternative mitigation techniques. There are several other options, but they all involve different levels of performance degradation. Intel says its partners have asked the company to consider using AMD’s LFENCE/JMP technique. With the mitigation “LFENCE/JMP” a Retpoline alternative commonly known as “AMD’s Retpoline.”.

As a result of Intel’s investigation, the company found that the mitigation that AMD has used since 2018 to patch the Specter vulnerabilities are not enough: the chips are still vulnerable. The issue affects nearly all modern AMD processors spanning nearly the entire Ryzen family for desktop PCs and laptops (2nd generation to current generation) and the EPYC family of data center chips.

INTEL:

The abstract of the article, titled “You Cannot Always Win the Race: Analyzing the LFENCE/JMP Mitigation for Branch Target Injection” ), includes three Intel authors from Intel’s STORM security team: Alyssa Milburn, Ke Sun, and Henrique Kawakami. The abstract summarizes the flaw found by the researchers quite succinctly:

“LFENCE/JMP is an existing software mitigation option for Branch Target Injection (BTI) and similar transient execution attacks derived from indirect branch predictions, which is commonly used on AMD processors. However, the effectiveness of this mitigation can be compromised by the inherent race condition between the speculative execution of the predicted target and the architectural resolution of the intended target, as this can create a window in which code can continue to execute transiently. This paper investigates the potential sources of latency that may contribute to such a speculation window. We demonstrate that an attacker can “win the race”, and thus that this window may still be sufficient to allow exploitation of BTI-style attacks on a variety of different x86 CPUs, despite the presence of the LFENCE/JMP mitigation. .”

AMD:

In response to the STORM team’s discovery and article, AMD issued a security bulletin (AMD-SB-1026) in which he states that he is not aware of any currently active exploits that use the method described in the article. AMD also instructs its customers to switch to using “one of the other released mitigations (V2-1 aka ‘generic retpoline’ or V2-4 aka ‘IBRS’)”. The company has also released updated Specter mitigation guidance reflecting these changes.

“At AMD, product security is a top priority and we take security threats very seriously. AMD follows coordinated vulnerability disclosure practices within the ecosystem, including Intel, and tries to respond quickly and appropriately to reported issues. For the aforementioned CVE, we continue our process by coordinating with the ecosystem and posting our resulting guidance on our product security website.”