Researchers have discovered a new speculative execution attack called Retbleed, which affects both Intel and AMD processors and can result in an information disclosure vulnerability. CVE-2022-29900 is the tracking identifier for AMD, while CVE-2022-29901 is the tracking identifier for Intel. A vulnerability management tool can identify whether systems are exposed to this vulnerability. The new Spectre variant (a speculative execution attack) can bypass the kernel's retpoline mitigation and leak sensitive data. Retpoline controls how the CPU speculates when indirect "jmp" and "call" instructions are executed. Under specific microarchitecture-dependent circumstances, an attacker with unprivileged user access can hijack return instructions to achieve arbitrary speculative code execution.
Attackers can exploit this vulnerability from the local network, and proofs of concept (PoCs) are available. The vulnerability is called "Retbleed." Retpoline provided the earlier software-based mitigation. Intel has published a security bulletin, and AMD has published a security advisory. Patch management software is an effective way to mitigate this vulnerability.
Exploitation Details of Retbleed
Retbleed hijacks a return instruction in the kernel to execute arbitrary speculative code in the kernel context. An attacker who has enough control over registers and memory at the victim's return instruction can leak any kernel data.
The attackers' basic idea is to force return instructions to be predicted like indirect branches, thereby bypassing Retpoline's protections; return instructions become the channel for speculative execution.
Retbleed Affected Versions
- AMD microprocessor families 15h to 18h.
- Intel microprocessor generations 6 (Skylake – 2015) to 8 (Coffee Lake – 2017).
Solution
- AMD introduced Jmp2Ret to address this vulnerability.
Jmp2Ret is a software-based mitigation that prevents an attacker-controlled BTB entry from ever being used to predict privileged "ret" instructions, which reduces the risk of BTC-RET.
- Intel advises using enhanced Indirect Branch Restricted Speculation (eIBRS) to address the issue, even though Retpoline had addressed this issue.
IBRS is already in place on Windows systems, so an update is not necessary.
- Retpoline is a software-based mitigation that defends against speculative execution attacks by isolating indirect branches via return operations.
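As an added example (not part of the original post), the following POSIX shell check reads the mitigation state the Linux kernel reports for Retbleed through sysfs and classifies it for inventory or monitoring; the sysfs path is the kernel's real entry for this issue, and the sample status strings used in the comments are constructed to resemble its output.

```shell
#!/bin/sh
# Classify the Linux kernel's Retbleed status as exposed in sysfs.
# Typical values the kernel writes to this file look like:
#   "Not affected", "Mitigation: untrained return thunk",
#   "Mitigation: Enhanced IBRS", "Vulnerable"  (constructed samples)
RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# classify_retbleed STATUS
# Prints one of: not-affected, mitigated, vulnerable, unknown
classify_retbleed() {
    case "$1" in
        "Not affected") echo not-affected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# mitigation_name STATUS
# Prints the text after "Mitigation: " (e.g. "Enhanced IBRS"), or nothing
mitigation_name() {
    case "$1" in
        Mitigation:*) echo "${1#Mitigation: }" ;;
        *)            echo "" ;;
    esac
}

# check_retbleed [FILE]
# Prints "<classification>|<mitigation>" for the running kernel.
# FILE defaults to the sysfs entry; passing a file eases offline testing.
check_retbleed() {
    f="${1:-$RETBLEED_SYSFS}"
    if [ ! -r "$f" ]; then
        # Kernels that predate the Retbleed fixes have no entry at all,
        # so the state cannot be trusted as mitigated: report unknown.
        echo "unknown|no-sysfs-entry"
        return 0
    fi
    status=$(cat "$f")
    echo "$(classify_retbleed "$status")|$(mitigation_name "$status")"
}
```

A host reporting "vulnerable" or "unknown" is a candidate for the security updates recommended below.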
We strongly recommend deploying security updates to patch these vulnerabilities at the earliest.
Use SanerNow and keep your systems updated and secure.