A research team in Switzerland has found a new variant of the nasty speculative execution vulnerabilities that have plagued some Intel and AMD chips and developed a practical attack that allows an unprivileged attacker to leak sensitive information in memory from locations that they should not be able to access. The flaw, known as Retbleed, affects many Intel and AMD chips running on machines using any current operating system.
The team that discovered the vulnerability alerted the chip manufacturers several months ago, along with affected software makers, such as Microsoft, Oracle, Linux, and others. Intel and AMD have released fixes to address the issue, but the risk remains, as the most serious attack vector is likely through cloud platforms such as Azure, AWS, and Google Cloud Platform, which operate massive numbers of servers. The effect of exploiting Retbleed is similar to that of Meltdown, one of the older speculative execution bugs: an attacker could access sensitive data in a CPU’s cache.
“I think businesses running infrastructure in the cloud may risk cross tenant attacks. But there may exist other attack vectors that I am not thinking of. The one we demonstrate is the most obvious case, but other relevant threat models like Trusted Execution Environments,” said Johannes Wikner, a doctoral student at ETH Zurich, who authored a paper on Retbleed with Kaveh Razavi, a professor of computer security at the university.
“Because of the performance hit on many of these systems, businesses who let users run untrusted code on their infrastructure are probably looking into upgrading their hardware or finding ways to avoid running workloads from different customers at the same time on the same machine. These are Cloud hosting providers and CI/CD service providers.”
Flaws such as Retbleed, Meltdown, and Spectre are related to the way that some modern CPUs execute instructions out of order. Known as speculative execution, this process is designed to speed up computation by guessing which instructions the CPU will need to execute, rather than simply following an ordered list of instructions. The vulnerabilities are difficult to find and exploit, but successful exploitation is typically invisible to targets. Retbleed affects Intel generation 6-8 processors (CVE-2022-29901) and AMD families 15h-18h (CVE-2022-29900).
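Since the fixes the article mentions ship as kernel mitigations, the first thing a Linux administrator wants is a way to confirm which state a host is actually in. The following is an added example, not code from the article or the ETH Zurich researchers; it assumes the kernel exposes Retbleed status under the usual sysfs vulnerabilities directory (path and status-string shapes are assumptions based on the kernel's convention for other speculative execution flaws), and the sample values are constructed.

```shell
#!/bin/sh
# Added example: classify a Linux host's Retbleed mitigation status.
# Assumption: kernels carrying the fix expose
#   /sys/devices/system/cpu/vulnerabilities/retbleed
# containing one of three shapes:
#   "Not affected", "Vulnerable[: detail]", "Mitigation: <name>[; detail]"

RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# classify_retbleed STATUS_LINE
# Prints not_affected | mitigated | vulnerable | unknown.
# Exit status 0 only for not_affected / mitigated, so the function can gate
# a fleet compliance check (e.g. refuse to schedule untrusted tenants).
classify_retbleed() {
    case "$1" in
        "Not affected"*) echo not_affected; return 0 ;;
        "Mitigation:"*)  echo mitigated;    return 0 ;;
        "Vulnerable"*)   echo vulnerable;   return 1 ;;
        *)               echo unknown;      return 1 ;;
    esac
}

# check_host: read the live sysfs entry. A missing file means the running
# kernel predates the Retbleed fix and cannot report on it; that is treated
# as "unknown" (non-zero), never as safe.
check_host() {
    if [ -r "$RETBLEED_SYSFS" ]; then
        classify_retbleed "$(cat "$RETBLEED_SYSFS")"
    else
        echo unknown
        return 1
    fi
}

# Constructed sample values illustrating the three shapes (not captured
# from a real machine).
SAMPLE_MITIGATED="Mitigation: untrained return thunk; SMT enabled with STIBP protection"
SAMPLE_VULNERABLE="Vulnerable: untrained return thunk; objtool not enabled"
SAMPLE_NOT_AFFECTED="Not affected"

# Run against the live host only when asked, so sourcing the file is harmless.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

A "mitigated" result only says the kernel applied its own mitigation; the detail text after the colon (return thunk, IBRS, SMT/STIBP state) tells you which one, and the article's point stands that on multi-tenant hosts the residual risk and the performance cost both need to be weighed.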
“This vulnerability occurs in the microprocessors that execute the instructions of a computer program and perform the corresponding calculations. In some cases, the processors - namely the central processing units (CPU) - also perform special calculations that shorten the computing time and speed up the overall computing process,” the researchers said in an advisory.
“In the process, they leave traces in the memory that hackers could exploit to gain unauthorized access to any information in the system - for example, they could steal encryption keys or security-relevant passwords. This is especially risky in cloud environments where multiple companies share computer systems.”
The ETH Zurich researchers considered several different attack vectors, and in their experiments on Linux systems, assumed that the attacker was an unprivileged user. The attacker would need to know the version of the Linux kernel running on the target machine and what the CPU microarchitecture is.
“We proved that in this scenario the security guarantees imposed by the operating system can be breached, and the unprivileged user (or attacker) can infer memory from all other programs running on the machine including the operating system itself,” Wikner said.
“If this security boundary can be breached then, with few changes, an attacker in the cloud may very well be able to leak arbitrary memory from the cloud host. In this case they may leak information from other customers who happen to use the same physical machine. In the cloud, our servers share hardware with strangers. Simply put, Retbleed threatens cloud security in addition to the demonstrated exploits.”
Some of the research on previous speculative execution flaws has involved theoretical attacks, but the ETH Zurich researchers have developed a working attack on Retbleed.
“Side-channel attacks such as Retbleed are stealthy in the sense that they don't directly access information but leak it through the CPU caches. For vulnerable systems, the impact is comparable to Meltdown,” Wikner said.