AMD, Intel Chips Vulnerable to New 'Retbleed' Spectre Variant

Older AMD and Intel chips are vulnerable to yet another Spectre-based speculative-execution attack that exposes secrets within kernel memory despite defenses already in place. Mitigating this side channel is expected to take a toll on performance.


ETH Zurich computer scientists Johannes Wikner and Kaveh Razavi have dubbed the attack Retbleed, which they describe as an addition to the family of speculative-execution flaws known as Spectre-BTI (variant 2) that can be exploited by branch target injection.


That's a way to abuse a processor's indirect branch predictors to manipulate which operations get speculatively executed after a near indirect branch instruction. Doing so – training the indirect branch predictor – allows an attacker to infer data values that should be kept secret.

In short, rogue software on a machine can exploit Retbleed to obtain passwords, keys, and other secrets from memory it shouldn't have access to, such as operating system kernel data. As with all the Spectre flaws, and offshoots like Hertzbleed, if malware really wants to steal data, there are usually plenty of vulnerabilities in OSes and applications to do just that, or ways of socially engineering the user, without having to manipulate the host processor.

That said, if nothing's done about Spectre et al, maybe one day someone will exploit it in the wild in a meaningful way. Also, if you're running virtual machines in a public cloud, you may want to be aware of this security weakness as information about or in your VM could leak to another customer via Retbleed. Data can be obtained from kernel memory at about a quarter of a kilobyte ..
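For anyone weighing that risk on their own hosts, the practical first step is to find out what the kernel itself reports. The following script is an added example for this page, not code from the article or from the Retbleed researchers; it assumes a Linux kernel recent enough to publish a Retbleed status line at /sys/devices/system/cpu/vulnerabilities/retbleed (a path the article does not name, present on Linux 5.19 and later), and the status strings used in its built-in samples are constructed for illustration, since the exact wording varies between kernel versions.

```shell
#!/bin/sh
# Added example, not from the article: classify the Linux kernel's Retbleed
# mitigation report so a fleet check can act on it.
# Assumed path (not named in the article); present on Linux 5.19+.
RETBLEED_SYSFS="/sys/devices/system/cpu/vulnerabilities/retbleed"

# Constructed sample status lines, one per line, for offline demonstration.
# Real kernels phrase these differently depending on version and CPU.
CONSTRUCTED_SAMPLES='Not affected
Mitigation: untrained return thunk; SMT enabled with STIBP protection
Mitigation: Enhanced IBRS
Vulnerable: untrained return thunk / IBPB on non-AMD based uarch
Vulnerable'

# classify_retbleed_status STATUS_STRING
# Prints one of: not-affected | mitigated | vulnerable | unknown.
# The kernel's prefix is stable even when the detail text changes.
classify_retbleed_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# read_retbleed_status [FILE]
# Prints the raw kernel status string, or "missing" when the file is absent.
# Kernels that predate the mitigation have no such file at all, which is
# itself a useful signal: the kernel has nothing to say about Retbleed.
read_retbleed_status() {
    f="${1:-$RETBLEED_SYSFS}"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "missing"
    fi
}

# check_retbleed [FILE]
# Prints "retbleed: <raw status> (<class>)" and returns 0 only when the host
# reports not-affected or mitigated, so it can gate a CI or inventory job.
check_retbleed() {
    status="$(read_retbleed_status "$1")"
    class="$(classify_retbleed_status "$status")"
    printf 'retbleed: %s (%s)\n' "$status" "$class"
    case "$class" in
        not-affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# demo_constructed_samples
# Runs the classifier over the constructed samples above; prints one
# "<class>	<status>" line per sample so the mapping is visible.
demo_constructed_samples() {
    printf '%s\n' "$CONSTRUCTED_SAMPLES" | while IFS= read -r line; do
        printf '%s\t%s\n' "$(classify_retbleed_status "$line")" "$line"
    done
}

# Only touch the live sysfs file when explicitly asked, so the script is
# safe to source and to run offline.
case "${1:-}" in
    --live) check_retbleed ;;
    --demo) demo_constructed_samples ;;
esac
```

Run `sh retbleed_check.sh --demo` to see the constructed samples classified, or `sh retbleed_check.sh --live` on a Linux host to read the real sysfs line; the exit status of `check_retbleed` is what a configuration-management or inventory job would key on. The classifier deliberately matches only the leading word of each status, because the detail text after "Mitigation:" or "Vulnerable:" is the part that changes most between kernel releases.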