Arm and Intel CPUs vulnerable to a new Spectre-style attack

In a nutshell: BHI is a new type of speculative execution vulnerability affecting most Intel and Arm CPUs that attacks branch global history instead of branch target prediction. Unfortunately, the companies' previous mitigations for Spectre V2 will not protect from BHI, though AMD processors are mostly immune. Security patches should be released soon by vendors, and the Linux kernel has already been patched.

A new Spectre-class speculative execution vulnerability, called Branch History Injection (BHI) or Spectre-BHB, was jointly disclosed on Tuesday by the VUSec security research group and Intel.

BHI is a proof-of-concept re-implementation of the Spectre V2 (or Spectre-BTI) type of attack. It affects any CPU that is also vulnerable to Spectre V2, even if mitigations for Spectre V2 have already been implemented; it can circumvent Intel's eIBRS and Arm's CSV2 mitigations. Those mitigations protect against branch target injection, whereas the new exploit allows attackers to inject predictor entries into the global branch history instead. BHI can be used to leak arbitrary kernel memory, which means sensitive information like passwords can be compromised.

VUSec explained it as follows: "BHI essentially is an extension of Spectre v2, where we leverage the global history to re-introduce the exploitation of cross-privilege BTI. Therefore the attacker primitive is still Spectre v2, but by injecting the history across privilege boundaries (BHI), we can exploit systems that deploy new in-hardware mitigations (I.e., Intel eIBRS and Arm CSV2)."

The vulnerability affects any Intel CPU launched since Haswell, including Ice Lake-SP and Alder Lake. Affected Arm CPUs include Cortex A15/A57/A65/A72/A73/A75/A76/A77/A78/X1/X2/A710, Neoverse N2 / N1 / V1 and the Broadcom Brahma B15.

The CVE ID for Arm is CVE-2022-23960, and Intel is using the IDs CVE-2022-0001 and CVE-2022-0002. Both companies have posted more details about their affected CPUs here (Intel) and here (Arm).

Intel has released the following statement regarding the BHI exploit: "The attack, as demonstrated by researchers, was previously mitigated by default in most Linux distributions. The Linux community has implemented Intel's recommendations starting in Linux kernel version 5.16 and is in the process of backporting the mitigation to earlier versions of the Linux kernel. Intel released technical papers describing further mitigation options for those using non-default configurations and why the LFENCE; JMP mitigation is not sufficient in all cases."

AMD CPUs seem to be immune to BHI. According to Phoronix, team red processors that have defaulted to using Retpolines for Spectre V2 mitigations should be safe.

Security patches from vendors should be released soon. In addition to installing them, researchers recommend disabling unprivileged eBPF support as an additional precautionary measure. Linux has already merged the security updates into its mainline kernel. Whether these security mitigations will impact performance is not yet known.
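For administrators who want to act on the two defender-side points above, the following is an added example (not code from the article, VUSec or Intel) of a small POSIX shell audit: it classifies the kernel's Spectre v2 status line and checks whether unprivileged eBPF is disabled, which is the precaution the researchers recommend. It assumes the standard Linux sysfs path `/sys/devices/system/cpu/vulnerabilities/spectre_v2` and the `kernel.unprivileged_bpf_disabled` sysctl; the function names and the sample status strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit a Linux host for the two
# things the article calls out, the kernel's reported Spectre v2
# mitigation and whether unprivileged eBPF is switched off.
# Assumption: standard sysfs path and sysctl key; override the path via
# SPECTRE_V2_FILE for testing on hosts without the sysfs entry.

SPECTRE_V2_FILE="${SPECTRE_V2_FILE:-/sys/devices/system/cpu/vulnerabilities/spectre_v2}"

# Classify one spectre_v2 sysfs line. Prints exactly one of:
#   not-affected | mitigated | vulnerable | unknown
classify_spectre_v2() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Interpret the value of kernel.unprivileged_bpf_disabled.
# Returns 0 when unprivileged BPF is off (1 = disabled until a reboot
# re-enables nothing, i.e. permanently; 2 = disabled but re-enableable
# by root), 1 for 0 or any unexpected/empty value.
unprivileged_bpf_is_disabled() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run both checks against the live host and print human-readable lines.
audit_host() {
    if [ -r "$SPECTRE_V2_FILE" ]; then
        status=$(cat "$SPECTRE_V2_FILE")
        printf 'spectre_v2: %s (%s)\n' "$(classify_spectre_v2 "$status")" "$status"
    else
        printf 'spectre_v2: sysfs entry not readable on this host\n'
    fi

    bpf=$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null)
    if unprivileged_bpf_is_disabled "$bpf"; then
        printf 'unprivileged eBPF: disabled (value %s)\n' "$bpf"
    else
        printf 'unprivileged eBPF: ENABLED or unknown (value "%s"); to disable:\n' "$bpf"
        printf '  sysctl -w kernel.unprivileged_bpf_disabled=1\n'
    fi
}

# Run the audit when executed directly; set AUDIT_RUN=0 to only load the functions.
[ "${AUDIT_RUN:-1}" = 1 ] && audit_host
```

Note that `classify_spectre_v2` only reports what the kernel itself says about Spectre v2; a kernel predating the backported fix can still report "Mitigation:" while lacking the BHI-specific handling, so the kernel version matters as much as this status line.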

Source code for VUSec's exploit can be found here.


 
I don't know about Apple, but each day I'm more for it or Team Red (when they release Van Gogh in a desktop with windows)
 
This is good news for Intel and any affected ARM manufacturer. It means that a security flaw has been recognised and fixed. Better that it’s found this way than via a malicious attacker.

All CPUs have vulnerabilities, we just don’t know about them all yet.
 
I'm still simply amazed the world carries on - so many viruses, vulnerabilities, browser hacks, rootkits, silly people. Super old Android phones being used.
You'd think 50% of the world would have empty bank accounts, huge credit card bills, etc., and at least 2 persons impersonating them.

Yet that doesn't seem to happen
Like when I was a kid I'd see an advert for, say, Toyota or Honda. They used to say we made 301 new improvements to this year's model / next year they say 221 and so on.
Yet if I got in a 1979 model and drove it, then a 1982 model now with 1200 improvements - I was underwhelmed by the differences.

Maybe one day - a vulnerability will change the world

Yes, when I drive my 1995 Toyota Corolla and then a 2021 model - I notice the difference - the car beeps at me for crossing white lines on the corner, beeps at me as my dog's riding shotgun without a seatbelt. Plus a different key, lots of bling, cameras - which I suppose I can add.
Main diffs - safer (me: only 2 airbags, ABS), much better economy, quieter drive.
Oh, more expensive parts - light bulb - me $3 - new car $100.
Outside petrol, my running costs and repairs are super minimal - can easily get another 200 000km.
 
That article is 5 years old and has nothing to do with the subject in question.
Well, yes and no. After CTS-Labs' 'Ryzenfall' publication one has to ask.
Since Grsecurity were the ones publishing this, I checked to see if they were legit, but search results were not really inspiring trust, so another entity double-checking this would be good.

Either way, this has a CVE number and it's listed at e.g. Red Hat as having moderate impact, same as the flaw mentioned in this article.
