New Spectre bypass impacts Intel and AMD CPUs

Researchers from ETH Zurich disclosed details about a new Spectre variant that bypasses existing security mechanisms, affecting recent Intel and AMD processors running on Linux.

The new bypass is a cross-process Spectre attack that undermines Address Space Layout Randomization (ASLR) and can leak sensitive data, such as the root password hash, from a Set User ID (suid) process on modern Intel CPUs. It compromises key defenses implemented to guard against Spectre-like vulnerabilities.

The vulnerability affects multiple generations of both Intel and AMD processors. For Intel, it targets the 12th, 13th, and 14th generation consumer processors, as well as 5th and 6th generation Xeon server chips. On the AMD side, Zen 1, Zen 1+, and Zen 2 processors are vulnerable.

Spectre attacks exploit speculative execution, a performance optimization where processors preemptively perform calculations that may not be needed.

The new research details how the attacks bypass the Indirect Branch Predictor Barrier (IBPB), a core defense against speculative execution exploits on x86 processors. Intel's processors, in particular, suffer from a microcode flaw that prevents IBPB from fully invalidating return predictions after a context switch, allowing stale predictions to leak sensitive information. The researchers' cross-process attack exploits this flaw to retrieve privileged data, including root password hashes.

On AMD processors, the flaw stems from improper application of IBPB-on-entry within the Linux kernel. This enables attackers to manipulate the return predictor before the IBPB defense is triggered, leaking privileged kernel memory after the barrier.

Both Intel and AMD were informed of the vulnerability in June 2024. Intel said that it had already discovered the issue internally and assigned it the identifier CVE-2023-38575. A microcode fix was released in March 2024, but it has yet to reach all operating systems, with some distributions, such as Ubuntu, still lacking the update.

AMD confirmed the flaw and said that it had already been documented and tracked as CVE-2022-23824. However, the vulnerability persists on affected processors, and further mitigation efforts may be necessary to fully address the risks.
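Because the fix depends on both microcode and kernel updates reaching the host, administrators can inventory what a Linux machine reports about IBPB and its loaded microcode. The following is an added example, not code from the researchers or vendors; it assumes the standard sysfs files `spectre_v2` and `retbleed` under `/sys/devices/system/cpu/vulnerabilities` and the `microcode` field in `/proc/cpuinfo`, and the sample strings in it are constructed.

```python
import re
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

def parse_spectre_v2(line):
    """Return the headline status and the IBPB mode from a spectre_v2 line."""
    # Kernels separate the fields with ';' (newer) or ',' (older).
    fields = [f.strip() for f in re.split(r"[;,]", line.strip()) if f.strip()]
    ibpb = None
    for field in fields:
        if field.startswith("IBPB:"):
            ibpb = field.split(":", 1)[1].strip()
    return {"status": fields[0] if fields else "unknown", "ibpb": ibpb}

def microcode_revisions(cpuinfo_text):
    """Collect the distinct microcode revisions listed in /proc/cpuinfo."""
    return sorted(set(re.findall(r"^microcode\s*:\s*(\S+)", cpuinfo_text, re.M)))

def assess(spectre_v2_line, retbleed_line, cpuinfo_text):
    """Summarise what to compare against the vendor and distribution advisories."""
    v2 = parse_spectre_v2(spectre_v2_line)
    notes = []
    if v2["ibpb"] in (None, "disabled"):
        notes.append("kernel does not report an active IBPB mode")
    if "IBPB" in retbleed_line:
        notes.append("kernel uses IBPB on entry; check for kernel updates")
    revs = microcode_revisions(cpuinfo_text)
    if len(revs) > 1:
        notes.append("cores report different microcode revisions")
    return {"spectre_v2": v2, "microcode": revs, "notes": notes}

# Constructed sample input, not captured from a real machine.
SAMPLE_V2 = "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling"
SAMPLE_RETBLEED = "Mitigation: IBPB"
SAMPLE_CPUINFO = "processor\t: 0\nmicrocode\t: 0x11\nprocessor\t: 1\nmicrocode\t: 0x11\n"

if __name__ == "__main__":
    def read(path, fallback):
        # Fall back to the constructed samples when not running on Linux.
        return path.read_text() if path.exists() else fallback
    print(assess(read(VULN_DIR / "spectre_v2", SAMPLE_V2),
                 read(VULN_DIR / "retbleed", SAMPLE_RETBLEED),
                 read(Path("/proc/cpuinfo"), SAMPLE_CPUINFO)))
```

The script only reports what the kernel states; whether a given microcode revision contains the fix has to be checked against the vendor's advisory for the CVE.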

