New ‘Retbleed’ Speculative Execution Attack Affects AMD and Intel CPUs


Security researchers have discovered yet another vulnerability affecting many older AMD and Intel microprocessors that can be used to circumvent current defenses and enable Spectre-based speculative execution attacks.

Dubbed Retbleed by ETH Zurich researchers Johannes Wikner and Kaveh Razavi, the issues are tracked as CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel), with the chip makers releasing software mitigations as part of a coordinated disclosure process.

Retbleed is also the latest addition to a class of Spectre attacks known as Spectre-BTI (CVE-2017-5715 or Spectre-V2), which exploit the side effects of an optimization technique called speculative execution through a timing side channel to trick a program into accessing arbitrary locations in its memory space and leaking private information.

Speculative execution keeps a program’s instruction pipeline full by predicting which instruction will execute next, gaining performance, while discarding the results of that execution if the guess proves wrong.

Attacks like Spectre take advantage of the fact that these incorrectly executed instructions – the result of a wrong prediction – leave traces in the cache, so a rogue program can trick the processor into executing incorrect code paths and infer secret information about the victim.

In other words, Spectre is an instance of a transient execution attack, which relies on hardware design flaws to influence which instruction sequences are executed speculatively and to leak encryption keys or passwords from the victim’s memory address space.

This in turn is achieved through micro-architectural side channels such as Flush+Reload, which measures the time it takes to read memory from a cache shared with the victim after first flushing part of that shared memory; the read is fast or slow depending on whether the victim accessed the monitored cache line since it was flushed.

While safeguards such as Retpoline (aka “return trampoline”) are designed to prevent branch target injection (BTI), Retbleed is designed to circumvent this countermeasure and achieve speculative code execution.

“Retpolines work by replacing indirect jumps [branches where the branch target is determined at runtime] and calls with returns,” the researchers explained.

“Retbleed aims to hijack a return statement in the kernel to achieve arbitrary speculative code execution in the kernel context. With sufficient control over registers and/or memory in the victim return statement, the attacker could leak arbitrary kernel data.”

The core idea, in a nutshell, is to treat return instructions as an attack vector for speculative execution by forcing returns to be predicted like indirect branches, effectively undoing the protection afforded by Retpoline.

As a new line of defense, AMD has introduced what is referred to as Jmp2Ret, while Intel has recommended using enhanced Indirect Branch Restricted Speculation (eIBRS) to address the potential vulnerability, even where Retpoline mitigations are already in place.

“The Windows operating system uses IBRS by default, so no update is required,” Intel said in an advisory, noting that it was working with the Linux community to make software updates available for the flaw.
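The practical follow-up for a Linux administrator is to confirm what the running kernel reports for these two issues. The script below is an added example, not code from the article or from the researchers; it reads the real sysfs files `/sys/devices/system/cpu/vulnerabilities/retbleed` (present in kernels that carry the Retbleed fix) and `.../spectre_v2`, and classifies their status strings. The `patched`/`unpatched` sample directories are constructed here for offline use and mirror the article's scenario: a host that still relies on Retpolines for Spectre-V2 and reports Retbleed as Vulnerable, beside a host that reports an eIBRS mitigation.

```shell
#!/bin/sh
# Added example (not from the article): summarise the kernel's own
# speculative-execution mitigation status from sysfs. The retbleed and
# spectre_v2 files are real Linux interfaces; the sample values produced
# by make_sample below are constructed for offline use.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities
VULN_NAMES="retbleed spectre_v2"

# Print "<name>: <status>" for each file under $1 (default: live sysfs),
# or "<name>: unknown" when the kernel does not expose that file.
report_vulns() {
    dir="${1:-$VULN_DIR}"
    for name in $VULN_NAMES; do
        if [ -r "$dir/$name" ]; then
            printf '%s: %s\n' "$name" "$(cat "$dir/$name")"
        else
            printf '%s: unknown\n' "$name"
        fi
    done
}

# Classify one status string: "ok" when the kernel reports Not affected or
# a Mitigation, "vulnerable" when it reports Vulnerable, "unknown" otherwise.
classify() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# Return 0 only when every expected file exists and reports ok; a missing
# file counts as a failure, since an old kernel cannot report a fix it lacks.
check_dir() {
    dir="$1"
    rc=0
    for name in $VULN_NAMES; do
        if [ -r "$dir/$name" ]; then
            [ "$(classify "$(cat "$dir/$name")")" = ok ] || rc=1
        else
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree: "patched" mimics a host reporting eIBRS,
# "unpatched" a host still on Retpolines with retbleed left Vulnerable.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/patched" "$d/unpatched"
    echo "Mitigation: Enhanced IBRS"                   > "$d/patched/retbleed"
    echo "Mitigation: Enhanced IBRS, IBPB: conditional" > "$d/patched/spectre_v2"
    echo "Vulnerable"                                   > "$d/unpatched/retbleed"
    echo "Mitigation: Retpolines"                       > "$d/unpatched/spectre_v2"
    echo "$d"
}

# Stand-alone run: report the live host (prints "unknown" where sysfs is absent).
report_vulns
```

Run it as root or any user (the sysfs files are world-readable); `check_dir /sys/devices/system/cpu/vulnerabilities` gives a non-zero exit status suitable for a compliance check, and the exact mitigation wording (for example whether `spectre_v2` mentions IBRS or only Retpolines) is what to compare against the vendor advisories.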