Retbleed, a new speculative execution attack, reportedly affects both Intel and AMD CPUs
Retbleed is a newly disclosed speculative execution attack against processors from both Intel and AMD that can be used to extract sensitive information, including data that belongs to the kernel. It is not a command injection attack and does not run attacker-supplied commands on the host operating system; instead, the attacker abuses the CPU's branch predictor so that the processor transiently executes code that touches secret data, then recovers that data through a cache side channel. Input validation and shell escaping therefore offer no protection: an unprivileged local process that can execute code on the machine is all that is required.
According to the researchers who found it, Retbleed targets return instructions and belongs to the Spectre family of speculative execution attacks, specifically the branch target injection variant (Spectre v2).
In a speculative execution attack the CPU ends up running instructions the program never asked for architecturally: the processor executes ahead of branches whose outcome is not yet known, and when it guessed wrong it discards the results, but the side effects on the cache remain. In Spectre attacks the attacker exploits this by training the branch predictor so that the processor transiently runs a chosen sequence of instructions (a gadget) that reads the victim's sensitive data from memory and leaves a trace of it in the cache, from which the data is then recovered.
Retpoline, a software-based mitigation, reduces exposure to such attacks by replacing indirect branches with return instructions, on the assumption that returns are predicted from the return stack buffer rather than from the branch target buffer that an attacker can poison. An indirect branch is one whose destination is not encoded in the instruction but computed at run time (for example, a call through a function pointer), so the CPU has to predict its target from previously executed branches.
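The retpoline construction itself, as an added example that is not part of the original article or of any vendor's or kernel's code: a hypothetical `retpoline_call` helper that replaces the indirect call in `call_indirect` with the published call/trap/ret sequence. It assumes an x86-64 ELF target with the System V calling convention and falls back to a plain indirect call on anything else so that it still compiles and runs.

```c
#include <stdio.h>

/* Two constructed callee targets for the example. */
static int add_one(int x) { return x + 1; }
static int times_two(int x) { return x * 2; }

typedef int (*target_fn)(int);

/* Plain indirect call. The CPU does not know the target until f has been
 * loaded, so it predicts it from the branch target buffer (BTB), which an
 * attacker on the same core can train with a poisoned target (Spectre v2). */
int call_indirect(target_fn f, int x)
{
    return f(x);
}

#if defined(__x86_64__) && defined(__ELF__)
/* retpoline_call(f, x): transfer to f(x) without executing an indirect branch.
 * Hypothetical helper written for this article; the thunk layout follows the
 * published retpoline sequence. System V convention: f in %rdi, x in %esi. */
__asm__(
    ".text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    "retpoline_call:\n"
    "    mov  %rdi, %rax\n"    /* real target */
    "    mov  %esi, %edi\n"    /* x becomes f's first argument */
    "    call 1f\n"            /* pushes the address of 2:, which the RSB will predict for the ret */
    "2:\n"
    "    pause\n"              /* speculation trap: a transiently executed ret spins here */
    "    lfence\n"
    "    jmp  2b\n"
    "1:\n"
    "    mov  %rax, (%rsp)\n"  /* overwrite the pushed return address with f */
    "    ret\n"                /* architecturally jumps to f; f returns straight to our caller */
    ".size retpoline_call, .-retpoline_call\n"
);
int retpoline_call(target_fn f, int x);
#else
/* Fallback for non-x86-64 or non-ELF builds: no retpoline, just the plain call. */
int retpoline_call(target_fn f, int x) { return f(x); }
#endif

int main(void)
{
    printf("indirect : %d\n", call_indirect(add_one, 41));
    printf("retpoline: %d\n", retpoline_call(add_one, 41));
    printf("retpoline: %d\n", retpoline_call(times_two, 21));
    return 0;
}
```

The `call 1f` pushes the address of the trap loop, which is exactly what the return stack buffer (RSB) will predict as the target of the `ret`, so any transient execution spins on `pause; lfence` instead of following a poisoned BTB entry; only the architectural `ret`, after the return address has been overwritten, reaches `f`. The mitigation holds only as long as the `ret` is predicted from the RSB. Retbleed's contribution is to create conditions (for example RSB underflow on the affected Intel parts) under which the `ret` is predicted from the BTB instead, which is the very predictor retpoline was built to avoid. Note also that the sequence rewrites a return address on the stack, so it cannot be combined with a hardware shadow stack (CET); the Linux kernel uses different thunks when that feature is enabled.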
Researchers at ETH Zurich, describing how they force return instructions to be predicted like indirect branches, said: “We found that we can trigger the microarchitectural conditions, on both AMD and Intel CPUs, that force returns to be predicted like indirect branches. We also built the necessary tools to discover locations in the Linux kernel where these conditions are met. We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user. Even though we cannot access branch targets inside the kernel address-space — branching to such a target results in a page fault — the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it’s to a kernel address.”
They further stated that, by using precise branch history on the affected CPUs, it is possible to hijack return instructions. The researchers have also developed a Retbleed proof of concept (PoC), currently only for Linux.
Retbleed affects Intel Core CPUs from the 6th generation (Skylake, 2015) through the 8th (Coffee Lake, 2017), and AMD Zen 1, Zen 1+ and Zen 2 processors released between 2017 and 2019.