Vendors have started rolling out software updates to respond to the recently disclosed Retbleed speculative execution attack targeting Intel and AMD processors.
Disclosed earlier this week, Retbleed is a new attack technique targeting retpolines (return trampolines), the widely adopted mitigation against the Spectre side-channel attack affecting modern microprocessors.
Retpolines were introduced in 2018 to replace indirect jumps and calls with returns, thereby mitigating the issue where bad branch predictions leaked data to attackers.
This week, however, researchers from the Swiss university ETH Zurich published a paper demonstrating that exploiting retpolines to leak memory was practical and that the attack works on both Intel and AMD processors that have the full Spectre mitigations enabled.
Intel – which tracks the vulnerabilities as CVE-2022-29901 and CVE-2022-28693 – and AMD – which tracks them as CVE-2022-29900 and CVE-2022-23825 – have announced fixes for the bugs, and software vendors have begun to deploy them to their users as well.
Citrix announced fixes for Hypervisor, noting that the bugs “may allow code inside a guest virtual machine to infer the contents of RAM memory elsewhere on the host.” Only systems running Hypervisor on AMD Zen 1 or AMD Zen 2 processors are affected; those running on AMD Zen 3 processors, or on Intel chips with all previous updates installed, are not.
“Citrix has released patches to resolve this issue. Citrix recommends that affected customers install these patches according to their patch schedule. Note that resolving this hardware issue in software may impact the performance of affected processors,” says Citrix.
VMware has confirmed that all four vulnerabilities impact its ESXi hypervisor and that fixes are available for ESXi versions 7.0, 6.7, and 6.5, as well as Cloud Foundation versions 4.x and 3.x.
“A malicious actor with administrative access to a virtual machine can take advantage of various side-channel processor vulnerabilities that could leak information stored in physical memory on the hypervisor or other virtual machines residing on the same host ESXi,” VMware notes.
As part of its Patch Tuesday cycle, Microsoft announced that the latest versions of Windows help mitigate vulnerabilities affecting AMD processors, advising customers to apply the latest software updates and implement additional security features if untrusted users are permitted to run arbitrary code on their systems.
The Xen project also confirmed the impact of the defects affecting AMD’s processors, but only on systems running Zen 2 or earlier microprocessors – systems with AMD Zen 3 and Intel chips are not affected. Xen has announced fixes for stable branches and encourages updating to a stable branch before applying them.
Fedora states that fixes for all four vulnerabilities were included in the Fedora 36 update kernel-5.18.11-200.fc36, which includes stable fixes and “Retbleed fixes planned for kernel 5.18.12”.
SUSE Linux also confirmed the impact of CVE-2022-29900 and CVE-2022-29901 on SUSE Linux Enterprise Desktop, Enterprise Server, Enterprise Server for SAP and Enterprise HPC applications. Patches have been released for some of the affected products, but SUSE is still working on fixing the bugs across its portfolio.
Ubuntu announced that kernel updates are in the works, without offering a specific availability schedule. Red Hat Enterprise Linux versions 6 through 9 are impacted by CVE-2022-29900 and CVE-2022-29901; Red Hat has not offered a release date for the patches, but says Enterprise Linux 6 will remain unpatched.
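For administrators verifying a distribution kernel update, the following is an added example (not taken from the article or from any vendor advisory) of a shell check that reads the Retbleed status a patched Linux kernel reports through sysfs. The function name and result labels are hypothetical, and the status strings in the comments are constructed samples in the style of the kernel's output.

```shell
#!/bin/sh
# Added example: classify the Retbleed status reported by the running kernel.
# Assumption: a kernel carrying the Retbleed fixes exposes a "retbleed" entry
# in the sysfs vulnerabilities directory; an older kernel has no such entry.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# retbleed_status DIR prints exactly one label:
#   no-sysfs                  DIR does not exist (not Linux, or sysfs not mounted)
#   unpatched-kernel          DIR exists but has no readable retbleed entry
#   not-affected              the CPU is reported as not affected
#   mitigated                 a mitigation is active
#   mitigated-smt-vulnerable  mitigation active, sibling threads still exposed
#   vulnerable                the kernel knows the issue, no mitigation active
#   unknown                   unrecognised status line
retbleed_status() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no-sysfs"
        return 0
    fi
    if [ ! -r "$dir/retbleed" ]; then
        # Missing entry: the kernel predates the fix, so update the kernel.
        echo "unpatched-kernel"
        return 0
    fi
    status=$(cat "$dir/retbleed")
    case "$status" in
        "Not affected"*)                 echo "not-affected" ;;
        # e.g. "Mitigation: untrained return thunk; SMT vulnerable"
        "Mitigation:"*"SMT vulnerable"*) echo "mitigated-smt-vulnerable" ;;
        # e.g. "Mitigation: IBRS"
        "Mitigation:"*)                  echo "mitigated" ;;
        "Vulnerable"*)                   echo "vulnerable" ;;
        *)                               echo "unknown" ;;
    esac
}

# Report for the local machine; override VULN_DIR to inspect a copied tree.
echo "retbleed: $(retbleed_status "$VULN_DIR")"
```

A result of `unpatched-kernel` after installing a vendor update usually means the machine has not yet been rebooted into the new kernel.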