Johannes Wikner and Kaveh Razavi of the Swiss university ETH Zurich have detailed a cross-process Spectre attack that defeats Address Space Layout Randomisation (ASLR) and leaks the root password hash out of a set-user-ID (suid) process on recent Intel processors. The pair say they have carried out the attack successfully in practice, not merely in theory.
The Indirect Branch Prediction Barrier (IBPB), a defence against Spectre v2 (CVE-2017-5715) on Intel and AMD x86 chips, is a command the operating system or hypervisor issues when switching between security contexts, such as on a process context switch or a VM exit. Its job is to invalidate indirect branch predictions learned before the barrier so that code running after it cannot be steered by predictions trained by a previous, possibly hostile, context. The researchers found that on the affected parts the barrier does not fully do what it promises.
"We found a microcode bug in the recent Intel microarchitectures — like Golden Cove and Raptor Cove, found in the 12th, 13th and 14th generations of Intel Core processors, and the 5th and 6th generations of Xeon processors — which retains branch predictions such that they may still be used after IBPB should have invalidated them," explained Wikner.
"Such post-barrier speculation allows an attacker to bypass security boundaries imposed by process contexts and virtual machines."
On AMD silicon, Wikner and Razavi were able to leak arbitrary kernel memory from an unprivileged process on a Zen 2 machine. In all, the findings potentially affect Intel Core 12th, 13th and 14th generation processors and 5th and 6th generation Xeon processors, and Linux users on AMD Zen 1(+) and Zen 2 hardware may also be at risk.
Although the researchers reported the issue to the vendors in June 2024, Intel and AMD had each already identified the underlying problem independently. Intel fixed it in a microcode update covered by advisory INTEL-SA-00982 (CVE-2023-38575), released in March 2024. Microcode reaches end users through firmware and operating system updates rather than directly from Intel, so not every affected system will have picked up the fix: Wikner and Razavi noted, "This microcode update was, however, not available in Ubuntu repositories at the time of writing this paper." Ubuntu appears to have since shipped the update.
AMD, for its part, covered the issue in security bulletin AMD-SB-1040 (CVE-2022-23824), published in November 2022, which left it to hypervisor and operating system vendors to develop their own mitigations.
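Since the fix on both vendors' hardware depends on what the kernel and microcode actually do on a given machine, the natural first check is to read the Linux kernel's own report of its Spectre v2 mitigation state and the loaded microcode revision. The script below is an added example written for this article, not code from the researchers or from Intel or AMD. It parses the text of /sys/devices/system/cpu/vulnerabilities/spectre_v2 and /proc/cpuinfo; the sample values embedded in it are constructed, not captured from a real machine. The article gives no microcode revision numbers, so the script deliberately only reports the revision; whether that revision contains the INTEL-SA-00982 fix has to be checked against Intel's or the distribution's release notes.

```shell
#!/bin/sh
# Added example: report the Linux kernel's Spectre v2 / IBPB mitigation state and
# the loaded CPU microcode revision. The functions take file contents as text so
# they can be exercised on a constructed sample; pass --live to read the real files.
# Caveat: this cannot tell whether the microcode contains a given vendor fix.

# ibpb_state SPECTRE_V2_TEXT -> prints always-on | conditional | disabled | unknown
# The kernel appends "; IBPB: <state>" to the spectre_v2 sysfs line when relevant.
ibpb_state() {
    case "$1" in
        *"IBPB: always-on"*)   echo always-on ;;
        *"IBPB: conditional"*) echo conditional ;;
        *"IBPB: disabled"*)    echo disabled ;;
        *)                     echo unknown ;;
    esac
}

# microcode_rev CPUINFO_TEXT -> prints the first "microcode : 0x..." value
microcode_rev() {
    printf '%s\n' "$1" | sed -n 's/^microcode[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# has_ibpb_flag CPUINFO_TEXT -> exit 0 if the first "flags" line lists "ibpb"
has_ibpb_flag() {
    printf '%s\n' "$1" | grep '^flags' | head -n 1 | tr ' ' '\n' | grep -qx ibpb
}

# Constructed sample input (NOT captured from a real machine).
SAMPLE_SPECTRE_V2='Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; PBRSB-eIBRS: SW sequence'
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
model name	: Example CPU (constructed sample)
microcode	: 0x12a
flags		: fpu vme ibrs ibpb stibp ssbd'

# report SPECTRE_V2_TEXT CPUINFO_TEXT -> human-readable summary
report() {
    spectre_v2="$1"
    cpuinfo="$2"
    echo "spectre_v2 : $spectre_v2"
    echo "IBPB       : $(ibpb_state "$spectre_v2")"
    echo "microcode  : $(microcode_rev "$cpuinfo")  (compare against your vendor's release notes)"
    if has_ibpb_flag "$cpuinfo"; then
        echo "ibpb flag  : present"
    else
        echo "ibpb flag  : absent (CPU does not advertise IBPB to the kernel)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    report "$(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null)" "$(cat /proc/cpuinfo)"
else
    report "$SAMPLE_SPECTRE_V2" "$SAMPLE_CPUINFO"
fi
```

Run it with `--live` on the machine of interest. An "IBPB: conditional" or "IBPB: always-on" state shows the kernel is issuing the barrier; it says nothing about whether the barrier behaves correctly, which is precisely the gap the researchers exploited, so the microcode revision still has to be cross-checked against the vendor advisory.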