All New Branch Privilege Injection For Every Intel CPU Since The Coffee Lake Refresh
May 13, 2025


Once Again It’s All About Branch Predictor Race Conditions

AMD and Arm users can rest easy on this one, since CVE-2024-45332 appears to apply only to Intel CPUs.  The problem is that it covers almost every Intel chip currently in use: ninth-generation Core, aka Coffee Lake Refresh, and onward through the current generations.  If that's not bad enough, ETH Zurich researchers Sandro Rüegge, Johannes Wikner, and Kaveh Razavi observed related branch predictor race behaviour on chips as far back as seventh-generation Kaby Lake.

This branch predictor vulnerability is closely related to Spectre V2, hence the name Branch Privilege Injection.  The twist is a race condition: the branch predictor's updates are not kept in step with the privilege level of the instruction that caused them, so an attacker who trains the Branch Target Buffer and Indirect Branch Predictor from user space, ye olde speculative execution flaw, and times that training against a system call into the OS kernel can get the update attributed to kernel mode.  The kernel's own indirect branches then speculate to an attacker-chosen target, which is exactly what the hardware Spectre V2 mitigations (eIBRS and IBPB) were meant to prevent.  Catch the race at the right time and the isolation between user and kernel is broken: a non-privileged user can speculatively run a disclosure gadget inside the kernel and leak privileged memory through the usual cache side channel.

This type of branch prediction attack is not new, but this specific one is, and it is wide reaching.  Hark, there is good news however!  The impact of patching this flaw is nowhere near as horrific as with the original Spectre attacks.  The researchers found that the firmware (microcode) patch costs about 2.7% in performance, while the software mitigations range from 1.6% to 8.3% depending on the CPU.
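Since the fix ships as a microcode update through your system vendor, the practical first step is to find out which Intel part you are running, what microcode revision it currently reports, and what the kernel says about Spectre V2. The script below does that triage on Linux from /proc/cpuinfo and /sys/devices/system/cpu/vulnerabilities. It is an added example, not code from the ETH Zurich researchers, Intel, or the original article; the embedded cpuinfo sample is constructed (its microcode value is made up and says nothing about patched or unpatched), and the script deliberately does not decide which microcode revision fixes CVE-2024-45332, because that is per-platform information that only Intel or the OEM can supply.

```python
"""Triage a Linux host for Branch Privilege Injection (CVE-2024-45332) scope.

Added example, not code from ETH Zurich, Intel, or the article above.
Reads /proc/cpuinfo and the kernel's sysfs vulnerability entries; it does
NOT know which microcode revision is fixed, it only reports what is there.
"""

import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of the first processor block of /proc/cpuinfo, used as
# a fallback when the real file is unavailable. The microcode value is made
# up and carries no meaning about patched or unpatched state.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
model name\t: Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz
stepping\t: 13
microcode\t: 0xf0
"""


def parse_cpuinfo(text):
    """Return vendor/family/model/stepping/microcode of the first logical CPU."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("processor") and fields:
            break  # second processor block reached; first one is enough
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        fields[key] = value
    return {
        "vendor": fields.get("vendor_id", ""),
        "family": int(fields.get("cpu family") or 0),
        "model": int(fields.get("model") or 0),
        "stepping": int(fields.get("stepping") or 0),
        "microcode": fields.get("microcode", ""),
        "model_name": fields.get("model name", ""),
    }


def in_scope(cpu):
    """Coarse triage: the disclosure names only Intel parts, all of them
    family 6 (Kaby Lake through current Core). Non-Intel is out of scope;
    Intel family 6 must be checked against Intel's per-model guidance."""
    if cpu["vendor"] != "GenuineIntel":
        return "out of scope: not an Intel CPU"
    if cpu["family"] != 6:
        return ("Intel family %d is not one of the Core generations named in "
                "the disclosure; defer to Intel guidance" % cpu["family"])
    return ("Intel family 6 model 0x%02x stepping %d, microcode %s: compare "
            "against Intel/OEM guidance for CVE-2024-45332"
            % (cpu["model"], cpu["stepping"], cpu["microcode"] or "unknown"))


def kernel_vuln_status(vuln_dir=VULN_DIR):
    """Collect every sysfs vulnerability string the kernel exposes.
    spectre_v2 is the relevant one; no dedicated BPI entry is assumed."""
    status = {}
    if not os.path.isdir(vuln_dir):
        return status
    for name in sorted(os.listdir(vuln_dir)):
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                status[name] = fh.read().strip()
        except OSError:
            continue  # entry present but unreadable; skip it
    return status


def load_cpuinfo(path="/proc/cpuinfo"):
    """Read the real cpuinfo, falling back to the constructed sample."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return SAMPLE_CPUINFO


def report(cpuinfo_text=None, vuln_dir=VULN_DIR):
    """Return the report lines: CPU name, scope verdict, kernel spectre_v2 status."""
    text = cpuinfo_text if cpuinfo_text is not None else load_cpuinfo()
    cpu = parse_cpuinfo(text)
    status = kernel_vuln_status(vuln_dir)
    return [
        cpu["model_name"] or "unknown CPU",
        in_scope(cpu),
        "spectre_v2: " + status.get("spectre_v2", "sysfs entry not available"),
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as root or not; everything it reads is world-readable. The verdict line is intentionally a pointer to vendor guidance rather than a yes/no, since model and stepping alone cannot tell Coffee Lake from Coffee Lake Refresh, and the fixed microcode revision differs per platform.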

Bleeping Computer has all the sordid details to ruin your day.

Update

Intel has issued an official statement about this variant of Spectre V2.

“We appreciate the work done by ETH Zurich on this research and collaboration on coordinated public disclosure. Intel is strengthening its Spectre v2 hardware mitigations and recommends customers contact their system manufacturer for the appropriate update. To date, Intel is not aware of any real-world exploits of transient execution vulnerabilities.”

You can also learn more in this announcement as well as Intel’s Security Blog.
