The attacks undermine the Indirect Branch Predictor Barrier (IBPB) on x86 processors, a core defense mechanism against speculative execution attacks.
Recent Intel processors, including Xeon server parts, and several older AMD microarchitectures running Linux are vulnerable to new speculative execution attacks that bypass the existing Spectre mitigations. The affected parts are Intel's 12th, 13th and 14th generation Core processors and its 5th and 6th generation Xeon processors, together with AMD's Zen 1, Zen 1+ and Zen 2 processors.
The new attacks are Spectre-class attacks that target the CPU's branch predictors. Spectre attacks typically let an attacker read sensitive data from memory by manipulating how the CPU predicts upcoming branches, so that the victim speculatively executes code the attacker has chosen and leaves traces of the secret in the cache.
In this latest bypass, the researchers found that flaws in the CPU's branch predictor unit (BPU) let an attacker plant branch targets that the victim's speculative execution then follows, even on systems that have applied the Spectre mitigations. The speculatively executed code touches memory in a way that depends on the secret, and the attacker recovers the secret through a cache side channel. This lets bad actors exfiltrate data from applications running on affected processors despite prior mitigations.
Johannes Wikner and Kaveh Razavi of ETH Zurich recently unveiled newly discovered Spectre-like attack variants that bypass existing mitigations. Their work includes two attacks that defeat the indirect branch predictor barrier (IBPB), showing how resilient speculative execution vulnerabilities remain despite ongoing mitigation efforts.
On Intel CPUs the problem lies in the microcode: IBPB does not completely invalidate return predictions after a context switch, so an attacker in one process can steer the speculative execution of return instructions in another process and leak its data across the barrier. The researchers demonstrated this by leaking the hash of the root password from an SUID process.

On AMD processors the fault is instead in how the Linux kernel applied IBPB-on-entry: the return predictor kept stale predictions even after IBPB was supposed to have been issued, so an unprivileged attacker could hijack the kernel's return predictions and read kernel memory.
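As an added practical check (this is not code from the article or from the ETH Zurich researchers), the following POSIX shell script reads the Linux kernel's own mitigation status from sysfs and /proc/cpuinfo and reports whether the host relies on IBPB, and in which mode. The status strings it matches are the ones the kernel prints in its spectre_v2 and retbleed entries; the fallback sample values are constructed, and the script deliberately names no fixed microcode revision or kernel version, since those must come from Intel, AMD and the distribution's advisories.

```shell
#!/bin/sh
# Added example, not code from the article or from the ETH Zurich researchers.
# Reports what the running Linux kernel claims about its Spectre v2 and Retbleed
# mitigations, whether IBPB is part of them, and the CPU vendor and microcode
# revision so they can be compared with the vendors' own advisories.
# The status strings matched below are the ones the kernel emits from
# arch/x86/kernel/cpu/bugs.c; the sample inputs at the bottom are constructed.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print one sysfs vulnerability entry, or "missing" when it cannot be read
# (non-x86 host, old kernel, restricted container).
read_vuln() {
    if [ -r "$VULN_DIR/$1" ]; then
        cat "$VULN_DIR/$1"
    else
        echo "missing"
    fi
}

# Classify the spectre_v2 line by the IBPB policy the kernel reports, e.g.
# "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; RSB filling; ...".
ibpb_policy() {
    case "$1" in
        *"IBPB: always-on"*)   echo "always-on" ;;
        *"IBPB: conditional"*) echo "conditional" ;;
        *"IBPB: disabled"*)    echo "disabled" ;;
        Vulnerable*)           echo "vulnerable" ;;
        "Not affected")        echo "not-affected" ;;
        *)                     echo "unknown" ;;
    esac
}

# Classify the retbleed line. "Mitigation: IBPB" is the retbleed=ibpb mode, i.e.
# IBPB issued on kernel entry, the mechanism the article says the kernel applied
# incorrectly on AMD Zen 1/1+/2.
retbleed_mode() {
    case "$1" in
        "Mitigation: IBPB"*)                   echo "ibpb-on-entry" ;;
        "Mitigation: untrained return thunk"*) echo "unret" ;;
        "Mitigation: Enhanced IBRS"*)          echo "eibrs" ;;
        "Mitigation: IBRS"*)                   echo "ibrs" ;;
        "Mitigation: Stuffing"*)               echo "stuffing" ;;
        "Not affected")                        echo "not-affected" ;;
        Vulnerable*)                           echo "vulnerable" ;;
        *)                                     echo "unknown" ;;
    esac
}

# Extract the first value of a /proc/cpuinfo field ($1) from cpuinfo text ($2).
cpuinfo_field() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# Verdict from the spectre_v2 line ($1), retbleed line ($2) and cpuinfo text ($3).
# It does not state which microcode revision or kernel version fixes the issue:
# take that from the vendor and distribution advisories, not from this script.
assess() {
    vendor=$(cpuinfo_field vendor_id "$3")
    ucode=$(cpuinfo_field microcode "$3")
    echo "vendor=$vendor microcode=$ucode"
    echo "spectre_v2 IBPB policy: $(ibpb_policy "$1")"
    echo "retbleed mode:          $(retbleed_mode "$2")"
    if [ "$vendor" = "GenuineIntel" ]; then
        echo "Intel: IBPB leaving stale return predictions is a microcode defect;"
        echo "       compare $ucode against Intel's microcode release notes."
    elif [ "$vendor" = "AuthenticAMD" ] && [ "$(retbleed_mode "$2")" = "ibpb-on-entry" ]; then
        echo "AMD:   kernel relies on IBPB-on-entry for Retbleed; confirm the kernel"
        echo "       carries the fix for how that barrier is applied."
    fi
}

# Live run: real procfs/sysfs where available, otherwise constructed samples.
if [ -r /proc/cpuinfo ]; then
    CPUINFO=$(cat /proc/cpuinfo)
else
    CPUINFO="vendor_id : AuthenticAMD
microcode : 0x1234"   # constructed placeholder, not a real revision
fi
assess "$(read_vuln spectre_v2)" "$(read_vuln retbleed)" "$CPUINFO"
```

Run it as `sh ibpb_check.sh` on each host. A retbleed mode of `ibpb-on-entry` on an AMD Zen 1/1+/2 box means the kernel is leaning on exactly the barrier the article says was misapplied, and an Intel 12th to 14th generation or 5th/6th generation Xeon host needs its reported microcode revision checked against Intel's release notes; the script only surfaces the state, it does not decide whether the fix is present.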