Retbleed: Specter V2 CPU vulnerability not fully closed

The CVE entries CVE-2022-29900 (for AMD processors) and CVE-2022-29901 (Intel) have been assigned to the retbleed vulnerabilities.

Intel addresses retbleed in the Security Advisories Intel-SA-00702 (Intel Processors Return Stack Buffer Underflow Advisory) and Intel-SA-00707 (Intel Processors RRSBA Advisory, CVE-2022-28693). Intel rates the level of danger as “medium” with a CVSS base score of 4.7.

Specter V2 type

Retbleed uses similar side channels in the CPU microarchitecture as other Specter V2 aka Branch Target Injection (BTI) type vulnerabilities. However, the experts from Switzerland proved that they could also use Retbleed to elicit data from the kernel address space of the working memory of systems with all Anti-Spectre patches.

However, the Proof of Concept (PoC) delivered data at only 219 bytes per second (bytes/s) with an Intel processor of the Coffee Lake generation and would therefore have to run for a very long time to be successful. With an AMD processor with cores from the Zen 2 generation presented in 2019, it was at least 3.9 Kbytes/s.

 

Danger for cloud servers

As the more than 14-page description of the retbleed attack technique shows, it is very complicated. Therefore, like many other Specter attacks, Retbleed probably does not pose an additional threat to typical desktop PCs and notebooks with Windows.

Specter-type side-channel attacks are particularly relevant for cloud servers and for systems that process very sensitive data and are therefore heavily isolated.

Against this background, it is surprising that experts who research such complex security gaps very often use notebooks and desktop PCs with AMD Ryzen and Intel Core i processors intended for private individuals. Also for Retbleed, the only server processor examined was an AMD Epyc 7252 (Rome, Zen 2) and not a single Intel Xeon.