Spectre-type vulnerabilities can still be exploited on many processors, including those that appeared after the Spectre shock.
Spectre-type processor vulnerabilities uncovered in 2018 remain exploitable despite all previous countermeasures. With cleverly crafted return instructions – hence the name Retbleed – it is possible to read fragments of data from supposedly protected memory areas. This is what the security researchers Johannes Wikner and Kaveh Razavi from ETH Zurich found out.
The CVE entries CVE-2022-29900 (for AMD processors) and CVE-2022-29901 (for Intel) have been assigned to the Retbleed vulnerabilities.
Intel addresses Retbleed in the security advisories Intel-SA-00702 (Intel Processors Return Stack Buffer Underflow Advisory) and Intel-SA-00707 (Intel Processors RRSBA Advisory, CVE-2022-28693). Intel rates the severity as "medium" with a CVSS base score of 4.7.
Spectre V2 type
Retbleed uses side channels in the CPU microarchitecture similar to those of other Spectre V2 vulnerabilities, also known as Branch Target Injection (BTI). However, the researchers from Switzerland showed that Retbleed can also be used to extract data from the kernel address space of systems that have all anti-Spectre patches installed.
However, the proof of concept (PoC) delivered data at only 219 bytes per second (bytes/s) on an Intel processor of the Coffee Lake generation and would therefore have to run for a very long time to succeed. On an AMD processor with cores of the Zen 2 generation introduced in 2019, it reached at least 3.9 Kbytes/s.
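A defender-side check, added here as an example and not part of the article or the researchers' work: on Linux the kernel reports its Retbleed mitigation state in sysfs (`/sys/devices/system/cpu/vulnerabilities/retbleed`, next to the `spectre_v2` entry), and this script classifies those entries so a fleet audit can flag hosts that still report "Vulnerable". The `VULN_DIR` override and the classification rules are assumptions of this example, not kernel interfaces.

```shell
#!/bin/sh
# Added example: summarise the kernel's Retbleed / Spectre v2 mitigation state.
# VULN_DIR may be overridden to point at a constructed directory for testing.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS -> prints ok | vulnerable | unknown
# The kernel strings start with "Not affected", "Mitigation:", "Vulnerable"
# or "Unknown:"; anything else (or a missing entry) is treated as unknown.
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo ok ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# read_status NAME -> prints the sysfs entry, or "missing" when the kernel
# does not expose it (older kernels predate the retbleed entry).
read_status() {
    f="$VULN_DIR/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# check_retbleed -> returns 0 only if both entries report a mitigation or
# "Not affected"; prints one line per entry for the audit log.
check_retbleed() {
    rc=0
    for name in retbleed spectre_v2; do
        status=$(read_status "$name")
        class=$(classify_status "$status")
        printf '%-10s %-10s %s\n' "$name" "$class" "$status"
        [ "$class" = ok ] || rc=1
    done
    return $rc
}
```

Source the file and call `check_retbleed`; its non-zero exit status makes it usable as a compliance check in a fleet-wide job.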
Danger for cloud servers
As the description of the Retbleed attack technique, which runs to more than 14 pages, shows, it is very complicated. Therefore, like many other Spectre attacks, Retbleed probably does not pose an additional threat to typical desktop PCs and notebooks running Windows.
Spectre-type side-channel attacks are particularly relevant for cloud servers and for systems that process very sensitive data and are therefore strongly isolated.
Against this background, it is surprising that experts who research such complex security gaps very often use notebooks and desktop PCs with AMD Ryzen and Intel Core i processors intended for private individuals. For Retbleed too, the only server processor examined was an AMD Epyc 7252 (Rome, Zen 2) and not a single Intel Xeon.