AMD Warns of New Meltdown, Spectre-Like Bugs Affecting CPUs
AMD is warning users of a newly discovered form of side-channel attack affecting a broad range of its chips that could lead to information disclosure.
Akin to Meltdown and Spectre, the Transient Scheduler Attack (TSA) comprises four vulnerabilities that AMD said it discovered while looking into a Microsoft report about microarchitectural leaks.
The four bugs do not appear too venomous at face value – two have medium-severity ratings while the other two are rated “low.” However, the low-level nature of the exploit’s impact has nonetheless led Trend Micro and CrowdStrike to assess the threat as “critical.”
The reason for the low severity scores is the high degree of complexity involved in a successful attack – AMD said it could only be carried out by an attacker able to run arbitrary code on a target machine.
It affects AMD processors (desktop, mobile and datacenter models), including 3rd gen and 4th gen EPYC chips – the full list is in AMD's advisory.
From AMD:
An attacker would need local access to the machine, either through a piece of malware or a malicious VM, but the attacks require only low privileges to succeed.
In AMD’s view, the TSAs affecting its chips are not exploitable via malicious websites, and would need to be executed many times in order to reliably exfiltrate any data.
This is because the attack hinges on false completions, which occur when CPUs expect load instructions to complete quickly but a condition prevents them from completing successfully.
Since the load did not complete, the data associated with that load could be forwarded to dependent operations, potentially affecting the timing of instructions being executed by the CPU in a way that attackers could see.
In the worst-case scenarios enabled by the two medium-severity vulnerabilities, successful attacks on AMD chips could lead to information leakage of the OS kernel. Other scenarios could see applications or VMs leaking data too.
The low-severity bugs could lead to internal CPU operational details being leaked, a type of data AMD doesn’t deem to be sensitive.
Access to kernel data could potentially allow attackers to escalate privileges, bypass security mechanisms, establish persistence, and more. AMD’s technical report is here [PDF].
Double trouble
AMD said there are two different TSA variants that can feasibly be executed on its chips. It calls them TSA-L1 and TSA-SQ because they refer to side-channel attacks that can infer data from the L1 cache and CPU store queue respectively.
According to AMD’s technical documentation [PDF] about its findings, TSA-L1 vulnerabilities are caused by an error in the way the L1 cache uses microtags for lookups. The CPU may believe data is in the cache when in fact it isn’t, leading to incorrect data being loaded, which an attacker could then infer.
TSA-SQ vulnerabilities arise when a load instruction erroneously retrieves data from the store queue when the required data isn’t available. In this case, the incorrect data can be detected by an attacker and used to infer data, such as that from the OS kernel, from previously loaded stores, even if they were executed in a different context.
Patch galore
The range of chip series affected by the TSAs is fairly extensive, covering both consumer and enterprise-grade systems.
The full list can be viewed via AMD’s advisory but at a high level, EPYC, Ryzen, Instinct, and Athlon-series chips should be updated.
Sysadmins should update to the latest Windows builds to protect against these TSAs, AMD advised. There is a mitigation that involves a VERW instruction, but AMD says this may impact system performance, so deciding which remediation route to take will require a risk-reward assessment from each admin.
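For fleets that also include Linux hosts, which the article does not cover, the following added example (not code from AMD or from this article) classifies a host's reported TSA mitigation state for an audit. It assumes the kernel exposes the status at the sysfs path shown and words it with the usual "Not affected" / "Vulnerable" / "Mitigation:" prefixes; the function names and exit codes are hypothetical.

```shell
#!/bin/sh
# Added example: classify a Linux host's TSA mitigation status.
# Assumption: the kernel reports TSA under the sysfs path below, as kernels
# carrying the TSA mitigation do; older kernels have no such file.
TSA_SYSFS="${TSA_SYSFS:-/sys/devices/system/cpu/vulnerabilities/tsa}"

# tsa_classify [FILE] prints one of:
#   unknown-kernel not-affected needs-microcode vulnerable
#   partial mitigated unrecognised
tsa_classify() {
    file="${1:-$TSA_SYSFS}"
    # No file: the kernel predates TSA reporting, so nothing can be concluded.
    [ -r "$file" ] || { echo unknown-kernel; return 0; }
    # Read the single status line (tolerate a missing trailing newline).
    IFS= read -r status < "$file" || [ -n "$status" ] || status=""
    case "$status" in
        "Not affected"*)        echo not-affected ;;
        # Kernel fix present but the CPU microcode update is missing.
        Vulnerable*microcode*)  echo needs-microcode ;;
        Vulnerable*)            echo vulnerable ;;
        # Assumption: a status naming one boundary (user/kernel or VM)
        # means buffer clearing was restricted to that boundary.
        Mitigation:*boundary*|Mitigation:*VM*) echo partial ;;
        Mitigation:*)           echo mitigated ;;
        *)                      echo unrecognised ;;
    esac
}

# tsa_exit_code [FILE] returns 0 when no action is needed, 1 when the host
# needs patching, 2 when a human should review (partial or unknown state).
tsa_exit_code() {
    case "$(tsa_classify "$1")" in
        not-affected|mitigated)     return 0 ;;
        needs-microcode|vulnerable) return 1 ;;
        *)                          return 2 ;;
    esac
}

# Report the local host's state when run directly.
tsa_classify "$TSA_SYSFS"
```

A "partial" result is sent to review rather than failed outright because restricting the buffer clearing to one boundary can be a deliberate choice in the performance trade-off the article describes.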
The good news is that not only are these kinds of attacks difficult to pull off, typically reserved only for the most well-resourced groups, but there is no known exploit code available anywhere, according to Microsoft.