LTS Secure Warning: New SpectreRSB Vulnerability Evades Patches

SpectreRSB exploits a feature found in all modern CPUs called “speculative execution”, whose primary function is to improve performance by computing operations in advance and later discarding results that turn out not to be needed.

Technical Details

SpectreRSB recovers data from the speculative execution process by targeting a specific CPU component involved in this “speculation” process, namely the Return Stack Buffer (RSB).

In the overall architecture of a CPU, the RSB is a component involved in the speculative execution routine: it predicts the return address of an operation the CPU is trying to compute in advance, as part of its “speculation.”

UCR researchers said they could pollute the RSB to control the return address and poison a CPU’s speculative execution routine. Because the RSB is shared among hardware threads that execute on the same virtual processor, this pollution enables inter-process, and even inter-VM, pollution of the RSB.

Impact

“Importantly, none of the known defenses including Retpoline and Intel’s microcode patches stop all SpectreRSB attacks,” UCR researchers say.

This means that a threat actor who wants to recover data from a victim’s PC that has received Spectre patches can update the original Spectre code to target the RSB and bypass the defensive measures applied by the device owner. But the researchers also point out that Intel has a patch that stops this attack on some CPUs, which it has not rolled out to all of its processors.

“In particular, on Core-i7 Skylake and newer processors (but not on Intel’s Xeon processor line), a patch called RSB refilling is used to address a vulnerability when the RSB underfills,” the researchers say, describing a fix for an unrelated bug.

“This defense interferes with SpectreRSB’s ability to launch attacks that switch into the kernel. We recommend that this patch should be used on all machines to protect against SpectreRSB.”

After Bleeping Computer reached out to Intel earlier today, the company provided a statement suggesting the opposite of what the researchers said: that SpectreRSB attacks could be prevented with existing mitigations.

Recommended Actions

Intel already has a patch that stops this attack on some CPUs, but it has not been rolled out to all of its processors. This defense interferes with SpectreRSB’s ability to launch attacks that switch into the kernel. We recommend that this patch should be used on all machines to protect against SpectreRSB.
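As an added defender-side check (not part of this advisory or of the UCR researchers’ work), the following POSIX shell script reads the Linux kernel’s Spectre v2 status and reports whether the kernel says it is applying RSB filling, which is how the kernel labels the RSB-refilling defense the researchers recommend. The sysfs path, the wording of the status strings and the sample lines are assumptions drawn from the Linux kernel’s vulnerability reporting interface, not from this page.

```shell
#!/bin/sh
# Added example: check whether the Linux kernel reports the "RSB filling"
# Spectre v2 mitigation. Path and status wording are assumptions based on
# the kernel's /sys/devices/system/cpu/vulnerabilities interface.

SPECTRE_V2_SYSFS="/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# classify_spectre_v2 STATUS_LINE
# Prints one of: not_affected, vulnerable, rsb_filling, mitigated_no_rsb, unknown.
# "Vulnerable" is checked before the RSB pattern so a partially mitigated
# line is never reported as protected.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)   echo "not_affected" ;;
        "Vulnerable"*)     echo "vulnerable" ;;
        *"RSB filling"*)   echo "rsb_filling" ;;
        "Mitigation:"*)    echo "mitigated_no_rsb" ;;
        *)                 echo "unknown" ;;
    esac
}

# Read the live sysfs entry; fall back to "unknown" when it is absent
# (non-Linux host, or a container without /sys).
check_live_system() {
    if [ -r "$SPECTRE_V2_SYSFS" ]; then
        classify_spectre_v2 "$(cat "$SPECTRE_V2_SYSFS")"
    else
        echo "unknown"
    fi
}

# Constructed sample status lines in the kernel's reporting format.
SAMPLE_WITH_RSB="Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling"
SAMPLE_WITHOUT_RSB="Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW"
SAMPLE_VULN="Vulnerable"

# Human-readable report for the machine this script runs on.
report() {
    status="$(check_live_system)"
    echo "spectre_v2 status class: $status"
    case "$status" in
        rsb_filling)      echo "Kernel reports RSB refilling on context switch." ;;
        mitigated_no_rsb) echo "Spectre v2 mitigated, but no RSB filling reported: review kernel version and microcode." ;;
        vulnerable)       echo "Kernel reports Spectre v2 as vulnerable." ;;
        not_affected)     echo "CPU reported as not affected." ;;
        *)                echo "Could not determine status on this host." ;;
    esac
}

report
```

Run it on each host as part of a patch-compliance sweep; the classify_spectre_v2 function can also be fed status lines collected from a fleet, as the constructed samples show.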

To know more about SpectreRSB, click on the link.