VUSec security research group and Intel have revealed another Specter-class speculative execution vulnerability called branch history injection, or BHI. The new exploit impacts all Intel processors released in the last several years and specific Arm core processors. Intel processors affected include the most recent 12th Gen Core Alder Lake CPUs. Surprisingly, AMD chips have shown no effect from the vulnerability at this time.
Specter V2 hits Intel and ARM CPUs once again, affecting newer Intel and Arm cores
BHI is a proof-of-concept attack affecting vulnerable CPUs open to Specter V2 exploits. The interesting part of this particular attack is that several mitigations were currently in place on the affected CPUs. BHI avoids the Intel Enhanced Indirect Branch Restricted Speculation (EIBRS) and the Arm ID_PFR0_EL1 CSV2 assignment. VUSec reports that BHI enables cross-privilege Specter-v2 exploits, allowing kernel-to-kernel (intra-mode BTI) exploits and permitting attackers to place predictor entries into the global branch prediction history make kernel leak data. The result of the attack leaks arbitrary kernel memory on specific CPUs and could reveal hidden data such as passwords.
Intel reports that the company’s processors starting with Haswell (introduced in 2013) and spread to the recent Ice Lake-SP and Alder Lake CPUs. Intel will release a security patch to mitigate the exploit.
Arm cores, such as the company’s Cortex A15, A57, A72, Neoverse V1, N1, and N2, are reported to be affected. The company will also introduce five mitigations for their affected core series. It is currently unknown if custom series, such as the cores from Qualcomm using Arm’s technology, are affected by the new exploit.
Linux systems have received mitigations for Specter-BHB / BHI on Intel & Arm-based systems. There were added security measures for AMD systems that could potentially be affected.
Client and server machines should not be affected as long as those machines have the installed patches from the two companies. The impact the mitigations will have on performance on affected devices is unknown. Security researchers advise disabling unprivileged eBPF support to increase precaution from the attack.
The attack, as demonstrated by researchers, was previously mitigated by default in most Linux distributions. The Linux community has implemented Intel’s recommendations starting in Linux kernel version 5.16 and is in the process of backporting the mitigation to earlier versions of the Linux kernel. Intel released technical papers describing further mitigation options for those using non-default configurations and why the LFENCE; JMP mitigation is not sufficient in all cases.
– Intel statement to Phoronix website
Sources: VUSec, ARM, Intel, Phoronix