Intel: Another attack bypasses all previous CPU protection measures | heise online
A new type of attack on Intel processors makes it possible to read passwords even when all previous protection mechanisms against Spectre-type attacks are active. The Computer Security Group (Comsec) at ETH Zurich exploits a peculiarity in Intel's branch prediction. It calls the vulnerability Branch Predictor Race Conditions (BPRC) and the attack type Branch Privilege Injection (BPI).
Like the Training Solo attack type, BPI requires physical access to a system. Therefore, the associated CVE numbers CVE-2024-43420, CVE-2025-20623 and CVE-2024-45332 are only rated as medium severity. AMD and ARM processors are not affected. BPI poses a risk above all for cloud servers on which applications or containers and virtual machines of different users run in parallel. Based on current knowledge, BPI does not significantly increase the malware risk for privately used desktop PCs and notebooks.
On Intel CPUs, the branch prediction unit (BPU) updates its prediction state asynchronously with respect to the instruction stream and the privilege domain in which the instructions execute. This improves performance and is normally harmless, because the privilege level that applies when an operation completes is unambiguous.
However, the ETH research team manipulates the instruction stream in such a way that the privilege information is not updated until after an operation has completed. As a result, the privilege boundaries become blurred: attackers can read data from a process that is supposed to be isolated and privileged. In a proof of concept (PoC), this works at 5.6 KByte/s. In a video demonstration, Comsec shows its application reading a complex password.
To inject suitable instructions, the research team uses a readable cache timing signal that exists for only nanoseconds during the execution of instructions. To manipulate it, they use a cache signaling gadget.
Three variants bypass different compartmentalizations: BPRC U→K bypasses the barrier between user and kernel space, BPRC G→H bypasses the barrier between guest and hypervisor, and BPRC IBPB bypasses Intel's Indirect Branch Predictor Barrier (IBPB) security mechanism.
All modern desktop, notebook and server processors from Intel are affected. In its own security advisory, Intel lists Core i processors from the eighth generation (Coffee Lake) onward, Xeon models from the second generation of Xeon Scalable (Cascade Lake) onward, and numerous Atom, Celeron and Pentium models. However, not all BPRC variants work on all CPUs.
The manufacturer is distributing microcode updates that eliminate the anomalies in that signal and thus prevent branch privilege injection. With a preliminary update on an Alder Lake system (Core i-12000), the Comsec researchers measured performance losses of up to 2.7 percent. Corresponding BIOS or Windows updates are expected to be released soon.
(mma)