Computer scientists from ETH Zurich uncovered yet another Spectre-like vulnerability that affects older AMD and Intel microprocessors. This new speculative execution attack dubbed Retbleed allows threat actors to circumvent existing defense mechanism known as retpoline and get access to the secrets within kernel memory.
Malware already presented on a compromised machine can exploit Retbleed (CVE-2022-29900 and CVE-2022-29901) to obtain sensitive data – including passwords and keys – from memory it shouldn't have access to.
Retpoline defense mechanism replaces indirect jumps and calls with returns in order to prevent unauthorized attackers from stealing data from the memory by abusing a speculative execution. It was assumed that returns were impractical to exploit because under normal microarchitectural conditions return target predictions are not predicted as indirect branches.
Nevertheless, according to the researchers from ETH Zurich, Retbleed “is indeed practical to exploit.” The threat actors “can trigger the microarchitectural conditions, on both AMD and Intel CPUs, that forces returns to be predicted like indirect branches.” It is also possible to “inject branch targets that reside inside the kernel address-space, even as an unprivileged user.”
Even though the researchers couldn’t access branch targets inside the kernel address-space, the Branch Prediction Unit updated itself upon observing a branch and assumed that it was legally executed, even if it’s to a kernel address.
Retbleed works on AMD Zen 1, Zen 1+, Zen 2 and Intel Core generation 6–8. Both AMD and Intel have developed mitigations, but they add overhead of 12% to 28%.