Inception, a vulnerability that affects AMD processors 


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or cause other problems.

A few days ago a group of researchers revealed, via a blog post, details of a vulnerability they had discovered (already cataloged as CVE-2023-20569) that affects AMD processors based on the EPYC and Ryzen microarchitectures.

The vulnerability, codenamed "Inception", allows an unprivileged local user to determine the memory contents of processes belonging to other users; when virtualization is in use, this amounts to extracting information from other guest systems.

What is Inception and how is it exploited?

Inception is described as a combination of two techniques:

  • Phantom Speculation: a misprediction can be triggered without any branch instruction at the source of the misprediction.
  • Training in Transient Execution: future wrong predictions can be manipulated through a previous wrong prediction that the attacker triggered.

Together, these make it possible to overflow the return address stack (RAS), a structure that is updated speculatively at a stage where the processor has only predicted that a CALL instruction may execute.

The RAS has a fixed size and is circular: after the last element it wraps around to the beginning. An attacker can create conditions in which the branch predictor speculatively executes a large number of incorrectly predicted CALLs, enough to overflow the RAS and overwrite correctly predicted return addresses sitting at the top of the stack.

As a result, entries at the top of the stack can be overwritten with attacker-chosen values, which are then consumed during the speculative execution of a RET instruction in the context of another process.

The processor later determines that the prediction was wrong and reverts the architectural state, but data processed during the speculative execution remains in the cache and in microarchitectural buffers. If the mistakenly executed block performs a memory access, that speculative execution loads the data from memory into the shared cache, where it can be observed.

To "poison" the branch predictor, the attack uses the Phantom vulnerability (CVE-2022-23825), identified by the same researchers, which makes it possible to induce a dummy branch prediction without any branch instruction and to influence the branch prediction buffer without a "ret" instruction.

To initiate the misprediction and the RAS overflow, an ordinary XOR instruction is used; under a Phantom attack its effect on the branch prediction buffer resembles a recursive CALL. For the controlled placement of the required value at the top of the RAS, the TTE (Training in Transient Execution) method is proposed, which allows influencing future branch predictions through previous erroneous predictions.

It is worth mentioning that, as a demonstration, the researchers prepared an exploit that an unprivileged local user can use to leak the hash of the root user's password, stored in the /etc/shadow file and loaded into memory when authenticating to the system.

The attack was demonstrated on a fully upgraded Ubuntu 22.04 system with a 5.19 kernel on a computer with an AMD Zen 4 family processor. The exploit leaks data at 39 bytes per second. The content of /etc/shadow was successfully recovered in 6 out of 10 attempts, and each attempt took approximately 40 minutes.

As mentioned at the beginning, Inception affects processors based on the EPYC and Ryzen microarchitectures. On Zen1 and Zen2, the existing IBPB instruction-based protection (used against Spectre attacks) can be used to block the vulnerability. For Zen3 and Zen4 family processors there are no such protection fixes, and a microcode update is required to block the vulnerability.

Finally, Inception fixes and the firmware update are already included in recent versions of the Linux kernel, although after the fixes were distributed a more efficient revised version of the patches was also proposed, which so far has not been accepted into the kernel.
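As an added, defender-side check that is not part of the original article: the script below classifies the Inception mitigation status reported by a patched Linux kernel, which calls the issue SRSO (Speculative Return Stack Overflow). It assumes a kernel carrying the fix, which exposes that status in /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow; the sample strings used in the dry run are constructed.

```shell
#!/bin/sh
# Added example (not from the article): classify the Inception/SRSO status a
# patched Linux kernel reports. Assumes the kernel exposes it in the sysfs
# file below; the sample strings at the bottom are constructed.
SRSO_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow

# classify_srso STATUS -> prints one of:
#   not-affected | mitigated | vulnerable-no-microcode | vulnerable | unknown
classify_srso() {
    status=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$status" in
        "not affected"*)              echo not-affected ;;
        "mitigation:"*)               echo mitigated ;;
        vulnerable*"no microcode"*)   echo vulnerable-no-microcode ;;
        vulnerable*)                  echo vulnerable ;;
        *)                            echo unknown ;;
    esac
}

# mitigation_name STATUS -> the mechanism named after "Mitigation:" (lower
# case, e.g. "ibpb"), or an empty string when the host is not mitigated.
mitigation_name() {
    status=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$status" in
        "mitigation:"*) printf '%s' "${status#mitigation:}" | sed 's/^ *//' ;;
        *)              printf '' ;;
    esac
}

# check_host: read the live sysfs file (when this kernel provides it) and
# return 0 if the host is mitigated or not affected, 1 otherwise.
check_host() {
    if [ ! -r "$SRSO_SYSFS" ]; then
        echo "no $SRSO_SYSFS: kernel predates the fix or is not x86"
        return 1
    fi
    live=$(cat "$SRSO_SYSFS")
    verdict=$(classify_srso "$live")
    echo "spec_rstack_overflow: '$live' -> $verdict"
    case "$verdict" in
        not-affected|mitigated) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Dry run over constructed samples in the shape the kernel reports:
for s in "Not affected" "Mitigation: IBPB" "Vulnerable: Safe RET, no microcode"; do
    printf '%-36s -> %s\n' "$s" "$(classify_srso "$s")"
done
```

Run `check_host` on an AMD host to see the live verdict; a "vulnerable-no-microcode" result on Zen3/Zen4 means the kernel patch is present but the required microcode update is not.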

If you are interested in knowing more about it, you can consult the details in the following link.

