Researchers disclose new Spectre V2 vulnerabilities

The notorious Spectre vulnerabilities are in the headlines again thanks to the discovery of a new variant.

Researchers with VUSec at the Vrije Universiteit Amsterdam discovered a trio of CVE-listed vulnerabilities based on Spectre V2 that allow an attacker to extract sensitive data, such as security keys, by manipulating the way both Intel and Arm processors handle chip instructions. VUSec disclosed the vulnerabilities Tuesday, and both chipmakers issued patches to mitigate the flaws.

AMD processors do not appear to be affected.

First disclosed in 2018, the Spectre and Meltdown flaws made headlines as they preyed on a common performance feature of modern processors to get around security protections in CPUs and defeat built-in chip security.

As with the previous iterations of the Spectre flaw, the side-channel attacks prey on speculative execution of data and instructions by the CPU. In the case of Spectre, attackers are able to feed the CPU specific instructions that access areas of memory they would otherwise be blocked from reading, including secure locations that house encryption keys or credentials.

Researchers called the attack branch history injection (BHI), which they described as a new type of Spectre V2 threat that circumvents previous hardware mitigations deployed by Intel and Arm.

In the case of the new vulnerabilities, attackers use the CPU's branch history to trigger the speculative execution and read restricted memory data. This, VUSec said, was one of the few areas Intel did not lock down in its speculative execution controls, leaving it exposed.

"The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel," VUSec said in a blog post on the BHI vulnerabilities. "However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more 'interesting' kernel targets (i.e., gadgets) that leak data."

Intel has designated the bugs as CVE-2022-0001 and CVE-2022-0002, while the ARM flaw was CVE-2022-23960. Both vendors have issued advisories to help administrators deal with the issues.

According to Intel, the flaw is best addressed by making adjustments to the Linux kernel. Administrators can update their systems to the 5.16 kernel release to receive new controls that lock down the protected memory.

The chipmaker also told SearchSecurity that many of the potentially vulnerable Linux systems had already been protected from the attack thanks to previously installed updates.

"The attack, as demonstrated by researchers, was previously mitigated by default in most Linux distributions," Intel said in its statement. "The Linux community has implemented Intel's recommendations starting in Linux kernel version 5.16 and is in the process of backporting the mitigation to earlier versions of the Linux kernel."