New attack on speculative execution: Intel and AMD CPUs are affected by Retbleed

Researchers from the Swiss university ETH Zurich named the attack Retbleed, and it works against both Intel and AMD CPUs.

Speculative execution is a CPU feature that uses internal algorithms to predict the path a program’s execution will take when it reaches a conditional branch in the code. Since 2018, researchers have discovered numerous variants of Spectre, each employing a different method to force mispredictions.

Researchers at ETH Zurich have created a proof-of-concept attack on Linux that targets retpoline, the mitigation that replaces indirect jumps and calls with returns.

Previously, it was thought impractical to exploit returns because returns are not predicted as indirect branches under normal conditions.

However, the researchers discovered conditions that enable such exploitation, and they are more common than previously thought.

On Linux, fixing the retpoline mitigation required changes to 68 files, 1,783 new lines of code, and 387 lines removed. Intel has updated its list of CPUs vulnerable to “transient attacks,” such as Retbleed/RSBU, and plans to release microcode updates.

AMD has determined that the problem is an example of a broader microarchitecture behaviour known as Branch Type Confusion (CVE-2022-23825).

The vendor has issued new developer guidance for dealing with this type of issue. Xen and Citrix, for example, issued their own advisories and patches.
