AMD, Arm and Intel issued security advisories and recommendations Wednesday, warning of an exploit that bypasses the some of the defenses developed to shore up one of the most notorious vulnerabilities in modern chips.
Researchers at the Vrije Universiteit Amsterdam said in a post they had developed a method to circumvent some security measures developed since the Spectre and Meltdown vulnerabilities were disclosed in January 2018. Using a novel attack method, the researchers said that they were able to get a core part of the Linux OS to leak critical system data, such as the root password.
“The attack, as demonstrated by researchers, was previously mitigated by default in most Linux distributions," Intel said in a statement to Protocol. "The Linux community has implemented Intel’s recommendations starting in Linux kernel version 5.16 and is in the process of backporting the mitigation to earlier versions of the Linux kernel. Intel released technical papers describing further mitigation options for those using non-default configurations and why the LFENCE; JMP mitigation is not sufficient in all cases.”
AMD did not immediately respond to a request for comment, but issued a security advisory, and Arm also pointed Protocol to its security update.
The vulnerabilities the security researchers outlined center around a technique called speculative execution that many modern chips use to increase performance. Using spare resources, a chip will perform some processing ahead of when the task is actually needed in order to improve overall performance, but savvy attackers can exploit that technique using precise timing to read data that's unprotected before it is actually executed.
Security researchers discovered in 2017 that it was possible to exploit chips that used speculative execution, which was widely used in modern processors, and disclosed their findings in early 2018. The vulnerability, called Spectre, affected computers using Intel or AMD chips as well as Arm-based designs and forced the industry to quickly develop a series of fixes. Another vulnerability involving memory management called Meltdown was disclosed at the same time.
Climate TRACE's data show emissions at the facility-level.Image: Climate TRACE