SecurityWeek

Major CPU, Software Vendors Impacted by New GhostRace Attack

CPU makers Intel, AMD, Arm and IBM, as well as software vendors, are impacted by a new speculative race condition (SRC) attack named GhostRace.

A team of researchers from IBM and the VU Amsterdam university in the Netherlands on Tuesday disclosed the details of a new type of data leakage attack impacting all major CPU makers, as well as some widely used software. 

The new attack, dubbed GhostRace, is related to what the researchers describe as speculative race conditions (SRCs). 

Such an attack could allow threat actors to obtain potentially sensitive information from memory, such as passwords and encryption keys, but it typically requires physical or privileged access to the targeted machine and practical exploitation is in most cases not trivial.

Race conditions emerge when multiple threads try to access a shared resource at the same time, which can create vulnerabilities that can be exploited for various purposes, including arbitrary code execution, bypassing security defenses, and obtaining data.

Operating systems use synchronization primitives to avoid race conditions, but a security analysis of these primitives conducted by the IBM and VU Amsterdam researchers showed that race conditions can be combined with speculative execution, a technique that has often been leveraged over the past years in CPU attacks. 

“Our key finding is that all the common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a Spectre-v1 attack, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs), allowing attackers to leak information from the target software,” the researchers explained in a blog post accompanying their research paper. 

In order to launch an attack and win a speculative race condition, the execution of the victim process must be interrupted at the right point and kept there to allow the attacker to perform what researchers describe as a Speculative Concurrent Use-After-Free (SCUAF) attack.

They achieved this using a new technique called Inter-Process Interrupt (IPI) Storming, which involves flooding the targeted process’ CPU core. 

A scan for SCUAF gadgets in the Linux kernel led to the discovery of nearly 1,300 potentially exploitable gadgets. The researchers demonstrated a SCUAF information disclosure attack on the Linux kernel, achieving a 12 Kb/s kernel memory leakage. 

The research has focused on x86 architectures and Linux, but the experts said they confirmed that all major hardware vendors are impacted, as well as other software beyond Linux.

“In summary, any software, e.g., operating system, hypervisor, etc., implementing synchronization primitives through conditional branches without any serializing instruction on that path and running on any microarchitecture (e.g., x86, ARM, RISC-V, etc.), which allows conditional branches to be speculatively executed, is vulnerable to SRCs,” the researchers said.
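
The pattern the researchers describe, shown next to the same region with a serializing instruction on the path into it. This is an added illustration, not code from the researchers or from any affected project; all names are hypothetical, and the per-architecture barrier choice (`lfence` on x86, `dsb sy; isb` on AArch64) is an assumption of this example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration; every name here is hypothetical. */
struct guarded {
    atomic_flag lock;  /* set while a thread is inside the critical region */
    int *obj;          /* shared pointer another lock holder may free and clear */
};

/* Assumed barrier per architecture; the fallback only stops the compiler. */
static inline void speculation_barrier(void) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ __volatile__("dsb sy\n\tisb" ::: "memory");
#else
    __asm__ __volatile__("" ::: "memory");
#endif
}

/* Lock outcome feeds only a conditional branch: architecturally race-free,
 * but a mispredicted branch lets the body run speculatively while another
 * thread still owns the lock and may be freeing obj. */
static bool read_plain(struct guarded *g, int *out) {
    if (atomic_flag_test_and_set_explicit(&g->lock, memory_order_acquire))
        return false;                        /* lock busy */
    bool ok = g->obj != NULL;
    if (ok) *out = *g->obj;
    atomic_flag_clear_explicit(&g->lock, memory_order_release);
    return ok;
}

/* Same region, with the barrier placed after the gating branch so the
 * loads below wait until the lock outcome has actually resolved. */
static bool read_serialized(struct guarded *g, int *out) {
    if (atomic_flag_test_and_set_explicit(&g->lock, memory_order_acquire))
        return false;                        /* lock busy */
    speculation_barrier();
    bool ok = g->obj != NULL;
    if (ok) *out = *g->obj;
    atomic_flag_clear_explicit(&g->lock, memory_order_release);
    return ok;
}

int main(void) {
    int value = 42, out = 0;                 /* constructed sample data */
    struct guarded g = { ATOMIC_FLAG_INIT, &value };
    printf("plain=%d ", read_plain(&g, &out));
    printf("serialized=%d out=%d\n", read_serialized(&g, &out), out);
    return 0;
}
```

Both functions return the same architectural results; the difference is only in what the CPU may execute before the lock branch resolves, which is why the barrier sits inside the critical-region path rather than in the lock helper's failure path.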

Intel, AMD, Arm and IBM were notified of the GhostRace attack in late 2023, and they in turn notified OS and hypervisor vendors, all of which allegedly acknowledged the issue. 

AMD published an advisory on Tuesday, informing customers that previous guidance for Spectre-type attacks should also help prevent GhostRace attacks. 

Developers of the Xen hypervisor have also released an advisory. While they confirmed that all versions of Xen are technically affected, the project does not use any gadgets known to be vulnerable to GhostRace attacks, and the Xen security team does not believe immediate action is required. 

Linux developers have implemented an IPI rate limiting feature, but they are currently not taking further action due to performance concerns. 

The CVE identifier CVE-2024-2193 has been assigned to the underlying GhostRace vulnerability and CVE-2024-26602 to IPI Storming. 

In addition to a blog post and a technical paper, the researchers have made available a proof-of-concept (PoC) exploit, scripts for scanning the Linux kernel for SCUAF gadgets, and a list of the gadgets they have identified. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
