Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Major CPU, Software Vendors Impacted by New GhostRace Attack

CPU makers Intel, AMD, Arm and IBM, as well as software vendors, are impacted by a new speculative race condition (SRC) attack named GhostRace.

GhostRace CPU attack

A team of researchers from IBM and the VU Amsterdam university in the Netherlands on Tuesday disclosed the details of a new type of data leakage attack impacting all major CPU makers, as well as some widely used software. 

The new attack, dubbed GhostRace, is related to what the researchers describe as speculative race conditions (SRCs). 

Such an attack could allow threat actors to obtain potentially sensitive information from memory, such as passwords and encryption keys, but it typically requires physical or privileged access to the targeted machine and practical exploitation is in most cases not trivial.

Race conditions emerge when multiple threads try to access a shared resource at the same time, which can create vulnerabilities that can be exploited for various purposes, including arbitrary code execution, bypassing security defenses, and obtaining data.

Operating systems use synchronization primitives to avoid race conditions, but a security analysis of these primitives conducted by the IBM and VU Amsterdam researchers showed that race conditions can be combined with speculative execution, a technique that has often been leveraged over the past years in CPU attacks. 

“Our key finding is that all the common synchronization primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a Spectre-v1 attack, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs), allowing attackers to leak information from the target software,” the researchers explained in a blog post accompanying their research paper. 

In order to launch an attack and win a speculative race condition, the execution of the victim process must be interrupted at the right point and kept there to allow the attacker to perform what researchers describe as a Speculative Concurrent Use-After-Free (SCUAF) attack.

They achieved this using a new technique called Inter-Process Interrupt (IPI) Storming, which involves flooding the targeted process’ CPU core. 

Advertisement. Scroll to continue reading.

A scan for SCUAF gadgets in the Linux kernel led to the discovery of nearly 1,300 potentially exploitable gadgets. The researchers demonstrated a SCUAF information disclosure attack on the Linux kernel, achieving a 12 Kb/s kernel memory leakage. 

The research has focused on x86 architectures and Linux, but the experts said they confirmed that all major hardware vendors are impacted, as well as other software beyond Linux.

“In summary, any software, e.g., operating system, hypervisor, etc., implementing synchronization primitives through conditional branches without any serializing instruction on that path and running on any microarchitecture (e.g., x86, ARM, RISC-V, etc.), which allows conditional branches to be speculatively executed, is vulnerable to SRCs,” the researchers said.

Intel, AMD, Arm and IBM were notified of the GhostRace attack in late 2023, and they in turn notified OS and hypervisor vendors, all of which allegedly acknowledged the issue. 

AMD published an advisory on Tuesday, informing customers that previous guidance for Spectre-type attacks should also help prevent GhostRace attacks. 

Developers of the Xen hypervisor have also released an advisory. While they confirmed that all versions of Xen are technically affected, the project does not use any gadgets known to be vulnerable to GhostRace attacks, and the Xen security team does not believe immediate action is required. 

Linux developers have implemented an IPI rate limiting feature, but they are currently not taking further action due to performance concerns. 

The CVE identifier CVE-2024-2193 has been assigned to the underlying GhostRace vulnerability and CVE-2024-26602 to IPI Storming. 

In addition to a blog post and a technical paper, the researchers have made available a proof-of-concept (PoC) exploit, scripts for scanning the Linux kernel for SCUAF gadgets, and a list of the gadgets they have identified. 

Related: Protected Virtual Machines Exposed to New ‘CacheWarp’ AMD CPU Attack

Related: Downfall: New Intel CPU Attack Exposing Sensitive Information

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.

Endpoint Security

Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Data Protection

By implementing strong security practices,, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information.

Endpoint Security

Apple has launched a new security research blog and website, which will also be the new home of the company’s bug bounty program.

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...