Vendors have started rolling out software updates to address the recently disclosed Retbleed speculative execution attack targeting Intel and AMD processors.
Disclosed earlier this week, Retbleed is a new attack technique that undermines retpolines (return trampolines), the widely adopted software mitigation against Spectre variant 2 (branch target injection) on modern microprocessors.
Retpolines were introduced in 2018 and replace indirect jumps and calls with return instructions, so that an attacker who has trained the indirect branch predictor can no longer steer speculative execution to a gadget of their choosing.
This week, however, researchers at the Swiss university ETH Zurich published a paper showing that the return instructions retpolines rely on can themselves be mispredicted under attacker control, making it practical to leak kernel memory, and that the attack works on both Intel and AMD processors with all Spectre mitigations enabled.
Intel tracks the flaws as CVE-2022-29901 and CVE-2022-28693, and AMD tracks them as CVE-2022-29900 and CVE-2022-23825. Both chipmakers have announced patches, and software vendors have started rolling fixes out to their users as well.
Citrix has announced hotfixes for Hypervisor, noting that the bugs “may allow code inside a guest VM to infer the contents of RAM memory elsewhere on the host.” Only systems running Hypervisor on AMD Zen 1 or Zen 2 processors are affected; systems on AMD Zen 3 CPUs, or on Intel chips with all previous updates installed, are not.
“Citrix has released hotfixes to address this issue. Citrix recommends that affected customers install these hotfixes as their patching schedule allows. Note that remediating this hardware issue in software may impact performance on affected CPUs,” Citrix says.
VMware has confirmed that all four vulnerabilities impact its ESXi hypervisor, and that patches are available for ESXi versions 7.0, 6.7, and 6.5, as well as for Cloud Foundation versions 4.x and 3.x.
“A malicious actor with administrative access to a virtual machine can take advantage of various side-channel CPU flaws that may leak information stored in physical memory about the hypervisor or other virtual machines that reside on the same ESXi host,” VMware notes.
As part of its Patch Tuesday cycle, Microsoft announced that the latest Windows builds enable mitigations against the vulnerabilities affecting AMD processors, advising customers to apply the latest updates and, where untrusted users are allowed to execute arbitrary code on a system, to enable the additional protections it describes.
The Xen Project has likewise confirmed impact from the AMD flaws, but only on systems running Zen 2 or earlier processors; systems with AMD Zen 3 or Intel chips are not affected. Xen has published patches for its stable branches and encourages users of other branches to move to a stable branch before applying them.
Fedora says fixes for all four vulnerabilities have been included in Fedora 36 Update: kernel-5.18.11-200.fc36, which includes stable patches and “the Retbleed patches scheduled for 5.18.12 kernels.”
SUSE has likewise confirmed that CVE-2022-29900 and CVE-2022-29901 affect SUSE Linux Enterprise Desktop, Enterprise Server, Enterprise Server for SAP Applications, and Enterprise HPC. Patches have been released for some of the affected products, and SUSE is still working on fixes across the rest of its portfolio.
Ubuntu has announced that kernel updates are in the works, without giving an availability date. Red Hat Enterprise Linux 6 through 9 are affected by CVE-2022-29900 and CVE-2022-29901; Red Hat has not given a release date for patches, and says that Enterprise Linux 6 will remain unpatched.
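Once a fixed kernel is booted, the Linux kernel reports its Retbleed state in sysfs, and that is what an operator should check rather than the package version alone. The script below is an added example, not code from the article, the kernel, or any vendor: it reads `/sys/devices/system/cpu/vulnerabilities/retbleed`, classifies the string, and also checks `/proc/cmdline` for `retbleed=off` or `mitigations=off`, which silently switch the mitigation back off. The status strings it matches are constructed here to follow the format the upstream kernel prints (`Not affected`, `Mitigation: ...`, or `Vulnerable...`, with the SMT state appended on AMD); treating a `Mitigation:` line that ends in `SMT vulnerable` as a separate class is this script's own choice, because the return thunk alone does not protect a hyperthreaded sibling, which is exactly the multi-tenant hypervisor case the vendors above describe.

```shell
#!/bin/sh
# Added example (not from the article or any vendor advisory): turn the
# kernel's Retbleed sysfs status into a pass/fail answer an operator can
# act on.  Status strings are constructed to follow the upstream kernel's
# format; classes other than the kernel's own prefixes are this script's.

RETBLEED_SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# classify_retbleed_status STRING
# Prints one of: not-affected | mitigated | mitigated-smt-exposed |
# vulnerable | unknown.
classify_retbleed_status() {
    case "$1" in
        "Not affected"*)                    echo not-affected ;;
        "Mitigation:"*"SMT vulnerable"*)    echo mitigated-smt-exposed ;;
        "Mitigation:"*)                     echo mitigated ;;
        "Vulnerable"*)                      echo vulnerable ;;
        *)                                  echo unknown ;;
    esac
}

# cmdline_disables_retbleed CMDLINE
# Returns 0 (true) when the kernel command line switched the mitigation off,
# either directly (retbleed=off) or for every CPU bug (mitigations=off).
cmdline_disables_retbleed() {
    for tok in $1; do
        case "$tok" in
            retbleed=off|mitigations=off) return 0 ;;
        esac
    done
    return 1
}

# retbleed_report
# Exit status: 0 = not affected or mitigated, 1 = needs attention,
# 2 = the running kernel predates the fix (no sysfs entry at all).
retbleed_report() {
    if [ ! -r "$RETBLEED_SYSFS" ]; then
        echo "retbleed: $RETBLEED_SYSFS missing; kernel is not Retbleed-aware, update it"
        return 2
    fi
    read -r status < "$RETBLEED_SYSFS"
    class=$(classify_retbleed_status "$status")
    echo "retbleed: $status [$class]"

    cmdline=""
    [ -r /proc/cmdline ] && read -r cmdline < /proc/cmdline
    if cmdline_disables_retbleed "$cmdline"; then
        echo "retbleed: mitigation disabled on the kernel command line: $cmdline"
        return 1
    fi

    case "$class" in
        not-affected|mitigated) return 0 ;;
        mitigated-smt-exposed)
            echo "retbleed: SMT siblings remain exposed; disable SMT (e.g. retbleed=auto,nosmt) on multi-tenant hosts"
            return 1 ;;
        *) return 1 ;;
    esac
}

# Run the report only when asked, so the functions can also be sourced.
case "${1:-}" in
    --check) retbleed_report; exit $? ;;
esac
```

Run it as `sh retbleed-check.sh --check` on each host after the kernel update and reboot; the exit status is meant to gate a configuration-management run or a CI job. A missing sysfs entry (exit 2) is the common trap: the kernel is too old to know about Retbleed, so "no report" must not be read as "not affected".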