
New Intel CPU flaw leaks sensitive data from privileged memory

A new “Branch Privilege Injection” flaw in all modern Intel CPUs lets attackers leak sensitive data from memory regions assigned to privileged software such as the operating system kernel.

These regions typically hold information such as passwords, cryptographic keys, the memory of other processes and kernel data structures, so protecting them from leaks is crucial.

According to ETH Zurich researchers Sandro Rüegge, Johannes Wikner and Kaveh Razavi, the flaw bypasses Spectre v2 mitigations that have held up for six years.

The flaw, dubbed “Branch Privilege Injection” and tracked as CVE-2024-45332, is a race condition in the branch predictor subsystem of Intel CPUs.

Branch predictors such as the Branch Target Buffer (BTB) and the Indirect Branch Predictor (IBP) are specialized hardware components that try to guess the outcome of a branch before it is resolved, in order to keep the CPU pipeline full.

These predictions are speculative, meaning they are rolled back if they turn out to be wrong. When they are correct, they improve performance.

The researchers found that Intel's branch predictor updates are not synchronized with instruction execution, which causes these updates to cross privilege boundaries.

When a privilege switch occurs, such as from user mode to kernel mode, there is a small window in which the update is attributed to the wrong privilege level.

As a result, the isolation between user and kernel is broken, and an unprivileged user can leak data from privileged processes.

The ETH Zurich team developed an exploit that trains the CPU to predict a specific branch target and then makes a system call to move execution into the OS kernel, leading to speculative execution at an attacker-controlled location (a “gadget”).

This code accesses secret data, which is loaded into the cache. Using a side-channel technique, the content is then passed back to the attacker.

The researchers demonstrated the attack on Ubuntu 24.04 with default mitigations, reading the contents of the file '/etc/shadow/', which holds hashed account credentials. The exploit reaches peak leakage rates of 5.6 KB/s with 99.8% accuracy.

https://www.youtube.com/watch?v=jrsovan7paa

Impact and fixes

CVE-2024-45332 affects all Intel CPUs from the ninth generation onward, including Coffee Lake, Comet Lake, Rocket Lake, Alder Lake and Raptor Lake.

“All Intel processors since the 9th generation (Coffee Lake Refresh) are affected by Branch Privilege Injection,” the researchers explain.

“However, we have observed predictions bypassing the Indirect Branch Prediction Barrier (IBPB) on processors as far back as the 7th generation (Kaby Lake).”

ETH Zurich researchers have not tested older generations at this point, but since those do not support Enhanced Indirect Branch Restricted Speculation (eIBRS), they are less relevant for this specific exploit and are likely more susceptible to older Spectre-like attacks.

ARM Cortex-X1, Cortex-A76 and AMD Zen 5 and Zen 4 chips were also examined, but they do not exhibit the same asynchronous predictor behavior, so they are not susceptible to CVE-2024-45332.

The evaluated processor families
Source: ETH Zurich

Although the attack was demonstrated on Linux, the flaw exists at the hardware level, so it could also be exploited on Windows.

The researchers reported their findings to Intel in September 2024, and the chipmaker has released microcode updates that mitigate CVE-2024-45332 on affected models.

The firmware-level mitigations introduce a 2.7% performance overhead, while software mitigations cost between 1.6% and 8.3% in performance depending on the CPU.

The risk is low for regular users, and the attack has several strong prerequisites that limit realistic exploitation scenarios. That said, applying the latest BIOS/UEFI and OS updates is recommended.

ETH Zurich will present the full details of the exploit in a technical paper at the upcoming USENIX Security 2025.

BleepingComputer has contacted Intel to find out whether an advisory is being published today and will update this article with a response.
