Security vulnerabilities found in Intel and AMD processors

Topic

New Reply

https://www.ghacks.net/2022/08/10/security-vulnerabilities-found-in-intel-and-amd-processors/

Security researchers have discovered vulnerabilities in Intel and AMD processors that may lead to information disclosure.

Most Intel 10th, 11th and 12th generation processors are affected by a new vulnerability that the researchers have named ÆPIC Leak. The vulnerability is an architectural bug according to the researchers, which sets it apart from Spectre and Meltdown vulnerabilities that have haunted Intel and AMD in the past years.

AMD Zen 2 and 3 processors are affected by a security vulnerability that the researches named SQUID. It is a side channel attack that is targeting CPU schedulers.

The vulnerability requires root or administrative level access to the machine to exploit the vulnerability. Most home systems should be safe because of that, but it is still recommended to install updates once they become available.

Intel Security Advisory

Intel list of affected processors

Intel reveals on the 2022.2 IPU – Intel® Processor Advisory support page that customers should install the latest firmware versions provided by the system manufacturer to address the issue. Intel plans to release SGX SDK updates once the public embargo is lifted.

Intel has released microcode updates for affected processors that are already available on the company’s public GitHub repository.

AMD processors affected by SQUIP vulnerability

..AMD does not plan to release any kernel mitigations or microcode updates for affected processors. Instead, the company offers the following recommendation:

AMD recommends software developers employ existing best practices1,2, including constant-time algorithms and avoiding secret-dependent control flows where appropriate to help mitigate this potential vulnerability…

4 users thanked author for this post.

lmacri, rta3, oldfry, Fred

Reply | Quote

Replies

Intel generation 10’s first line of CPUs, according to my Web-based research into this, correct me if I am wrong, first came out in August 2019.

https://en.wikipedia.org/wiki/Comet_Lake_(microprocessor)#:~:text=Intel%20announced%20low-power%20mobile%20Comet%20Lake-U%20CPUs%20on,as%20the%20Intel%20%2210th%20Generation%20Core%22%20family.%20

So any desktop or laptop newer than this has a gen 10, 11 or 12 CPU and there could be some risk of it being trouble (potentially).  But it looks like Intel is fixing or has fixed this:

As quoted by Alex: “Intel has released microcode updates for affected processors that are already available on the company’s public GitHub repository.”

AMD seems to be doing nothing itself, letting the developers take care of this.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

2 users thanked author for this post.

oldfry, Fred

Reply | Quote

Disturbing

.

* _ the metaverse is poisonous _ *

1 user thanked author for this post.

Alex5723

Reply | Quote

Looking at the Intel affected processors, it looks like most are affected even those on 4-5 year old desktops.

As for most home users not being affected that is IF they are ignorant computer users. Those that run as Admin ARE affected and that would include myself and most readers of this site.

Intel says to go to the computer manufacturer for any firmware fixes for Windows computers.

Reply | Quote

The CPU ÆPIC Leak is architectural, although a software implementation similar to meltdown/ spectre patches could possibly be an option for affected CPU’s in time…?
Steve Gibson (GRC) to the rescue with an ‘InSpectre’ type utility again?

No problem can be solved from the same level of consciousness that created IT- AE

Reply | Quote

Hi Alex5723:

Thanks for the heads up.

My 8th gen Intel i5-8265U CPU is listed (twice) on the 2018-2021 tab of Affected Processors: Transient Execution Attacks & Related Security Issues by CPU so the comment in the ghacks.net article Security Vulnerabilities Found in Intel and AMD Processors that “Most Intel 10th, 11th and 12th generation processors are affected by a new vulnerability that the researchers have named ÆPIC Leak” is a bit misleading.
———-
Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD, Intel UHD Graphics 620

Reply | Quote

lmacri wrote:

Most Intel 10th, 11th and 12th generation processors are affected by a new vulnerability that the researchers have named ÆPIC Leak

That is exactly what the researchers claim.

Does your CPU rely on SGX ?

..systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.

..ÆPIC Leak works on all recent SunnyCove-based Intel CPUs (i.e., Ice Lake and Alder Lake)..

Reply | Quote

Alex5723 wrote:

Does your CPU rely on SGX ?

Hi Alex5723:

According to the Security & Reliability section of the specs <here> for my 8th gen i5-8265U processor the status of Intel Software Guard Extensions (Intel SGX) is “Yes with Intel ME” (see attached image). I have no idea if that’s why Intel included my CPU on the list of affected products on the 2018-2021 tab of their Affected Processors: Transient Execution Attacks & Related Security Issues by CPU .
—————
Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD * Intel UHD Graphics 620

Reply | Quote

Imacri: “I have no idea if that’s why Intel included my CPU on the list of affected products”

Indeed. Mine is a Haswell i7-4870HQ and I just checked at Intel (*), in case it is weirdly also afflicted, although it is gen. 4 and came out in 2014, well before those of gen. 10 (in 2019), that are supposed to be the oldest affected.

Result of the check: mine is unaffected, as it should be.

(*) If you know the processor’s name, open a browser and enter it in a search engine you use (e.g. DuckDuckGo, Google), hit Return and that will take you to the Intel page with full information on your processor.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

lmacri wrote:

According to the Security & Reliability section of the specs for my 8th gen i5-8265U processor the status of Intel Software Guard Extensions (Intel SGX) is “Yes with Intel ME” (see attached image). I have no idea if that’s why Intel included my CPU on the list of affected products

My 9th generation i7-9700K also shows Intel Software Guard Extensions (Intel SGX) as “Yes with Intel ME” but it’s listed as Not Affected in their Affected Processors list.

That would seem to indicate the problem involves something other than just “does your CPU use SGX.”

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

@Imacri, bear in mind the new ÆPIC Leak being discussed in this thread is CVE-2022-21233.

The CPU’s affect by it are shown on the 2022 tab of Intel’s Affected Processors list not the 2018-2021 tab.

The 2018-2021 tab covers older CPU bugs such as Meltdown, Spectre, etc.

1 user thanked author for this post.

lmacri

Reply | Quote

Just another Forum Poster wrote:

The CPU’s affect by it are shown on the 2022 tab of Intel’s Affected Processors list not the 2018-2021 tab. The 2018-2021 tab covers older CPU bugs such as Meltdown, Spectre, etc.

Hi alejr:

Does that mean that none of the processors on the 2018-2021 tab of Intel’s Affected Processors: Transient Execution Attacks & Related Security Issues by CPU are affected by new ÆPIC vulnerability (CVE-2022-21233), and all of the processors on the 2022 tab are affected? For example, is there some notation in the Stepping column of that support article that specifically denotes which CPUs are vulnerable to the ÆPIC vulnerability (CVE-2022-21233)?

If none of the CPUs on 2018-2020 tab of that support article are vulnerable then it would have been less confusing if Intel had created a separate support article listing the 10th gen to 12th gen processors specifically affected by the new ÆPIC vulnerability. As shown in your image in post #2469878, the Intel Security Advisory INTEL-SA-00657 for CVE-2022-21233 has a link under Affected Products that says “Consult this list of affected products here“, which lands users on the 2018-2021 tab of Affected Processors: Transient Execution Attacks & Related Security Issues by CPU.

————–
[Dell Inspiron 5584 * 64-bit Win 10 Pro v21H2 build 19044.1889 * Intel i5-8265U CPU * 8 GB RAM * 256 GB Toshiba KBG40ZNS256G NVMe SSD * Intel UHD Graphics 620

Reply | Quote

lmacri wrote:

Does that mean that none of the processors on the 2018-2021 tab of Intel’s Affected Processors: Transient Execution Attacks & Related Security Issues by CPU are affected by new ÆPIC vulnerability (CVE-2022-21233), and all of the processors on the 2022 tab are affected?

Absolutely not, the same CPU can be listed on both tabs!

The two different tabs cover the specific year/years an issue was discovered and the ÆPIC vulnerability was discovered this year so it won’t be listed in the 2018-2021 tab.

Also, each tab lists “multiple” different security issues for each CPU so you must look at the column header to determine whether a particular CPU is affected by a particular problem or not.

Note: you can use the search function located immediately above the table to narrow the results to a particular CPU.

Reply | Quote