AMD warns about new Transient Scheduler Attacks affecting a wide range of CPUs

7 Min Read

Semiconductor company AMD is warning of a new set of vulnerabilities affecting a wide range of its chipsets that could lead to information disclosure.

The flaws, collectively known as Transient Scheduler Attacks (TSA), manifest as a speculative side channel in the CPU that exploits the execution timing of instructions under specific microarchitectural conditions.

“In some cases, attackers can use this timing information to infer data from other contexts, which can lead to information leakage,” AMD said in its advisory.

The company said the issue was uncovered as part of a study published by Microsoft and ETH Zurich researchers, who stress-tested the isolation between security domains such as virtual machines, kernels and processes in order to test modern CPUs against speculative execution attacks such as Meltdown and Foreshadow.

Following responsible disclosure in June 2024, the issues have been assigned the following CVE identifiers –

  • CVE-2024-36350 (CVSS score: 5.6) – A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.
  • CVE-2024-36357 (CVSS score: 5.6) – A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privilege boundaries.
  • CVE-2024-36348 (CVSS score: 3.8) – A transient execution vulnerability in some AMD processors may allow a user process to speculatively infer control registers even when the UMIP (User-Mode Instruction Prevention) feature is enabled, potentially resulting in information leakage.
  • CVE-2024-36349 (CVSS score: 3.8) – A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such reads are disabled, potentially resulting in information leakage.

AMD describes TSA as a “new class of speculative side channels” affecting its CPUs, and says it has released microcode updates for the affected processors, listed below:

  • 3rd Generation AMD EPYC Processor
  • 4th Generation AMD EPYC Processor
  • AMD Instinct MI300A
  • AMD Ryzen 5000 Series Desktop Processor
  • AMD Ryzen 5000 Series Desktop Processor with Radeon Graphics
  • AMD Ryzen 7000 Series Desktop Processor
  • AMD Ryzen 8000 Series Processor with Radeon Graphics
  • AMD Ryzen Threadripper Pro 7000 WX Series Processor
  • AMD Ryzen 6000 Series Processor with Radeon Graphics
  • AMD Ryzen 7035 Series Processor with Radeon Graphics
  • AMD Ryzen 5000 Series Processor with Radeon Graphics
  • AMD Ryzen 7000 Series Processor with Radeon Graphics
  • AMD Ryzen 7040 Series Processor with Radeon Graphics
  • AMD Ryzen 8040 Series Mobile Processor with Radeon Graphics
  • AMD Ryzen 7000 Series Mobile Processor
  • AMD EPYC Embedded 7003
  • AMD EPYC Embedded 8004
  • AMD EPYC Embedded 9004
  • AMD EPYC Embedded 97x4
  • AMD Ryzen Embedded 5000
  • AMD Ryzen Embedded 7000
  • AMD Ryzen Embedded V3000

The company also noted that load instructions, which read data from memory, can experience what it calls “false completion.” This occurs when the CPU hardware expects the load to complete quickly, but conditions arise that prevent it from doing so –

In that case, dependent operations may be scheduled for execution before the false completion is detected. The data associated with that load is considered invalid because the load did not actually complete. The load is re-executed so that it completes successfully later, and the dependent operations are re-executed with valid data once it is available.

Unlike other speculative behaviors such as store-forwarding predictions, a false completion does not result in a pipeline flush. The invalid data associated with a false completion may be forwarded to dependent operations that consume it, but those operations will not attempt to fetch data or update cache or TLB state. As a result, this invalid data value cannot be inferred using standard transient side-channel methods.

However, on TSA-affected processors, the invalid data can affect the timing of other instructions executed by the CPU in a way that an attacker can detect.

The chipmaker said it has identified two TSA variants, TSA-L1 and TSA-SQ, depending on whether the source of the invalid data associated with the false completion is the L1 data cache or the CPU store queue.

In the worst-case scenario, a successful attack using the TSA-L1 or TSA-SQ flaws could lead to information leakage from the operating system kernel to user applications, from the hypervisor to guest virtual machines, or between two user applications.


TSA-L1 is caused by an error in how the L1 cache uses microtags for data cache lookups, whereas TSA-SQ arises when a load instruction incorrectly retrieves data from the CPU store queue while that data is not yet available. In either case, an attacker can infer the data used by an older store, even if it resides in the L1 cache or if the older store executed in a different context.

That said, to exploit these flaws, an attacker must already have the ability to run arbitrary code on the target machine. They are not exploitable through malicious websites.

“The conditions required to exploit TSA are typically transient, as both the microtags and the store queue are updated after the CPU detects a false completion,” AMD said.

“As a result, to leak data, an attacker would typically need to be able to invoke the victim multiple times and repeatedly create the conditions for false completion. This is possible if the attacker and the victim have an existing communication path, such as an application and the OS kernel.”
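As an added defender's check (this script is not from AMD's advisory or the article), the following Python reports whether a Linux host falls within the scope of the advisory and what the kernel says about its TSA mitigation state. It assumes the kernel exposes a `tsa` entry under /sys/devices/system/cpu/vulnerabilities (kernels carrying the TSA mitigation do; older kernels simply lack the file, which the script reports as unknown rather than safe) and that AMD parts identify themselves with the vendor string AuthenticAMD in /proc/cpuinfo. The sample /proc/cpuinfo block embedded below is constructed for illustration, as are the status strings used in its comments.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed Linux paths (not taken from the advisory). The "tsa" entry under
# VULN_DIR is only present on kernels that ship the TSA mitigation; its
# absence means the kernel cannot report on TSA, not that the host is safe.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
CPUINFO = "/proc/cpuinfo"

# Constructed sample of the first CPU block of /proc/cpuinfo (illustrative only;
# family/model/microcode values are placeholders, not a real affected part).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 33
model name\t: placeholder AMD Ryzen CPU
microcode\t: 0x0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat

processor\t: 1
vendor_id\t: AuthenticAMD
"""


@dataclass
class HostReport:
    vendor: str
    family: Optional[int]
    model: Optional[int]
    microcode: Optional[str]
    tsa_status: str   # raw kernel status line, or "<no tsa entry>"
    verdict: str      # out_of_scope | not_affected | mitigated | vulnerable | unknown


def classify(status: str) -> str:
    """Map a kernel vulnerability status line to a coarse verdict.
    Kernel sysfs entries begin with "Not affected", "Mitigation: ..." or
    "Vulnerable" (possibly followed by details); anything else is unknown."""
    s = status.strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"


def parse_cpuinfo(text: str) -> dict:
    """Extract vendor, family, model and microcode from the first CPU block."""
    info = {"vendor": "", "family": None, "model": None, "microcode": None}
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the first logical CPU's block
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "vendor_id":
            info["vendor"] = val
        elif key == "cpu family":
            info["family"] = int(val)
        elif key == "model":
            info["model"] = int(val)
        elif key == "microcode":
            info["microcode"] = val
    return info


def build_report(cpuinfo_text: str, vuln_files: Dict[str, str]) -> HostReport:
    """Combine CPU identity with the kernel's TSA status into one verdict."""
    info = parse_cpuinfo(cpuinfo_text)
    status = vuln_files.get("tsa", "<no tsa entry>")
    if info["vendor"] != "AuthenticAMD":
        verdict = "out_of_scope"   # the advisory covers AMD processors only
    elif "tsa" not in vuln_files:
        verdict = "unknown"        # kernel predates TSA reporting; update it
    else:
        verdict = classify(status)
    return HostReport(info["vendor"], info["family"], info["model"],
                      info["microcode"], status, verdict)


def read_vuln_dir(path: str = VULN_DIR) -> Dict[str, str]:
    """Read every sysfs vulnerability file into a name -> status mapping."""
    out: Dict[str, str] = {}
    if not os.path.isdir(path):
        return out
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as fh:
            out[name] = fh.read().strip()
    return out


if __name__ == "__main__":
    with open(CPUINFO) as fh:
        report = build_report(fh.read(), read_vuln_dir())
    print(f"{report.vendor} family={report.family} model={report.model} "
          f"microcode={report.microcode}")
    print(f"tsa: {report.tsa_status} -> {report.verdict}")
```

Run it on a fleet as part of patch verification: a "vulnerable" verdict means the kernel recognises the CPU as affected but the microcode or kernel mitigation is not in place, while "unknown" on an AMD host means the kernel is too old to report on TSA at all and should be updated before the result is trusted.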
