CERT Vulnerability Note VU#488902
Published: March 14, 2024

CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions

Source: www.kb.cert.org
Keywords: cpu vulnerability, ghostrace, spectre v1, speculative execution, concurrency bugs, race conditions, transiently executed path, data disclosure, vendor recommendations, cve-2024-2193


Overview

A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware utilizing speculative execution that is vulnerable to Spectre v1 is likely affected. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU by using race conditions to reach speculatively executed code paths. Security researchers have labeled this variant of the Spectre v1 vulnerability "GhostRace" for ease of communication.

Description

Speculative execution is an optimization technique in which a computer system performs some task preemptively to improve performance and provide additional concurrency whenever extra resources are available. However, these speculative executions leave traces of memory accesses or computations in the CPU's cache, buffers, and branch predictors. Attackers can take advantage of these traces and, in some cases, also influence speculative execution paths via malicious software to infer privileged data belonging to a distinct execution. Attackers exploiting Spectre v1 take advantage of the speculative execution of conditional branch instructions used for memory access bounds checks. These are discussed in some detail in the article Spectre Side Channels found at kernel.org. The earlier research did not include any speculative execution attacks using race conditions. Race conditions, generally considered a class of concurrency bug, occur when two or more threads attempt to access the same shared resource without proper synchronization, which can create an opportunity for an attacker to trick a system into carrying out unauthorized actions in addition to its normal processes. This recent research explores a speculative race condition attack against the speculative execution facility of modern CPUs.

In its characteristics and exploitation strategy, an SRC vulnerability is similar to a classic race condition. It differs in that the attacker exploits the race condition on a transiently executed path originating from a mis-speculated branch (similar to Spectre v1), targeting a racy code snippet, or gadget, that ultimately discloses information to the attacker. Another major difference is that while classic race conditions are relatively infrequent in production code bases, speculative race conditions can be pervasive: common synchronization primitives all exhibit no-op-like behavior on a transiently executed path, so essentially any critical region in victim software can become vulnerable. In practice, whether a particular critical region is actually exploitable depends on the characteristics of the resulting race condition, much as with the exploitation of a classic race condition.
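The two hazards described above, a bounds check that is bypassed on a mis-speculated path and a lock that behaves like a no-op on a transiently executed path, each have a well-known defensive coding pattern. The C program below is an added example written for this note, not code from CERT, the researchers, or any vendor. It shows a branchless index mask in the style of the Linux kernel's array_index_mask_nospec(), and a minimal spinlock whose acquire is followed by a speculation barrier so that transient execution cannot run ahead into the critical region. Using a barrier after lock acquisition is the example's assumption about how to serialise the guarded region, not a mitigation this note itself specifies; the helper names, the lock type, and the sample buffer are all constructed for illustration. On non-x86 targets the barrier degrades to a compiler-only placeholder that does not stop hardware speculation.

```c
/* Added example, not part of the CERT note: two defensive patterns for
 * speculative-execution hazards. All names and helpers are hypothetical. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <emmintrin.h>
/* LFENCE does not retire until all prior instructions have completed, so
 * nothing placed after it executes transiently on a mis-speculated path. */
static inline void speculation_barrier(void) { _mm_lfence(); }
#else
/* Placeholder for other architectures: only a compiler barrier. A real
 * deployment must use the platform's speculation barrier (e.g. CSDB on AArch64). */
static inline void speculation_barrier(void) { __asm__ __volatile__("" ::: "memory"); }
#endif

/* Branchless mask in the style of the kernel's array_index_mask_nospec():
 * all ones when idx < size, zero otherwise. The result is a data dependency on
 * the operands, not on a branch outcome, so a mis-predicted bounds check cannot
 * make the following access use an out-of-range index.
 * Assumes sizeof(long) == sizeof(size_t) and an arithmetic right shift on
 * signed long, which holds on mainstream LP64 and ILP32 compilers. */
static size_t array_index_mask_nospec(size_t idx, size_t size)
{
    return (size_t)(~(long)(idx | (size - 1 - idx)) >> (sizeof(long) * 8 - 1));
}

/* Spectre v1-style bounds-checked read, hardened: even if the check is
 * bypassed transiently, the masked index is 0 and the read stays in bounds. */
static unsigned char bounded_read_nospec(const unsigned char *array, size_t size, size_t idx)
{
    if (idx < size) {
        idx &= array_index_mask_nospec(idx, size);
        return array[idx];
    }
    return 0;
}

/* Minimal spinlock whose acquire is followed by a speculation barrier. On a
 * transiently executed path a plain acquire behaves like a no-op (the note's
 * key observation); the barrier keeps transient execution from proceeding into
 * the critical region before the acquire has actually retired. */
typedef struct { atomic_flag flag; } spec_safe_lock_t;

static void spec_safe_lock(spec_safe_lock_t *l)
{
    while (atomic_flag_test_and_set_explicit(&l->flag, memory_order_acquire))
        ;                       /* spin until the flag was clear */
    speculation_barrier();      /* serialise: the region below is not run ahead */
}

static void spec_safe_unlock(spec_safe_lock_t *l)
{
    atomic_flag_clear_explicit(&l->flag, memory_order_release);
}

/* A lock-guarded object of the kind a racy gadget would target: a pointer and
 * length that one thread may replace while another reads under the lock. */
typedef struct {
    spec_safe_lock_t lock;
    const unsigned char *data;
    size_t len;
} guarded_buffer_t;

static void guarded_buffer_init(guarded_buffer_t *g, const unsigned char *data, size_t len)
{
    g->lock = (spec_safe_lock_t){ ATOMIC_FLAG_INIT };
    g->data = data;
    g->len = len;
}

/* Reads one byte under the lock; both the null check and the bounds check sit
 * after the barrier, and the index is masked as well. Returns 1 on success. */
static int guarded_read(guarded_buffer_t *g, size_t idx, unsigned char *out)
{
    int ok = 0;
    spec_safe_lock(&g->lock);
    if (g->data != NULL && idx < g->len) {
        idx &= array_index_mask_nospec(idx, g->len);
        *out = g->data[idx];
        ok = 1;
    }
    spec_safe_unlock(&g->lock);
    return ok;
}

/* Constructed sample data for the demonstration. */
static const unsigned char sample[8] = { 10, 20, 30, 40, 50, 60, 70, 80 };

int main(void)
{
    guarded_buffer_t g;
    unsigned char v = 0;
    guarded_buffer_init(&g, sample, sizeof sample);
    printf("mask(3,8)=%zx mask(8,8)=%zx\n",
           array_index_mask_nospec(3, 8), array_index_mask_nospec(8, 8));
    printf("in-bounds read: ok=%d value=%u\n", guarded_read(&g, 2, &v), v);
    printf("out-of-bounds read: ok=%d\n", guarded_read(&g, 8, &v));
    return 0;
}
```

A functional test can only confirm that the mask and the lock behave correctly architecturally; whether the barrier closes the transient window on a given CPU has to be checked with the vendor's guidance for that part. The mask is the part worth copying verbatim: it costs a few ALU instructions and needs no barrier, which is why the kernel applies it at user-controlled array indices.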

Impact

An attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by utilizing the race condition, termed a speculative race condition.

Solution

Please update your software according to the recommendations from respective vendors with the latest mitigations available to address this vulnerability and its variants.

Acknowledgements

Thanks to Hany Ragab and Cristiano Giuffrida from the VUSec group at VU Amsterdam and Andrea Mambretti and Anil Kurmus from IBM Research Europe, Zurich for discovering and reporting this vulnerability, as well as supporting coordinated disclosure. This document was written by Dr. Elke Drennan, CISSP.

Vendor Information


AMD: Affected

Notified: 2024-01-17 Updated: 2024-03-14

Statement Date: March 01, 2024

CVE-2024-2193 Affected

Vendor Statement

AMD recommends following previously published guidance regarding Spectre type attacks (refer to the link in the reference section below). AMD believes the previous guidance remains applicable to mitigate this vulnerability.

References

Linux Foundation: Affected

Notified: 2024-02-22 Updated: 2024-03-14

Statement Date: February 22, 2024

CVE-2024-2193 Affected

Vendor Statement

We have not received a statement from the vendor.

Red Hat: Affected

Notified: 2024-01-30 Updated: 2024-03-14

Statement Date: February 15, 2024

CVE-2024-2193 Affected

Vendor Statement

We have not received a statement from the vendor.

Amazon: Unknown

Notified: 2024-01-22 Updated: 2024-03-14

CVE-2024-2193 Unknown

Vendor Statement

We have not received a statement from the vendor.

ARM Limited: Unknown

Notified: 2024-01-17 Updated: 2024-03-14

CVE-2024-2193 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell: Unknown

Notified: 2024-01-17 Updated: 2024-03-14

CVE-2024-2193 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google: Unknown

Notified: 2024-02-15 Updated: 2024-03-14

CVE-2024-2193 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM: Unknown

Notified: 2024-01-17 Updated: 2024-03-14

CVE-2024-2193 Unknown

Vendor Statement

We have not received a statement from the vendor.

Intel: Unknown

Notified: 2024-01-18 Updated: 2024-03-14

CVE-2024-2193 Unknown

Vendor Statement

We have not received a statement from the vendor.

Linux Kernel: Unknown

Notified: 2024-01-17 Updated: 2024-03-14

CVE-2024-2193 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xen: Unknown

Notified: 2024-02-07 Updated: 2024-03-14

CVE-2024-2193 Unknown

Vendor Statement

We have not received a statement from the vendor.


References

Other Information

CVE IDs: CVE-2024-2193
Date Public: 2024-03-14
Date First Published: