A Speculative Race Condition (SRC) vulnerability affecting modern CPU architectures that support speculative execution has been discovered. CPUs that are vulnerable to Spectre v1 are likely affected. An unprivileged attacker who can run code on the affected system can exploit this vulnerability to disclose arbitrary data, using race conditions to reach speculatively executed code paths. The security researchers who found it have named this variant of Spectre v1 "GhostRace" for ease of communication.
Speculative execution is an optimization technique in which a CPU performs work preemptively, before it is known to be needed, to improve performance and make use of otherwise idle execution resources. Such speculative execution leaves traces of memory accesses and computations in the CPU's caches, buffers and branch predictors. Attackers can observe these traces and, in some cases, steer speculative execution paths with malicious software to infer privileged data belonging to a different execution context. Attackers exploiting Spectre v1 take advantage of the speculative execution of conditional branch instructions used for memory-access bounds checks. These attacks are discussed in some detail in the article Spectre Side Channels at kernel.org. Earlier research did not consider speculative execution attacks that proceed through race conditions. Race conditions, generally classed as concurrency bugs, occur when two or more threads access the same shared resource without proper synchronization; an attacker who can win such a race can make the system perform actions it would not otherwise perform. This recent research explores a speculative race condition attack against the speculative execution facility of modern CPUs.
In its characteristics and exploitation strategy, an SRC vulnerability resembles a classic race condition. It differs in that the attacker exploits the race on a transiently executed path originating from a mis-speculated branch (as in Spectre v1), targeting a racy code snippet, or gadget, that ultimately discloses information to the attacker. Another major difference is that, while classic race conditions are relatively infrequent in production code bases, speculative race conditions can be pervasive: common synchronization primitives all exhibit no-op-like behavior on a transiently executed path, because lock acquisition is implemented as a conditional branch (typically a compare-and-swap loop) that the branch predictor can resolve as "acquired" while another thread still holds the lock. Any critical region in victim software can therefore be entered speculatively without the lock being held, and so becomes a potential gadget. In practice, whether a particular critical region is actually exploitable depends on the characteristics of the resulting race condition, much as with the exploitation of a classic race condition.
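As an added illustration of the point above (example code written for this note, not the researchers' or any vendor's), the following C shows a minimal test-and-set spinlock whose acquire loop is exactly the kind of conditional branch that can be mis-speculated, a check-then-use critical region of the shape an SRC gadget has, and the same lock with a serializing barrier placed after acquisition. The spinlock, `struct shared`, `ITERS` and the portable `speculation_barrier` wrapper are assumptions of the example; the barrier-after-acquire placement applies the usual Spectre v1 approach of serializing after the mis-predictable branch to the lock itself, and is shown as a pattern rather than as any vendor's published fix. The runnable part only confirms the architectural behaviour; the transient path cannot be observed without a cache-timing probe, which is deliberately left out.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Serializing barrier: lfence on x86, dsb+isb on AArch64 (assumed portable
 * stand-in). The fallback is a compiler fence only and is NOT a mitigation. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#elif defined(__aarch64__)
    __asm__ volatile("dsb sy\n\tisb" ::: "memory");
#else
    atomic_signal_fence(memory_order_seq_cst);
#endif
}

/* Illustrative test-and-set spinlock (an assumption of this example). */
typedef struct { atomic_int locked; } spinlock_t;

/* Architecturally the loop exits only once the CAS succeeds. But the while()
 * is a conditional branch, so a transient path can be predicted straight
 * through it as though the lock were taken while another thread still holds
 * it: the "no-op-like" behaviour described above. With fenced set, the
 * barrier keeps everything after it from executing until the CAS resolves, so
 * a mis-predicted acquire cannot transiently enter the critical region. */
static void spin_lock(spinlock_t *l, bool fenced)
{
    int expected = 0;
    while (!atomic_compare_exchange_weak_explicit(&l->locked, &expected, 1,
                    memory_order_acquire, memory_order_relaxed))
        expected = 0;            /* a failed weak CAS overwrites expected */
    if (fenced)
        speculation_barrier();
}

static void spin_unlock(spinlock_t *l)
{
    atomic_store_explicit(&l->locked, 0, memory_order_release);
}

/* Check-then-use critical region of the shape GhostRace targets. With the lock
 * honoured the NULL check is sound; on a transient path through the unfenced
 * lock, reader_use can run while releaser_free holds the lock and has already
 * freed *data: a speculative use-after-free whose loaded value can be
 * observed through the cache. */
struct shared { spinlock_t lock; bool fenced; int *data; long counter; };

static int reader_use(struct shared *s)
{
    int used = 0;
    spin_lock(&s->lock, s->fenced);
    if (s->data != NULL) { s->counter += *s->data; used = 1; }
    spin_unlock(&s->lock);
    return used;
}

static void releaser_free(struct shared *s)
{
    spin_lock(&s->lock, s->fenced);
    free(s->data);
    s->data = NULL;
    spin_unlock(&s->lock);
}

/* Architectural checks only: two threads contend on the lock (correct total is
 * 2*ITERS) and the NULL check skips the access after the free. Neither can
 * observe the transient path; that needs a cache-timing probe, omitted here. */
#define ITERS 100000

static void *worker(void *p)
{
    struct shared *s = p;
    for (int i = 0; i < ITERS; i++) {
        spin_lock(&s->lock, s->fenced);
        s->counter++;
        spin_unlock(&s->lock);
    }
    return NULL;
}

long run_contended(bool fenced)
{
    struct shared s = { .fenced = fenced, .data = NULL, .counter = 0 };
    pthread_t t[2];
    atomic_init(&s.lock.locked, 0);
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, worker, &s);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    return s.counter;
}

int run_check_then_use(bool fenced)
{
    struct shared s = { .fenced = fenced, .data = malloc(sizeof(int)), .counter = 0 };
    atomic_init(&s.lock.locked, 0);
    if (s.data == NULL) return 0;
    *s.data = 7;
    int before = reader_use(&s);   /* data present: returns 1, counter becomes 7 */
    releaser_free(&s);
    int after = reader_use(&s);    /* data NULL: returns 0, access skipped */
    return before == 1 && after == 0 && s.counter == 7;
}
```

Build with a C11 compiler and pthreads (for example `cc -std=gnu11 -pthread`). The fenced variant pays a serializing instruction on every acquire, which is why the practical question for a vendor is where to place the barrier (every lock site, or only regions whose contents can act as a disclosure gadget) rather than whether the barrier works.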
An attacker with access to CPU resources, that is, one able to execute code on the affected system, may be able to read arbitrary privileged data or system registry values by exploiting such a race condition, termed a speculative race condition.
Update your software according to the recommendations of the respective vendors, applying the latest available mitigations for this vulnerability and its variants.
Thanks to Hany Ragab and Cristiano Giuffrida from the VUSec group at VU Amsterdam and Andrea Mambretti and Anil Kurmus from IBM Research Europe, Zurich for discovering and reporting this vulnerability, as well as supporting coordinated disclosure. This document was written by Dr. Elke Drennan, CISSP.
Vendor status for CVE-2024-2193 (11 vendors notified):

| Vendor | Status | Notified | Updated | Statement date | Vendor statement |
|---|---|---|---|---|---|
| AMD | Affected | 2024-01-17 | 2024-03-14 | 2024-03-01 | AMD recommends following previously published guidance regarding Spectre type attacks (refer to the link in the reference section below). AMD believes the previous guidance remains applicable to mitigate this vulnerability. |
| | Affected | 2024-02-22 | 2024-03-14 | 2024-02-22 | We have not received a statement from the vendor. |
| | Affected | 2024-01-30 | 2024-03-14 | 2024-02-15 | We have not received a statement from the vendor. |
| | Unknown | 2024-01-22 | 2024-03-14 | | We have not received a statement from the vendor. |
| | Unknown | 2024-01-17 | 2024-03-14 | | We have not received a statement from the vendor. |
| | Unknown | 2024-01-17 | 2024-03-14 | | We have not received a statement from the vendor. |
| | Unknown | 2024-02-15 | 2024-03-14 | | We have not received a statement from the vendor. |
| | Unknown | 2024-01-17 | 2024-03-14 | | We have not received a statement from the vendor. |
| | Unknown | 2024-01-18 | 2024-03-14 | | We have not received a statement from the vendor. |
| | Unknown | 2024-01-17 | 2024-03-14 | | We have not received a statement from the vendor. |
| | Unknown | 2024-02-07 | 2024-03-14 | | We have not received a statement from the vendor. |
CVE IDs: CVE-2024-2193
Date Public: 2024-03-14
Date First Published:
References:
- kb.cert.org/vuls/id/180049
- vuls.cert.org/confluence/display/Wiki/Vulnerabilities+Associated+with+CPU+Speculative+Execution
- www.commerce.senate.gov/2018/7/complex-cybersecurity-vulnerabilities-lessons-learned-from-spectre-and-meltdown
- www.economist.com/business/2018/01/11/spectre-and-meltdown-prompt-tech-industry-soul-searching