Anyone still considering whether to update to 64-bit Linux kernels (opens in new tab) now has another big motivation after it was revealed 32-bit editions won’t be getting a major security fix.
Intel’s Pawan Gupta recently took to the lore.kernel.org mailing list to answer customer questions, one of which concerned the fix to Retbleed for 32-bit OS’.
"Intel is not aware of production environments that use 32-bit mode on Skylake-gen CPUs. So this should not be a concern.” Intel’s Peter Zijlstra chimed in to add: "Yeah, so far nobody cared to fix 32-bit. If someone *realllllly* cares and wants to put the effort in I suppose I'll review the patches, but seriously, you shouldn't be running 32-bit kernels on Skylake / Zen based systems, that's just silly."
Retbleed is the latest speculative execution attack, and a variant of the dreaded Spectre vulnerability that was discovered back in 2018. It is tracked as CVE-2022-29900 and CVE-2022-29901, and has already been fixed for the 64-bit versions.
Earlier this month, two researchers from ETH Zurich discovered it allows abusers access to kernel memory, and given the nature of the flaw, fixing it also means slowing the chips down. “When computers execute special calculation steps to compute faster, they leave traces that hackers could abuse,” the researchers said.
These traces can be exploited, the researchers further found, giving threat actors unauthorized access to any information in the target endpoint (opens in new tab), which includes encryption keys, passwords, and other secrets.
> Here's another good reason never to use cracked software (opens in new tab)
> Linux kernel team has conquered Retbleed, Torvalds says (opens in new tab)
> Keep your devices safe with the best antivirus solutions right now (opens in new tab)
The flaw is particularly risky in cloud environments, the researchers further said, where multiple companies share the same systems. In other words, one vulnerability could expose the secrets of multiple companies.
The National Center for Cyber Security in Bern, Switzerland considers the vulnerability serious because the affected processors are in use worldwide, the researchers sad.
- Looking for penguin-powered computing? We have the best Linux laptops (opens in new tab) lined up right here
Via: Tom's Hardware (opens in new tab)