AMD warns worrying new Spectre, Meltdown-esque flaw could affect top CPUs - here's what we know

News
By published

Four low-level flaws can be chained together, AMD warns

Meltdown and Spectre
(Image credit: Shutterstock)
  • AMD finds four flaws, separately low in severity, but powerful when combined
  • Together, they can be abused in information disclosure attacks
  • The list of affected devices is rather extensive, so be on your guard

AMD has discovered several security vulnerabilities affecting many of its chips can be chained together to create a concerning hack which could result in information disclosure.

The four vulnerabilities are tracked as CVE-2024-36349 (3.8), CVE-2024-36348 (3.8), CVE-2024-36357 (5.6), and CVE-2024-36350 (5.6). Together, they can be used in a so-called Transient Scheduler Attack (TSA), a side-channel, or timing-based attack that likely exploits transient scheduling decisions made by the CPU scheduler to leak information.

Since this is a side-channel attack that results in information disclosure, it is similar to the infamous Meltdown and Spectre flaws which dominated the security scene for months.

Updating the systems

Separately, the vulnerabilities were given relatively low severity scores, since the devices need to be compromised in advance, either by physical presence, or through malware, before they can be leveraged.

Furthermore, the TSA would need to be executed many times before any meaningful data could be extracted.

Here is how a theoretical attack would occur: A CPU expects load instructions to complete rather quickly. However, if there is a condition that prevents them from doing so, a “false completion” happens. Since the load didn’t complete, the data from the load is forwarded to dependent operations, affecting the timing of the instructions the CPU executes - something the attackers can observe.

The worst-case scenario is AMD chips leaking OS kernel information - but other applications or VMs could leak data as well.

A patch is already available, and AMD advised system admins to update to the latest Windows versions as soon as possible.

Those who are unable to install the patch quickly can implement a workaround involving a VERW instruction, but AMD has advised against it since it could reduce the performance of the system. In any case, the details about the mitigation can be found here.

The full list of all affected chips, including EPYC, Ryzen, Instinct, Ahtlon, and others, can be found in AMD’s advisory.

Via The Register

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.