Ethical Hacking News

Intel's Spectre Vulnerabilities: A Persistent Threat to Data Security


Intel has been hit by yet another Spectre-class vulnerability: researchers at ETH Zurich have found a way to mount Spectre v2 attacks despite the hardware defenses Intel added to stop them. The finding underlines the persistent threat posed by this family of flaws, which break the security isolation between software running on the same processor.

  • Researchers at ETH Zurich identified a class of security vulnerabilities called Branch Predictor Race Conditions (BPRC) that can be exploited to get around Intel's defenses against Spectre.
  • Spectre is a set of hardware-level processor vulnerabilities that can be used to break the security isolation between software by exploiting speculative execution and branch prediction.
  • A new Spectre v2 attack vector, dubbed Branch Privilege Injection (BPI), allows unprivileged code to inject branch predictions misclassified as kernel-level, enabling malicious programs to extract secrets from the kernel and other running applications.
  • BPI is a new way of mounting Spectre v2 (also known as Branch Target Injection), the variant in which an attacker manipulates indirect branch predictions across privilege modes to make the victim speculatively read arbitrary memory; it works even on processors with Enhanced IBRS (eIBRS) enabled.
  • Intel has assigned CVE-2024-45332 and released a microcode update. According to the researchers, all Intel x86 chips from the 9th generation (Coffee Lake Refresh) onward are affected, and some impact was also observed going back to 7th-generation (Kaby Lake) parts.



  • Researchers at ETH Zurich in Switzerland, Sandro Rüegge, Johannes Wikner, and Kaveh Razavi, have identified a class of security vulnerabilities they call Branch Predictor Race Conditions (BPRC), which can be exploited to get around Intel's defenses against Spectre, the family of data-leaking flaws in Intel's processor designs. The work shows that those flaws remain a live threat seven years after their disclosure.

    Spectre refers to a set of hardware-level processor vulnerabilities disclosed in 2018 that break the security isolation between software. They abuse speculative execution, a performance optimization in which the CPU guesses which way a branch will go (branch prediction) and executes down that path before the outcome is known. If the guess was wrong the results are discarded, but the side effects of the speculative work on microarchitectural state such as the cache remain and can be measured, which is how the secret leaks. In practice, this means that malware running on a machine, or a rogue logged-in user, can abuse Spectre flaws within vulnerable Intel processors to snoop on and steal data – such as passwords, keys, and other secrets – from other running programs or even from the kernel, the heart of the operating system itself.

    The researchers found that branch predictors on Intel processors are updated asynchronously inside the processor pipeline rather than in lockstep with the instructions that trained them. That opens a race window. If the processor switches privilege level, for example from user to kernel mode, while a branch predictor update is still in flight, the update can land after the switch and be tagged with the new, higher privilege level. A prediction that user code trained thus ends up looking, to the predictor, as though the kernel had made it, and Intel's privilege-based separation of predictions no longer applies to it.

    Building on this, the researchers crafted a new Spectre v2 attack vector, dubbed Branch Privilege Injection (BPI), which allows unprivileged code to inject branch predictions misclassified as kernel-level. Spectre v2, also known as Branch Target Injection, is the variant in which an attacker manipulates indirect branch predictions across different privilege modes so that the victim speculatively jumps to attacker-chosen code and reads arbitrary memory. Intel's eIBRS mitigation was supposed to stop Spectre v2 by keeping user-mode training from steering kernel-mode indirect branches; because BPI-injected predictions already carry a kernel tag, eIBRS does not filter them, and the classical Spectre v2 attack works again. The result is that a malicious program can extract secrets from the kernel and from other running applications.

    Intel has added various hardware-based defenses against these sorts of attacks over the years, including Indirect Branch Restricted Speculation (IBRS) and its enhanced form (eIBRS), which restrict indirect branch target prediction so that less-privileged code cannot train predictions used by more-privileged code; the Indirect Branch Predictor Barrier (IBPB), a barrier that prevents code executed before it from influencing predictions of indirect branches executed after it; and other microarchitectural speculation controls. However, the researchers found that BPI lets an attacker in user mode inject branch predictions tagged with elevated privileges, which bypasses the security guarantees of both eIBRS and IBPB.

    Intel has assigned the flaw CVE-2024-45332 and released a microcode update to address it; the chipmaker's advisory refers to the issue as Indirect Branch Predictor Delayed Updates. According to the researchers, all Intel x86 chips since the 9th generation (Coffee Lake Refresh) are affected, and they have seen some impact going back to 7th-generation (Kaby Lake) processors.

    In a statement, Intel said: "Intel appreciates the work done by ETH Zurich on this research and collaboration on coordinated public disclosure. Intel is strengthening its Spectre v2 hardware mitigations and recommends customers contact their system manufacturer for the appropriate update. To date, Intel is not aware of any real-world exploits of transient execution vulnerabilities."
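    As an added check for operators (not code from the article, from Intel, or from the ETH Zurich research), the POSIX shell script below reads the two facts a Linux administrator needs when acting on the advice above: the Spectre v2 mitigation the kernel reports and the microcode revision currently loaded. The sysfs and procfs paths are the standard ones, and the status strings it recognizes ("Not affected", "Vulnerable", "Mitigation: ...") are the kernel's documented format. The script deliberately hardcodes no microcode revision numbers, since the fixed revision differs per CPU model: compare the reported value against your system manufacturer's advisory for CVE-2024-45332. The spectre_v2 line only tells you which mitigation the kernel selected (for example that it relies on eIBRS, the control BPI was shown to bypass); it does not by itself tell you whether the BPI microcode fix is present. The sample cpuinfo text in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the article or the ETH Zurich research): summarize
# the kernel's Spectre v2 mitigation state and the loaded microcode revision.

SYSFS_SPECTRE_V2=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# Print the kernel's spectre_v2 line, or "unknown" if sysfs is unavailable.
spectre_v2_status() {
    if [ -r "$SYSFS_SPECTRE_V2" ]; then
        cat "$SYSFS_SPECTRE_V2"
    else
        echo "unknown"
    fi
}

# Classify one spectre_v2 line into: not-affected | mitigated | vulnerable | unknown.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Return 0 if the line shows the kernel relying on Enhanced/Automatic IBRS,
# the hardware control that BPI was shown to get around.
uses_eibrs() {
    case "$1" in
        *"Enhanced"*|*"Automatic IBRS"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if an IBPB policy is listed in the line (e.g. "IBPB: conditional").
lists_ibpb() {
    case "$1" in
        *"IBPB:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read /proc/cpuinfo-style text on stdin and print the microcode field of the
# first processor entry, e.g. "0xf6" from the constructed line
# "microcode<TAB>: 0xf6"; print "unknown" if the field is absent.
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; found = 1; exit }
                END { if (!found) print "unknown" }'
}

# Same idea for vendor_id, so Intel hosts can be singled out for review.
cpu_vendor() {
    awk -F': ' '/^vendor_id/ { print $2; found = 1; exit }
                END { if (!found) print "unknown" }'
}

# Report for the running host. Only runs when invoked with --report, so the
# functions above can be sourced and exercised without touching the live system.
report() {
    line=$(spectre_v2_status)
    vendor=$(cpu_vendor < /proc/cpuinfo)
    rev=$(microcode_rev < /proc/cpuinfo)
    echo "vendor:     $vendor"
    echo "microcode:  $rev   (compare with your manufacturer's advisory for CVE-2024-45332)"
    echo "spectre_v2: $line"
    echo "status:     $(classify_spectre_v2 "$line")"
    if uses_eibrs "$line"; then
        echo "note:       kernel relies on eIBRS, which BPI bypasses on unpatched microcode"
    fi
    if ! lists_ibpb "$line"; then
        echo "note:       no IBPB policy reported in the spectre_v2 line"
    fi
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

    Run it as `sh spectre_check.sh --report` on the host. A "mitigated" status with "Enhanced / Automatic IBRS" in the line is exactly the configuration the article says BPI defeats unless the microcode update is in place, which is why the microcode revision is printed next to it.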

    In conclusion, the discovery of Branch Predictor Race Conditions (BPRC) by researchers at ETH Zurich shows that Spectre remains a persistent threat in Intel's processor designs: because branch predictor updates are applied asynchronously, user-mode code can smuggle predictions past the privilege separation that eIBRS and IBPB were meant to enforce, and the classical Spectre v2 attack comes back. The practical takeaway for anyone running affected Intel systems is to obtain the CVE-2024-45332 microcode update through their system manufacturer or operating system vendor and confirm it is actually loaded.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Intels-Spectre-Vulnerabilities-A-Persistent-Threat-to-Data-Security-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/05/13/intel_spectre_race_condition/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-45332

  • https://www.cvedetails.com/cve/CVE-2024-45332/


  • Published: Tue May 13 16:53:07 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.