A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing prescriptive guidance to address this potential vulnerability.
Description: Non-transparent sharing of return predictor targets between contexts in some Intel® Processors may allow an authorized user to potentially enable information disclosure via local access.
CVSS Base Score: 5.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Root Cause Summary: Hardware structures shared across execution contexts (return predictor targets) can violate the expected architecture isolation between contexts.
Affected products: some Intel® Processors; consult the list of affected products linked from this advisory.
Intel documents indirect branch prediction target isolation properties as part of the Indirect Branch Restricted Speculation (IBRS) and Indirect Branch Predictor Barrier (IBPB) capabilities. On some processors, two cases have been identified that do not fully isolate targets used for RET prediction. In one case, the address following the most recent CALL before an IBPB may be used under certain circumstances as the predicted target of a RET executed after the barrier. Since an attacker will generally not control the last CALL instruction executed before the IBPB, Intel does not believe that any typical usage of IBPB will require mitigation for this issue.
In the second case, the address following the most recent CALL in guest mode before a VM exit event may be used under certain circumstances as the predicted target of a RET executed in the host. This may be true even when eIBRS is employed. Some VMM software may not be affected, or may already be executing an “RSB stuffing” sequence after VM exit. In other situations, Intel has worked with VMM vendors to create a software mitigation sequence to be used after VM exit where applicable. Intel recommends that users of affected Intel® Processors that run a Virtual Machine Manager (VMM) check with their VMM vendor to determine the status of the fix.
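As an added example (not code from this advisory or from Intel's paper), the two post-VM-exit software sequences mentioned above, the full "RSB stuffing" loop and the shorter one-CALL guard used when eIBRS is present, written as GCC inline assembly for x86-64 and modelled on the shape of the Linux kernel's mitigations. The function and label names are my own, and the 128-byte stack adjustment is an assumption needed only because this runs in user space, where the SysV red zone may be in use, rather than in a kernel built without a red zone.

```c
#include <stdint.h>
#if defined(__x86_64__) && defined(__GNUC__)
/* Read the architectural RSP to verify each sequence restores the stack. */
#define READ_RSP(v) __asm__ __volatile__("mov %%rsp, %0" : "=r"(v))

/* eIBRS case: one unbalanced CALL pushes a benign RSB entry (its target,
 * if ever mispredicted, is an INT3 trap), the pushed return address is
 * discarded, and LFENCE stops speculation running ahead of the guard. */
static void pbrsb_vmexit_guard(void)
{
    __asm__ __volatile__(
        "lea -128(%%rsp), %%rsp\n\t"   /* step below the SysV red zone */
        "call 1f\n\t"
        "int3\n\t"                     /* speculation trap, never executed */
        "1: add $8, %%rsp\n\t"         /* drop the pushed return address */
        "lfence; lea 128(%%rsp), %%rsp\n\t"
        ::: "memory", "cc");
}

/* Full RSB stuffing: 16 rounds of two nested unbalanced CALLs, each return
 * address parked behind a PAUSE/LFENCE/JMP trap, write 32 benign entries,
 * enough to cover the whole RSB so no guest-supplied target survives. */
static void rsb_stuff_32(void)
{
    __asm__ __volatile__(
        "lea -128(%%rsp), %%rsp\n\t"
        "mov $16, %%eax\n\t"
        "1: call 2f\n\t"
        "3: pause; lfence; jmp 3b\n\t" /* trap for the first pushed entry */
        "2: call 4f\n\t"
        "5: pause; lfence; jmp 5b\n\t" /* trap for the second pushed entry */
        "4: add $16, %%rsp\n\t"        /* discard both return addresses */
        "dec %%eax\n\t"
        "jnz 1b\n\t"
        "lfence\n\t"                   /* barrier for JNZ misprediction */
        "lea 128(%%rsp), %%rsp\n\t"
        ::: "rax", "memory", "cc");
}

/* 1 if both sequences ran and left RSP unchanged, 0 if not, -1 off x86-64. */
int pbrsb_sequences_balanced(void)
{
    uintptr_t before, mid, after;
    READ_RSP(before); pbrsb_vmexit_guard();
    READ_RSP(mid);    rsb_stuff_32();
    READ_RSP(after);
    return (before == mid && mid == after) ? 1 : 0;
}
#else
int pbrsb_sequences_balanced(void) { return -1; }
#endif
```

A VMM would place such a sequence on its VM-exit path before any RET executes in the host; the self-check here only confirms the unbalanced CALLs leave the architectural stack pointer intact.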
Please refer to Intel's technical paper on Post-barrier RSB predictions, linked from this advisory, for additional mitigation recommendations.
These issues were found internally by Intel employees. Intel would like to thank Pawan Kumar Gupta, Alyssa Milburn, Amit Peled, Shani Rehana, Nir Shildan and Ariel Sabba.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.