Editor’s Note: This story was updated on November 17 with a comment from Intel.
Security pros generally agree that teams should immediately patch the high-severity (8.8 CVSS) CPU bug that Intel released a fix for on Nov. 14.
Those worried about a mass case of “Blue Screen of Death” hitting cloud servers might be disappointed.
“While this CPU bug can devastate a multi-tenant environment by creating a DDoS situation, the reality is that through Intel pushing microcode updates, this vulnerability is easily mitigated,” said John Gallagher, vice president of Viakoo Labs. “Of course this is only true of organizations that keep their BIOS, OS, and drivers updated to the latest versions, but for multi-tenant data center environments this should be the norm.”
A spokesperson for Intel said while the chipmaker is not aware of any active attacks using this vulnerability, affected platforms have an available mitigation via a microcode update.
“Intel discovered this issue internally and was already preparing the ecosystem to release a mitigation through our well-documented Intel Platform Update process,” said the Intel spokesperson. “At the request of customers, including OEMs and cloud service providers, this process typically includes a validation, integration, and deployment window after Intel deems the patch meets production quality, and helps ensure that mitigations are available to all customers on all supported Intel platforms when the issue is publicly disclosed.”
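Since the mitigation ships as a microcode update, a practitioner will want to confirm that every core on a Linux host actually reports the new revision. The following is an added example, not code from the article, Intel or Google: it parses the text format of /proc/cpuinfo and compares each CPU signature against a minimum revision table. The (family, model, stepping) key and the revision in MIN_REVISION are placeholders; the real thresholds come from Intel's release notes for the fix.

```python
import re
from collections import defaultdict

# Placeholder table: (family, model, stepping) -> minimum microcode revision.
# The operator fills it from Intel's release notes for the fix; the value here
# is invented for illustration and is NOT a real threshold.
MIN_REVISION = {(6, 143, 8): 0x2b000500}

FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")

def parse_cpuinfo(text):
    """Return one dict per logical CPU from /proc/cpuinfo text."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates CPUs
            if cur:
                cpus.append(cur)
            cur = {}
            continue
        m = FIELD.match(line)
        if m:
            cur[m.group("key")] = m.group("val")
    if cur:
        cpus.append(cur)
    return cpus

def check_microcode(text, min_revision=MIN_REVISION):
    """Per CPU signature: are all cores at or above the minimum revision, and do
    they agree with each other (a mixed set suggests a partial microcode load)."""
    by_sig = defaultdict(set)
    for cpu in parse_cpuinfo(text):
        if cpu.get("vendor_id") != "GenuineIntel":
            continue
        sig = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        by_sig[sig].add(int(cpu["microcode"], 16))
    report = {}
    for sig, revs in by_sig.items():
        need = min_revision.get(sig)
        report[sig] = {"revisions": sorted(revs),
                       "uniform": len(revs) == 1,
                       "patched": need is not None and min(revs) >= need}
    return report

def constructed_cpuinfo(revisions):
    """Minimal /proc/cpuinfo-style text for the placeholder signature (constructed)."""
    return "\n".join("processor\t: %d\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
                     "model\t\t: 143\nstepping\t: 8\nmicrocode\t: 0x%x\n" % (n, rev)
                     for n, rev in enumerate(revisions))
```

On a real host, pass the contents of /proc/cpuinfo to check_microcode; a signature missing from MIN_REVISION is reported as not patched so that unknown hardware is never silently treated as safe.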
Richard Taylor, co-founder and CTO of Approov Mobile Security, said that while it’s possible that attackers could take down a series of cloud hosts, the attacker would need to get their code running on each core. Taylor added that he hopes affected cloud providers would have already patched prior to this disclosure.
“If this bug wasn't patchable then it would indeed be very bad,” said Taylor. “Overall, it’s more of a question of whether this can be exploited in a more controlled fashion to leak data via a privilege escalation. It sounds like that would require a much deeper understanding of the internals and what specifically is going wrong, but there have been cases in the past where this has been painstakingly reverse engineered just via observation, so it may be possible.”
"Reptar" flaw affects all modern Intel CPUs
The flaw, dubbed "Reptar," affects all modern Intel CPUs and was discovered by a team of Google researchers. The researchers said the flaw causes the chips to “enter a glitch state where the normal rules don’t apply.”
“We believe this bug causes the frontend to miscalculate the size of the "movsb" instruction, causing subsequent entries in the ROB (reorder buffer) to be associated with incorrect addresses,” wrote the Google researchers. When this happens, the CPU enters a confused state that causes the instruction pointer to be miscalculated.
The researchers went on to say that while the machine can eventually recover from this state, if they cause multiple cores to enter the state simultaneously, they could “cause enough microarchitectural state corruption to force a machine check.”
“I think what's most striking about this one is that it is an actual functional bug in the CPU, which is a surprisingly unusual occurrence,” said Approov’s Taylor. “This is impressive given the byzantine complexity of modern CPUs, especially CISC cores like x86. The good news is that it's fixed with a microcode update, but the fact that this is all implemented in microcode at all (a sort of private assembly language underneath the public assembly language) demonstrates how complicated it all is.”
Viakoo’s Gallagher said that side-channel attacks, in which more esoteric aspects of CPU architecture are exploited to create DDoS conditions like this one or to divulge memory contents, seem to be on the rise. As with software supply chain vulnerabilities, Gallagher said, the vast number of CPUs out there makes for a very attractive attack surface.
“Unlike software supply chain issues (or IoT security issues), fixing side-channel vulnerabilities is much easier because there have always been automated methods to update all aspects of CPU operations,” Gallagher noted.