Reptar vulnerability affecting Intel processors

Lord777

Tavis Ormandy, a security researcher at Google, has identified a new vulnerability (CVE-2023-23583) in Intel processors, codenamed Reptar, which is mainly dangerous for cloud systems running virtual machines of different users. The vulnerability can cause the system to freeze or crash when performing certain operations on unprivileged guest systems. To test your systems, a utility has been published that creates conditions for vulnerability detection.

Theoretically, the vulnerability could be used to escalate privileges from protection ring 3 to ring 0 (CPL0) and to escape isolated environments, but this scenario has not yet been confirmed in practice because of the difficulty of debugging at the microarchitectural level. An internal audit at Intel also found that the vulnerability could potentially be exploited to elevate privileges under certain conditions.

According to the researcher, the vulnerability is present in the Intel Ice Lake, Rocket Lake, Tiger Lake, Raptor Lake, Alder Lake and Sapphire Rapids processor families. The Intel report mentions that the problem occurs starting with the 10th generation (Ice Lake) of Intel Core processors and the third generation Xeon Scalable, as well as in Xeon E/D/W processors (Ice Lake, Skylake, Haswell, Broadwell, Skylake, Sapphire Rapids, Emerald Rapids, Cascade Lake, Cooper Lake, Comet Rocket Lake) and Atom (Apollo Lake, Jasper Lake, Arizona Beach, Alder Lake, Parker Ridge, Snow Ridge, Elkhart Lake, and Denverton). The vulnerability in question was fixed in yesterday's microcode update 20231114.
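As an added example (not the researcher's published test utility and not part of the original post), a small Python check that parses /proc/cpuinfo and compares each core's loaded microcode revision against an administrator-supplied minimum. The sample input and the revision table are constructed placeholders: the per-model revisions shipped in the 20231114 release are not given here and must be filled in from Intel's release notes.

```python
import re

# Constructed sample of /proc/cpuinfo: two logical CPUs whose loaded microcode
# revisions differ, which is what a partially applied late load looks like.
SAMPLE_CPUINFO = """\
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 140
stepping : 1
microcode : 0xa6

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 140
stepping : 1
microcode : 0xa4
"""

# Placeholder: (family, model, stepping) -> first microcode revision carrying
# the 20231114 fix. Values are made up; fill them in from Intel's release notes.
MIN_MICROCODE = {(6, 140, 1): 0xa6}


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one {field: value} dict per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(map(str.strip, line.partition(":")[::2])
                      for line in block.splitlines() if ":" in line)
        if "processor" in fields:
            cpus.append(fields)
    return cpus


def check_microcode(cpus, minimums):
    """Give a per-CPU verdict and say whether all cores run one revision."""
    verdicts, revisions = [], set()
    for cpu in cpus:
        if cpu.get("vendor_id") != "GenuineIntel":
            verdicts.append((cpu["processor"], "not-intel"))
            continue
        key = tuple(int(cpu[k]) for k in ("cpu family", "model", "stepping"))
        loaded = int(cpu["microcode"], 16)  # kernel reports it as hex
        revisions.add(loaded)
        required = minimums.get(key)
        verdicts.append((cpu["processor"], "unknown-model" if required is None
                         else "patched" if loaded >= required else "needs-update"))
    return {"cpus": verdicts, "uniform": len(revisions) <= 1}
```

On a live host, read /proc/cpuinfo and pass its contents to parse_cpuinfo; a report with "uniform" false means a late microcode load did not reach every core and a reboot or re-apply is needed.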

The vulnerability is caused by the fact that executing a "REP MOVSB" instruction encoded with a redundant "REX" prefix leads to undefined behavior. The problem was identified while testing redundant prefixes, which in theory should be ignored but in practice produced strange effects, such as unconditional jumps being ignored and the pointer state saved by xsave and call instructions being corrupted. Further analysis showed that adding a superfluous prefix to the "REP MOVSB" instruction corrupts the contents of the ROB (ReOrder Buffer), the structure used to order instructions.

It is assumed that the error is caused by an incorrect calculation of the size of the "MOVSB" instruction when it carries an extra prefix, which corrupts the addressing of the instructions written to the ROB after MOVSB and offsets the instruction pointer. Such desynchronization may be limited to corrupting intermediate calculations, after which a consistent state is restored. However, if the failure is triggered on multiple cores or SMT threads at the same time, enough damage to the microarchitectural state can accumulate to force an emergency shutdown.