Also, Intel Confirms Stability Problems For Some CPUs Following Firmware Update
In a reversal, chipmaker AMD is now warning that its chips are susceptible to the speculative execution flaws in microprocessors known as Spectre.
The flaws were first announced publicly on Jan. 3 by Google Project Zero researchers, who last June shared vulnerability details with affected chipmakers Intel, AMD and ARM. “For a few Intel and AMD CPU models, we have exploits that work against real software,” the researchers reported.
But AMD last week responded: “Due to differences in AMD’s architecture, we believe there is a near zero risk to AMD processors at this time.”
On Thursday, however, AMD issued a statement saying that AMD processors are vulnerable to both variants of Spectre.
Two Attacks, Three Variants
What does that mean? Confusingly, Meltdown and Spectre refer to three connected attacks:
- Spectre: Refers to attack variant 1, a bounds check bypass (CVE-2017-5753), as well as variant 2, a branch target injection (CVE-2017-5715), which can be used to take advantage of CPU timing to read kernel memory;
- Meltdown: Refers to variant 3, which is a rogue data cache load (CVE-2017-5754) that can be used to read kernel memory.
For variant 1, AMD believes that the bounds check bypass flaw can be addressed by an operating system fix and says it’s been working with OS vendors to make this happen. “Microsoft is distributing patches for the majority of AMD systems now,” AMD says.
For variant 2, AMD says it will be releasing “microcode” – firmware – updates and is working with operating system vendors to issue OS patches which together should mitigate the flaw. “AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week,” it says. “We expect to make updates available for our previous generation products over the coming weeks.”
Users should obtain the updates from their OEMs and OS vendors, AMD says.
Finally, for variant 3, aka Meltdown, AMD says its chips do not appear to be susceptible “due to our use of privilege-level protections within paging architecture and no mitigation is required.”
Attack Variants and AMD’s Response
Linux, Windows Fixes Appear
Linux operating system vendors have already begun to patch their OS for AMD systems and updates for Microsoft Windows continue to get shipped, AMD says.
“We are also engaging closely with the Linux community on development of ‘return trampoline’ – Retpoline – software mitigations,” it says, referring to a Google-developed fix for variant 2.
AMD has also clarified that its Radeon GPU architecture does not use speculative execution and thus is not at risk from Meltdown or Spectre.
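Linux kernels that include the sysfs vulnerabilities interface report the state of each of the three variants as one status file per issue. The following is an added example, not code from the article, AMD or any vendor: it reads those files and lists the variants that still need an OS or microcode update. The function names are illustrative and the strings in `SAMPLE` are constructed, not captured from a real machine.

```python
from pathlib import Path

# Linux kernel interface: one status file per vulnerability.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
# sysfs file name -> CVE, matching the three variants listed in the article.
VARIANTS = {
    "spectre_v1": "CVE-2017-5753",  # variant 1, bounds check bypass
    "spectre_v2": "CVE-2017-5715",  # variant 2, branch target injection
    "meltdown": "CVE-2017-5754",    # variant 3, rogue data cache load
}
# Constructed sample (not captured output): OS patches applied, variant 2 still open.
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Not affected\n",
}

def read_statuses(base=SYSFS_DIR):
    """Read each variant's file; None marks a file the running kernel does not expose."""
    statuses = {}
    for name in VARIANTS:
        path = Path(base) / name
        statuses[name] = path.read_text() if path.is_file() else None
    return statuses

def classify(text):
    """Map one status string to (state, detail)."""
    if text is None:
        return ("unreported", "kernel lacks this sysfs file")
    text = text.strip()
    if text == "Not affected":
        return ("not_affected", "")
    if text.startswith("Mitigation:"):
        return ("mitigated", text.split(":", 1)[1].strip())
    if text.startswith("Vulnerable"):
        return ("vulnerable", text[len("Vulnerable"):].lstrip(": "))
    return ("unknown", text)

def needs_action(statuses):
    """Variants not confirmed mitigated or unaffected, sorted by file name."""
    states = {name: classify(statuses.get(name))[0] for name in VARIANTS}
    return sorted(n for n, s in states.items() if s not in ("mitigated", "not_affected"))

if __name__ == "__main__":
    live = read_statuses()
    # Fall back to the constructed sample when no status file is exposed (e.g. not on Linux).
    statuses = live if any(v is not None for v in live.values()) else SAMPLE
    for name, cve in VARIANTS.items():
        state, detail = classify(statuses.get(name))
        print(f"{cve} {name}: {state} {detail}".rstrip())
    print("needs action:", needs_action(statuses))
```

A missing file is treated as needing action because a kernel that predates the interface cannot confirm that any mitigation is in place.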
Variant 2 Fixes Causing Slowdowns
The fact that CPUs from AMD are vulnerable to variant 2, however, is not good news.
That’s because Microsoft has warned that operating system fixes to address Spectre are slowing down systems, especially with older chipsets. “In general, our experience is that variant 1 and variant 3 mitigations have minimal performance impact, while variant 2 remediation, including OS and microcode, has a performance impact,” Terry Myerson, executive vice president for Microsoft’s Windows and devices group, said in a Tuesday blog post (see Performance Hit: Meltdown and Spectre Patches Slow Systems).
“With Windows 8 and Windows 7 on older silicon” as well as all Windows Server installations, he said, “we expect most users to notice a decrease in system performance.”
Upcoming: Fixed Windows Updates for AMD
On Monday, Microsoft paused issuing security updates to systems with some older AMD chips after reports emerged that the Windows security fix, designed in part to mitigate the Meltdown and Spectre vulnerabilities, was leaving some systems unbootable (see Microsoft Pauses Windows Security Updates to AMD Devices).
On Thursday, AMD said the problem affects some older AMD processors – specifically its Opteron, Athlon and AMD Turion X2 Ultra families. It expects to see these patch incompatibilities get resolved and Microsoft to begin reissuing security updates to systems that use these chipsets by next week.
Intel: Patches Cause Some Problems
While AMD now says its chips must be updated to guard against Spectre, Intel still appears to be far more exposed to the flaws. Intel already faces multiple U.S. class action lawsuits filed over Meltdown and Spectre.
On Thursday, the Wall Street Journal reported that Intel has been quietly advising some of its customers to delay installing firmware patches, because the patches introduce new bugs that led to system instability.
Later that day, the head of Intel’s data center group, Navin Shenoy, confirmed the problems, which he said affect some older Intel CPUs – specifically, Broadwell and Haswell.
“We have received reports from a few customers of higher system reboots after applying firmware updates. Specifically, these systems are running CPUs for both client and data center,” Shenoy said in a blog post.
He says Intel is still investigating the problems. “If this requires a revised firmware update from Intel, we will distribute that update through the normal channels,” he says. “End users should continue to apply updates recommended by their system and operating system providers.”
Microsoft Windows is not the only operating system that has faced hiccups when attempting to get Meltdown and Spectre fixes in place. Some Ubuntu Linux users have also reported having problems with their x86 systems after installing a Meltdown update.
Vendors Still Investigating
Vendors that develop operating systems, hardware and applications built on the vulnerable chipsets are continuing to explore how exposed their products and services might be to Meltdown and Spectre. As yet, there’s no full picture.
Oracle shipped a fix for Oracle Linux on Jan. 9 that includes the kernel page-table isolation – previously known as Kaiser – fix for Meltdown. Oracle didn’t immediately respond to a request for comment about the status of its other products based on affected chipsets.
Fujitsu has released a list of affected products and when it plans to release updated BIOS – firmware – code. Fujitsu says it’s continuing to update the list and that many of its products, including SPARC servers, remain under investigation.
Other affected vendors include Cisco, Dell, IBM and Juniper, among others.