Intel has fixed a high-severity flaw found in most of today’s CPUs which could have been used to crash endpoints and escalate privileges on cloud devices.
While Intel does this on a daily basis, this time it’s different. That’s because this time, the flaw made the CPU “enter a state where normal rules don’t apply”. The CPU would glitch out entirely, and the benchmark would give results that simply shouldn’t be possible.
The researcher who first discovered and reported on the flaw, Google’s Travis Ormandy, called it a “CPU mystery”. The flaw is now dubbed Reptar, and can be tracked as CVE-2023-23583.
Security implications
In a blog post in which he detailed the flaw, Ormandy said the bug was found when the CPU tries to manage prefixes. In a gross oversimplification of things, when a programmer wants to move memory on x86, they create an instruction. When they want to change how the instruction works, they use prefixes.
Some prefixes don’t make sense in a given context, and Intel built their CPUs to ignore them without consequence. However, last summer, Ormandy observed the REX prefix generating “unexpected results”, when running on CPUs with a relatively new feature known as “fast short repeat move”. This feature was first added in the Ice Lake architecture, to fix microcoding bottlenecks, ArsTechnica reported.
When a redundant rex.r prefix was added to the FSRM-optimized rep mov operation, here’s what happens: “For example, branches to unexpected locations, unconditional branches being ignored and the processor no longer accurately recording the instruction pointer in xsave or call instructions,” Ormandy wrote. “Oddly, when trying to understand what was happening we would see a debugger reporting impossible states!”
But the real red flag was waved when the researchers verified the bug inside an unprivileged guest VM, “so this already has serious security implications for cloud providers”.
Intel said that it was already aware of a “functional bug” in older CPU platforms, and with a severity score of 5/10, gave itself a March deadline to fix the issue. However, with these new findings concluding that the bug could be used for escalation of privilege, the flaw got an updated severity score of 8.8, forcing Intel to push the update sooner.
The full list of affected CPUs can be found here.
