Security News > 2020 > March > AMD Downplays CPU Threat Opening Chips to Data Leak Attacks
AMD is seeking to downplay side-channel attacks that can leak potentially sensitive data from its processors released between 2011 and 2019.
AMD this weekend said it does not believe these are "new speculation-based attacks" and did not offer any mitigations: "We are aware of a new white paper that claims potential security exploits in AMD CPUs, whereby a malicious actor could manipulate a cache-related feature to potentially transmit user data in an unintended way," said AMD in a Saturday advisory.
In reverse engineering the L1D cache way predictor, researchers were able to detect when the data is accessed by various processes, and then use that knowledge to leak small pieces of data from the CPU. Researchers then created two subset attacks as part of "Take A Way" that took advantage of this process, which they dubbed "Collide+Probe" and "Load+Reload."
The "Take A Way" attack is similar to other side-channel attacks released in the past few years, starting with the disclosure of Spectre and Meltdown in 2018 and continuing with the discovery of a class of side-channel vulnerabilities called "ZombieLoad," which impacted all modern Intel chips and used speculative execution to potentially leak sensitive data from a system's CPU. On Twitter, Gruss said that the latest speculative execution attack is "certainly not" as severe as Meltdown or ZombieLoad. He told Threatpost that a plausible attack would come from an unprivileged local attacker.
In its advisory this weekend, AMD did not release new mitigations, instead pointing to other previously disclosed speculative execution attacks that leveraged L1D, and recommending that CPU users keep their operating systems up to date, follow secure coding methodologies and implement the latest patched versions of critical libraries.
News URL
https://threatpost.com/amd-downplays-cpu-threat-opening-chips-to-data-leak-attacks/153516/