New Retbleed speculative execution CPU attack bypasses Retpoline fixes
Security News, July 2022
Security researchers have discovered a new speculative execution attack called Retbleed that affects processors from both Intel and AMD and could be used to extract sensitive information.
Retpoline was released as a software-based solution that mitigates speculative execution attacks by using return operations to isolate indirect branches.
Researchers at ETH Zurich found a way to force the prediction of return operations, just as with indirect branches, and to inject branch targets into the kernel address space regardless of the user's privileges.
Even though we cannot access branch targets inside the kernel address space (branching to such a target results in a page fault), the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it's to a kernel address.
The researchers further explain in a technical paper on Retbleed that, using a precise branch history on Intel CPUs, it is possible to hijack all return instructions that "Follow sufficiently-deep call stacks."
Intel has released a security advisory recommending the use of Indirect Branch Restricted Speculation (IBRS) instead of retpoline.
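Because the advisory's point is that retpoline alone no longer covers the return-instruction case, the practical question for an administrator is what the running kernel reports. The following script is an added example, not code from the article or from the Retbleed researchers: it reads the Linux sysfs entries `spectre_v2` and `retbleed` under `/sys/devices/system/cpu/vulnerabilities/` (the status strings shown in the comments are the kernel's real formats, but the exact wording varies by kernel version) and flags the combination of an active retpoline mitigation with an unmitigated `retbleed` entry. The `VULN_DIR` override is an assumption added so the functions can be run against a constructed copy of those files.

```shell
#!/bin/sh
# Added example (not from the article): summarise the kernel's Retbleed and
# Spectre v2 mitigation status from sysfs. Assumes a Linux kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/; older kernels lack the retbleed entry.

# Directory to read. Overridable so the checks can run against a constructed
# copy of the sysfs files (the override itself is an assumption of this example).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# read_status FILE -> prints the status string, or "absent" when the kernel
# does not provide that entry at all.
read_status() {
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo "absent"
    fi
}

# classify_retbleed DIR -> prints one of:
#   mitigated   kernel reports "Mitigation: ..." for retbleed
#   vulnerable  kernel reports "Vulnerable" or "Vulnerable: ..." (no effective mitigation)
#   unaffected  kernel reports "Not affected"
#   unknown     no retbleed entry, or a status string this script does not recognise
classify_retbleed() {
    rb_status=$(read_status "$1/retbleed")
    case "$rb_status" in
        absent)          echo "unknown" ;;
        "Not affected")  echo "unaffected" ;;
        Mitigation:*)    echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# retpoline_only DIR -> exit 0 when spectre_v2 names retpoline as the mitigation
# while retbleed is still reported vulnerable, i.e. the gap the article describes.
retpoline_only() {
    v2_status=$(read_status "$1/spectre_v2")
    rb_class=$(classify_retbleed "$1")
    case "$v2_status" in
        *Retpoline*) [ "$rb_class" = "vulnerable" ] ;;
        *)           return 1 ;;
    esac
}

# report -> human-readable summary for the configured directory.
report() {
    printf 'spectre_v2: %s\n' "$(read_status "$VULN_DIR/spectre_v2")"
    printf 'retbleed:   %s\n' "$(read_status "$VULN_DIR/retbleed")"
    printf 'assessment: %s\n' "$(classify_retbleed "$VULN_DIR")"
    if retpoline_only "$VULN_DIR"; then
        echo "retpoline is active but retbleed is unmitigated: review IBRS/eIBRS options and kernel updates"
    fi
}

# Print the report only when the sysfs directory (or its override) exists.
if [ -d "$VULN_DIR" ]; then
    report
fi
```

Run it as-is on a Linux host to see the kernel's own view; a `Mitigation:` line for `retbleed` means the kernel has applied one of its Retbleed mitigations (on Intel this is typically IBRS or enhanced IBRS, matching the advisory's recommendation), whereas `Vulnerable` alongside a retpoline-based `spectre_v2` line is exactly the configuration the article says is no longer sufficient.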