ÆPIC Leak is an Architectural CPU Bug Affecting 10th, 11th, and 12th Gen Intel Core Processors

[AleksandarK]

The x86 CPU family has been vulnerable to many attacks in recent years. With the arrival of Spectre and Meltdown, we have seen side-channel attacks overtake both AMD and Intel designs. However, today we find out that researchers are capable of exploiting Intel's latest 10th, 11th, and 12th generation Core processors with a new CPU bug called ÆPIC Leak. Named after Advanced Programmable Interrupt Controller (APIC) that handles interrupt requests to regulate multiprocessing, the leak is claimeing to be the first "CPU bug able to architecturally disclose sensitive data." Researchers Pietro Borrello (Sapienza University of Rome), Andreas Kogler (Graz Institute of Technology), Martin Schwarzl (Graz), Moritz Lipp (Amazon Web Services), Daniel Gruss (Graz University of Technology), and Michael Schwarz (CISPA Helmholtz Center for Information Security) discovered this flaw in Intel processors.

ÆPIC Leak is the first CPU bug able to architecturally disclose sensitive data. It leverages a vulnerability in recent Intel CPUs to leak secrets from the processor itself: on most 10th, 11th and 12th generation Intel CPUs the APIC MMIO undefined range incorrectly returns stale data from the cache hierarchy. In contrast to transient execution attacks like Meltdown and Spectre, ÆPIC Leak is an architectural bug: the sensitive data gets directly disclosed without relying on any (noisy) side channel. ÆPIC Leak is like an uninitialized memory read in the CPU itself.

A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.

You can try out the vulnerability as it's demonstration has been open-sourced by Graz Institute of Technology here. Currently, we have no information about the patch, but Intel has been made aware in December of 2021. Carrying a CVE tag CVE-2022-21233, the vulnerability can be avoided by disabling APIC MMIO or avoiding SGX.

View at TechPowerUp Main Site | Source

 

[Chaitanya]

Would be interesting to see how much performance is affected by mitigations.

 

[xorbe]

Would be interesting to see how much performance is affected by mitigations.

Phoronix generally covers this wrt Linux.

 

[Vayra86]

Bethesda Inside

 

[Nanochip]

Ouch. AMD also disclosed a vulnerability in its CPUs.

AMD today made public CVE-2021-46778 that university researchers have dubbed the "SQUIP" attack as a side channel vulnerability affecting the execution unit scheduler across Zen 1/2/3 processors.

Researchers discovered that execution unit scheduler contention could lead to a side channel vulnerability on AMD Zen 1, Zen 2, and Zen 3 processors -- across all Ryzen / Threadripper / EPYC generations to this point. This side-channel vulnerability exists only when SMT is active and relies on measuring the contention level of scheduler queues in order to leak sensitive information.

 

[TheoneandonlyMrK]

Ouch. AMD also disclosed a vulnerability in its CPUs.

AMD today made public CVE-2021-46778 that university researchers have dubbed the "SQUIP" attack as a side channel vulnerability affecting the execution unit scheduler across Zen 1/2/3 processors.

Researchers discovered that execution unit scheduler contention could lead to a side channel vulnerability on AMD Zen 1, Zen 2, and Zen 3 processors -- across all Ryzen / Threadripper / EPYC generations to this point. This side-channel vulnerability exists only when SMT is active and relies on measuring the contention level of scheduler queues in order to leak sensitive information.

Intel shareholder per chance.

That's been patched and came out in 2021.

 

[Crackong]

Ouch. AMD also disclosed a vulnerability in its CPUs.

It is quite funny to see someone's first reaction to a problem was 'Hey that other guy also had problems, look at him' instead of actually facing the problem.

 

[Verpal]

A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.

Wait, so not even cloud provider need to patch this?

Who exactly relies only on SGX to protect data out there?

 

[Assimilator]

Like most of these cleverly-named vulnerabilities, this one is mostly a non-issue. The only people who need to be worried are those who are running multiple clients on a single server (i.e. cloud) and guess what... if they're in any way competent, they aren't running anything as admin/root. If they're not competent, then they deserve whatever pain they get and they should fix their setup.

 

[Jimmy_]

 

[ncrs]

Like most of these cleverly-named vulnerabilities, this one is mostly a non-issue.

You're running a web browser with untrusted code execution, which is basically just surfing the web. The protections slapped onto the JavaScript engines after Meltdown/Spectre were found to be insufficient. Security is always a game of risk, and even though side channel attacks aren't prevalent yet, it doesn't mean that they won't be forever.

The only people who need to be worried are those who are running multiple clients on a single server (i.e. cloud) and guess what... if they're in any way competent, they aren't running anything as admin/root. If they're not competent, then they deserve whatever pain they get and they should fix their setup.

You're forgetting that in a cloud/shared server setting your clients are running as admin/root in the VMs/partitions you give them. Since virtualization on x86 is a big hack that means they are able to perform some of those attacks from the VM.
Surely Intel/AMD has competent engineers that think about every scenario when designing the mitigations? Well... that's not true, and Intel had to provide additional patches exactly for the VM scenario, because the built-in hardware mitigation in Alder Lake+ was found to be lacking.

 

[phanbuey]

"A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched."

To the average user this means literally nothing.

It's like saying... "A burglar who is already in your house, might be able to overhear a sensitive conversation through one of the inner walls because it's too thin."

 

[ExcuseMeWtf]

So basically another attack that most of us don't need to worry about?

 

[bonehead123]

if they're in any way competent, they aren't running anything as admin/root

Yep, and herein lies the REAL problem, as a lot of IT departments today are manned by 1st time rookies and/or amateurs with little to no hands on experience, who were hired in at just above minimum wage and have neither the competence nor the ability/desire to actually do any REAL work, aside from sittin on their collective duffs playing on their phones, and pick up their paychecks on payday... yea they can help you reset your password or ask the holier than thou question of "did you try restarting your computer"... but beyond that it takes them a long time to figure out how to solve everyday issues, cause they have to "look into it".. ie search google for a fix !

On the other end are the "IT Managers" or "SVP of Technology & Infrastructure", who get paid ALOT of money to sit around in meetings with the other execs, dreaming up IT budgets for the upcoming fiscal year while minimizing costs and expenditures, and push out memos about how up to date the company is and how the "forward thinking plans" they are developing will "keep the company on the cutting edge" of technology.... most of which sound as bad or worse than the marketing garbaggio that is dreamed up the press releases we see posted here.

 

[Nanochip]

Intel shareholder per chance.

That's been patched and came out in 2021.

Lies. This is a new vulnerability made public yesterday by AMD. This is the CVE: CVE-2021-46778

See AMD’s website https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039

note the initial publication date of “8-9-2022”

 

[DeathtoGnomes]

Not sure who reads the white paper on these. I have a hard time deciphering this.

https://stefangast.eu/papers/squip.pdf

6. Discussion and Limitations
As shown, using the SQUIP side channel, an unprivi-
leged attacker can extract sensitive information from a co-
located victim within less than 45 min, achieving very low
error rates. In this section, we discuss the limitations of our
attack and possible hardware and software countermeasures.
To summarize, the SQUIP attack exploits 1) that the
ALUs are connected to different schedulers, 2) that the
ALUs have different capabilities, 3) that co-located pro-
cesses compete for free slots in the scheduler queues and
4) that the control flow of the RSA implementation is
secret-dependent. Without any of these four prerequisites,
the demonstrated attack no longer works, so that possible
countermeasures can target all of them.

 

[TheoneandonlyMrK]

It is quite funny to see someone's first reaction to a problem was 'Hey that other guy also had problems, look at him' instead of actually facing the problem.

What aboutism eh

Lies. This is a new vulnerability made public yesterday by AMD. This is the CVE: CVE-2021-46778

See AMD’s website https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039

note the initial publication date of “8-9-2022”

Errr it's in the Name Cve 2021 !?

A clue would be, it doesn't say 2022 does it, found in 2021, fixed, then reported in 22.

Google it FFS.

Patched, then published, as all good issues are.

Now off with your Intel lurvin whataboutism weak ass shit.

 

[Nanochip]

What aboutism eh

Errr it's in the Name Cve 2021 !?

A clue would be, it doesn't say 2022 does it, found in 2021, fixed, then reported in 22.

Google it FFS.

Patched, then published, as all good issues are.

Now off with your Intel lurvin whataboutism weak ass shit.

You’re probably confusing this new revealed AMD vulnerability with one that was revealed last year: CVE-2020-12965 it was published on Aug 31, 2021.

So confident in your incompetence. The cognitive dissonance is real… AMD’s CPUs have vulnerabilities too. you take it as a personal affront when they’re pointed out. Says a lot more about you than it does about me. Now, run along.

 

[efikkan]

Like most of these cleverly-named vulnerabilities, this one is mostly a non-issue. The only people who need to be worried are those who are running multiple clients on a single server (i.e. cloud) and guess what... if they're in any way competent, they aren't running anything as admin/root. If they're not competent, then they deserve whatever pain they get and they should fix their setup.

Yes, when a vulnerability needs to have root access to work, the attacker already owns the system.
The only concern would be if this can be executed across VMs, which really only applies to cloud services, but sensitive/critical services should never run in the cloud anyways. Anyone in the industry knows security is done in layers; If there is a bug in hardware, firmware or the OS, usually the higher levels will protect until the problem is resolved/mitigated. In the public cloud, if there is a hardware or hypervisor bug, then all the other security measures can be bypassed.

Yep, and herein lies the REAL problem, as a lot of IT departments today are manned by 1st time rookies and/or amateurs with little to no hands on experience, who were hired in at just above minimum wage and have neither the competence nor the ability/desire to actually do any REAL work, aside from sittin on their collective duffs playing on their phones, and pick up their paychecks on payday... yea they can help you reset your password or ask the holier than thou question of "did you try restarting your computer"... but beyond that it takes them a long time to figure out how to solve everyday issues, cause they have to "look into it".. ie search google for a fix !

On the other end are the "IT Managers" or "SVP of Technology & Infrastructure", who get paid ALOT of money to sit around in meetings with the other execs, dreaming up IT budgets for the upcoming fiscal year while minimizing costs and expenditures, and push out memos about how up to date the company is and how the "forward thinking plans" they are developing will "keep the company on the cutting edge" of technology.... most of which sound as bad or worse than the marketing garbaggio that is dreamed up the press releases we see posted here.

It's hard to measure competence in IT, which is probably contributing to a lot of unqualified staff, and this is even a problem for "experienced" staff, some people just never know what they're doing or don't care.
I once saw a company wanting to ramp up their security hire a team of "security experts", which were so incompetent in introducing "well established security principles" like two-factor authentication and using a service from a "tried and tested" third-party, they managed to make it worse than not having it, as there were fundamental flaws in the setup resulting in several attack vectors.

 

[TheoneandonlyMrK]

You’re probably confusing this new revealed AMD vulnerability with one that was revealed last year: CVE-2020-12965 it was published on Aug 31, 2021.

So confident in your incompetence. The cognitive dissonance is real… AMD’s CPUs have vulnerabilities too. you take it as a personal affront when they’re pointed out. Says a lot more about you than it does about me. Now, run along.

No, as I said it was discovered in 2021 disclosed to AMD in 2021, they fixed it.

Then today reported it to the world, but it isn't new , it is fixed and as is said it's in the name. Cve 2021 wtaf.

Now on topic , without bias, no you aren't capable.

And I couldn't care less, except you spouted nonsense and still are in a auto defence stance, what about them though?!.

Oh and I didn't say anything against Intel here, it is what it is, a server security issue, though my private data could be on those server's.

From AMD
"AMD was informed about the issue in December 2021 and assigned it the CVE identifier CVE-2021-46778 and a severity rating of ‘medium’. The chip giant published an advisory on Tuesday, informing customers that Zen 1, Zen 2 and Zen 3 microarchitectures are impacted.

The list of affected products includes Ryzen, Athlon and EPYC processors for desktops, workstations, mobile devices, Chromebooks, and servers.

While Intel and Apple products are currently not impacted, they have been notified as well."

 

[tpu7887]

Does this make 9th gen the fastest and most secure?

 

[ThomasK]

AMD’s CPUs have vulnerabilities too.

Can you read the title? It's about Intel. Intel is the subject here. Stay on topic, simple enough.

Whenever the AMD vulnerability post comes out, bet you'll be the first one to comment. Fair enough, shareholder.

 

[P4-630]

Alder Lake seems unaffected since it does not support the SGX instruction set.

 

[jeffw111]

P4-630 is right SGX was removed from Alder Lake and so would be unaffected by this bug. In fact there was a lot of coverage that it would not be supporting 4K Bluray playback.

 

[mplayerMuPDF]

Does this make 9th gen the fastest and most secure?

Absolutely not. 9th gen is still Skylake+*n (aka garbage lake) and therefore vulnerable to many transient execution attacks. Personally, I will keep running this Zen+ system (with SMT disabled) for many, many years, not just because I cannot afford to upgrade but also because it is clear to me that all these new generations have new security vulnerabilities of their own, so there is no sense upgrading to a newer gen with supposed hardware "mitigations". When the time comes, I will probably upgrade to a RISC-V/ARM-based system with in-order cores (i.MX10 with A510 would be interesting as they are supposed to have performance equivalent to that of the old A73), which is immune to all these issues afflicting highly complex OoO designs. That system may have less raw CPU power (certainly single-thread) but at least it would be highly secure and have low power consumption, two attributes that are highly attractive considering the future that we are currently facing. I don't strictly need tons of performance for home use anyway.