AMD Warns of New Transient Scheduler Attacks Impacting a Wide Range of CPUs
Semiconductor company AMD is warning of a new set of vulnerabilities affecting a broad range of chipsets that could lead to information disclosure.
The flaws, collectively called Transient Scheduler Attacks (TSA), manifest in the form of a speculative side channel in its CPUs that leverage execution timing of instructions under specific microarchitectural conditions.
“In some cases, an attacker may be able to use this timing information to infer data from other contexts, resulting in information leakage,” AMD said in an advisory.
The company said issues were uncovered as part of a study published by Microsoft and ETH Zurich researchers about testing modern CPUs against speculative execution attacks like Meltdown and Foreshadow by stress testing isolation between security domains such as virtual machines, kernel, and processes.
Following responsible disclosure in June 2024, the issues have been assigned the below CVE identifiers –
- CVE-2024-36350 (CVSS score: 5.6) – A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information
- CVE-2024-36357 (CVSS score: 5.6) – A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries
- CVE-2024-36348 (CVSS score: 3.8) – A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP[3] feature is enabled, potentially resulting in information leakage
- CVE-2024-36349 (CVSS score: 3.8) – A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage
AMD has described TSA as a “new class of speculative side channels” affecting its CPUs, stating it has released microcode updates for impacted processors –
- 3rd Gen AMD EPYC Processors
- 4th Gen AMD EPYC Processors
- AMD Instinct MI300A
- AMD Ryzen 5000 Series Desktop Processors
- AMD Ryzen 5000 Series Desktop Processors with Radeon Graphics
- AMD Ryzen 7000 Series Desktop Processors
- AMD Ryzen 8000 Series Processors with Radeon Graphics
- AMD Ryzen Threadripper PRO 7000 WX-Series Processors
- AMD Ryzen 6000 Series Processors with Radeon Graphics
- AMD Ryzen 7035 Series Processors with Radeon Graphics
- AMD Ryzen 5000 Series Processors with Radeon Graphics
- AMD Ryzen 7000 Series Processors with Radeon Graphics
- AMD Ryzen 7040 Series Processors with Radeon Graphics
- AMD Ryzen 8040 Series Mobile Processors with Radeon Graphics
- AMD Ryzen 7000 Series Mobile Processors
- AMD EPYC Embedded 7003
- AMD EPYC Embedded 8004
- AMD EPYC Embedded 9004
- AMD EPYC Embedded 97X4
- AMD Ryzen Embedded 5000
- AMD Ryzen Embedded 7000
- AMD Ryzen Embedded V3000
The company also noted that instructions that read data from memory may experience what’s referred to as “false completion,” which occurs when CPU hardware expects the load instructions to complete quickly, but there exists a condition that prevents it from happening –
In this case, dependent operations may be scheduled for execution before the false completion is detected. As the load did not actually complete, data associated with that load is considered invalid. The load will be re-executed later in order to complete successfully, and any dependent operations will re-execute with the valid data when it is ready.
Unlike other speculative behavior such as Predictive Store Forwarding, loads that experience a false completion do not result in an eventual pipeline flush. While the invalid data associated with a false completion may be forwarded to dependent operations, load and store instructions which consume this data will not attempt to fetch data or update any cache or TLB state. As such, the value of this invalid data cannot be inferred using standard transient side channel methods.
In processors affected by TSA, the invalid data may however affect the timing of other instructions being executed by the CPU in a way that may be detectable by an attacker.
The chipmaker said it has identified two variants of TSA, TSA-L1 and TSA-SQ, based on the source of the invalid data associated with a false completion: either the L1 data cache or the CPU store queue.
In a worst-case scenario, successful attacks carried out using TSA-L1 or TSA-SQ flaws could lead to information leakage from the operating system kernel to a user application, from a hypervisor to a guest virtual machine, or between two user applications.
While TSA-L1 is caused by an error in the way the L1 cache uses microtags for data-cache lookups, TSA-SQ vulnerabilities arise when a load instruction erroneously retrieves data from the CPU store queue when the necessary data isn’t yet available. In both cases, an attacker could infer any data that is present within the L1 cache or used by an older store, even if they were executed in a different context.
That said, exploiting these flaws requires an attacker to obtain malicious access to a machine and possess the ability to run arbitrary code. It’s not exploitable through malicious websites.
“The conditions required to exploit TSA are typically transitory as both the microtag and store queue will be updated after the CPU detects the false completion,” AMD said.
“Consequently, to reliably exfiltrate data, an attacker must typically be able to invoke the victim many times to repeatedly create the conditions for the false completion. This is most likely possible when the attacker and victim have an existing communication path, such as between an application and the OS kernel.”
