New CPU architecture vulnerabilities: Intel 10th gen to 12th gen chips affected by AEPIC, SQUIP exploits loophole in all AMD Zen CPUs with SMT
Intel and AMD are yet to fully mitigate vulnerabilities such as Spectre and Meltdown, but there are new CPU architecture bugs that allow an attacker to obtain potentially sensitive information. Intel processors from 10th gen to 12th gen are shown to be affected by ÆPIC while SQUIP is a vulnerability affecting all AMD Zen processors with SMT.
APIC: A non-side channel vulnerability that affects Intel 10th-12th gen CPUs
Researchers from the Sapienza University of Rome, Graz University of Technology, CISPA Helmholtz Center for Information Security, and Amazon Web Services have described a flaw (CVE-2022-21233) affecting the memory-mapped registers of the Advanced Programmable Interrupt Controller (APIC) in Intel CPUs. APIC helps in effective multiprocessing by handling interrupt requests.
Dubbed ÆPIC, the researchers say that this vulnerability is the "first architectural CPU bug that leaks stale data from the microarchitecture without using a side channel". Their paper says that this leak works on all Sunny Cove-based processors including Ice Lake, Ice Lake-SP, Tiger Lake, and Alder Lake.
Intel has made available a list of affected processors on its Software Security Guidance website and has classified the threat level as "Medium".
According to the experts, ÆPIC requires elevated access to the physical APIC registers via a memory-mapped I/O (MMIO) page, which means an administrator or root access is needed. ÆPIC primarily affects applications that rely on Intel Software Guard Extensions (SGX), which is an application isolation technology that protects code in hardened enclaves.
Fixes that are normally deployed for side-channel vulnerabilities are ineffective against ÆPIC. This is a CPU architecture bug that can be worked around using software mitigations, but the researchers note that this can have an impact on the performance.
Intel has released microcode and SGX SDK updates as workarounds. That being said, the bug remains unexploited in the wild so far. A proof-of-concept code is now available on GitHub.
Entire AMD Zen family is affected by SQUIP
Things aren't entirely rosy on the AMD side of things either. In a paper, researchers from the Lamarr Security Research, Graz University of Technology, and Georgia Institute of Technology describe what they call SQUIP, short for Scheduler Queue Usage via Interference Probing.
SQUIP (AMD-SB-1039, CVE-2021-46778) is a side-channel attack that affects scheduler queues, which are important to decide instruction scheduling in superscalar processors.
SQUIP does not affect Intel processors since they use a single scheduler queue. However, the bug does affect AMD Zen 1, Zen 2, and Zen 3 lineups with SMT enabled as they use separate scheduler queues per execution unit.
The researchers say that AMD's scheduler causes interference across workloads that leads to scheduler queue contention, which can be exploited. They say that an attacker using SQUIP can decipher an RSA-4096 key in 38 minutes if the attacker and the target are located on different SMT threads in the same physical core.
Apple's M1 and M2 SoCs also follow a similar split-scheduler design like AMD, but they aren't affected by SQUIP since those SoCs do not use SMT.
AMD has classified the threat level as "Medium" and recommends "developers employ existing best practices, including constant-time algorithms and avoiding secret-dependent control flows where appropriate to help mitigate this potential vulnerability".