Intel issued microcode updates to resolve a serious CPU flaw that could be exploited maliciously, especially against cloud-based hosts. Discovered by security researchers, including Tavis Ormandy from Google, the bug affects most modern Intel CPUs, causing them to behave unexpectedly and potentially allowing for system crashes and privilege escalation, even within supposedly secure environments like guest accounts in virtual machines.
Named Reptar (CVE-2023-23583), the bug relates to how affected CPUs handle instruction prefixes, and in particular to a feature of the Ice Lake architecture designed to enhance microcoding efficiency. Ormandy noticed anomalous behavior when redundant prefixes were added to certain operations: branches to unexpected locations, unconditional branches being ignored, and inaccurately recorded instruction pointers. The behavior became more severe when multiple cores triggered the bug, leading to machine check exceptions and system halts.
Initially categorized as a less severe issue slated for a fix in March, the bug was reassessed after further investigation by Intel and Google revealed the potential for privilege escalation, prompting an expedited response. The severity rating was raised to high (8.8 out of 10), and the release of updates was brought forward to November 2023 from the previously planned February 2024.
Intel identified affected products, distinguishing between those already fixed and those requiring the microcode updates released in the latest patch. Users are advised to check with their device or motherboard manufacturers for the necessary updates. While immediate threats for individuals are unlikely, the potential for code within virtual machines to crash the underlying hypervisor raises concern for major cloud service providers like Google, Microsoft, and Amazon.
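One way to confirm on a Linux host that an update actually took effect on every core, as an added example that is not from Intel or Google: it reads the `microcode` field of `/proc/cpuinfo` per CPU signature and compares it numerically with a minimum revision. The sample input and the revision table are constructed placeholders; real minimum revisions have to come from the vendor's advisory.

```python
import re

# Constructed /proc/cpuinfo excerpt (Linux x86 field names, made-up values).
SAMPLE_CPUINFO = """\
processor   : 0
vendor_id   : GenuineIntel
cpu family  : 6
model       : 200
stepping    : 1
microcode   : 0x10

processor   : 1
vendor_id   : GenuineIntel
cpu family  : 6
model       : 200
stepping    : 1
microcode   : 0x12
"""
# Placeholder minimum revisions keyed by (family, model, stepping); fill these
# in from the vendor's advisory. The value below is NOT a real fixed revision.
MIN_REVISION = {(6, 200, 1): 0x12}

def parse_cpuinfo(text):
    """Map each Intel CPU signature to the set of microcode revisions seen."""
    seen = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        f = {k.strip(): v.strip() for k, _, v in pairs}
        if f.get("vendor_id") != "GenuineIntel" or "microcode" not in f:
            continue  # other vendors, or a kernel that does not expose the field
        sig = (int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
        seen.setdefault(sig, set()).add(int(f["microcode"], 16))
    return seen

def audit(text, min_revision):
    """Return {signature: 'ok' | 'outdated' | 'mixed' | 'unknown'}."""
    report = {}
    for sig, revs in parse_cpuinfo(text).items():
        if sig not in min_revision:
            report[sig] = "unknown"      # not in the table: check the advisory
        elif min(revs) < min_revision[sig]:
            report[sig] = "outdated"     # at least one core is below the minimum
        elif len(revs) > 1:
            report[sig] = "mixed"        # cores disagree: update applied unevenly
        else:
            report[sig] = "ok"
    return report

if __name__ == "__main__":
    # On a real host, pass open("/proc/cpuinfo").read() instead of the sample.
    print(audit(SAMPLE_CPUINFO, MIN_REVISION))
```
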
Google collaborated with industry partners to devise and implement mitigations for this vulnerability, reducing the likelihood of exploitation and of potential denial-of-service attacks within its cloud infrastructure. However, smaller cloud services might still need to take action to secure their environments against this threat.