Intel emits patch to squash chip bug that lets any guest VM crash host servers

Sapphire Rapids, Alder Lake, Raptor Lake chip families treated for 'Redundant Prefix'


Intel on Tuesday issued an out-of-band security update to address a privilege escalation vulnerability in recent server and personal computer chips.

The flaw, designated INTEL-SA-00950 and given a CVSS 3.0 score of 8.8 out of 10, affects Intel Sapphire Rapids, Alder Lake, and Raptor Lake chip families. It's being addressed with a microcode update as part of Intel's Patch Tuesday bundle of 31 security advisories that cover 104 CVEs.

The top-line summary: this vulnerability can be exploited from a guest virtual machine to crash the underlying hypervisor host. If that's a problem for you, pay attention to the following.

"Intel discovered this issue internally and was already preparing the ecosystem to release a mitigation through our well-documented Intel Platform Update process," the company said in a statement provided to The Register.

"At the request of customers, including OEMs and CSPs, this process typically includes a validation, integration, and deployment window after Intel deems the patch meets production quality, and helps ensure that mitigations are available to all customers on all supported Intel platforms when the issue is publicly disclosed. While Intel is not aware of any active attacks using this vulnerability, affected platforms have an available mitigation via a microcode update."

According to a post by Jerry Bryant, senior director of incident response and security communications at Intel, the chip biz's own researchers found the vulnerability, dubbed "Redundant Prefix," while reviewing upcoming functional errata – defects or errors where chips deviate from specifications.

The team conducting the review determined that the bug could be used for a denial-of-service attack, and on that basis it initially received a CVSS 3.0 score of 5.5. Intel planned to issue the fix in its Intel Platform Update bundle scheduled for March 2024.

But subsequent analysis found that there was a way to abuse this issue for privilege escalation. So Intel rescheduled the fix date for November 2023.

Separately, according to Bryant, a Google researcher reported finding the same denial-of-service flaw that Intel's researchers had found internally. Citing a 90-day disclosure policy, Google planned to reveal its findings on November 14, 2023, which coincided with Intel's out-of-band update. And here we are.

Google calls the vulnerability Reptar (CVE-2023-23583) and in a report, provided to The Register, explains that the issue arises from the way that redundant instruction prefixes are interpreted by the CPU, which can allow security boundaries to be bypassed.

"Prefixes allow you to change how instructions behave by enabling or disabling features," the post explains. "The full rules are complicated, but in general, if you use a prefix that doesn't make sense or conflicts with other prefixes, we call those redundant. Usually, redundant prefixes are ignored."

According to Google, an attacker controlling a guest in a multi-tenant virtualized environment could use this vulnerability to take down the host, resulting in a denial of service for every other guest on that host. Or, as Intel notes, it could lead to the exposure of information or privilege escalation.

Intel plans to publish a technical paper on Redundant Prefix as well as an explanatory video.

The chip giant's paper explains, "Under certain microarchitectural conditions, Intel has identified cases where execution of an instruction (REP MOVSB) encoded with a redundant REX prefix may result in unpredictable system behavior resulting in a system crash/hang, or, in some limited scenarios, may allow escalation of privilege (EoP) from CPL3 to CPL0."

Intel said it does not expect the issue to surface in non-malicious software, since redundant REX prefixes are not normally present in code or emitted by compilers. (The CPL3-to-CPL0 escalation quoted above is the user-mode-to-kernel-mode case.)
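That point about compilers suggests a check a practitioner can run over their own binaries: look for REX prefixes sitting where the decoder ignores them. The routine below is an added example written for this article, not code from Intel or Google. It applies the encoding rule from the Intel SDM: a REX byte (0x40 to 0x4F) is honoured only when it immediately precedes the opcode or the 0x0F escape byte, so a REX followed by any other prefix byte is redundant. The byte sequence 44 F3 A4 in the sample input is a constructed encoding of the pattern Intel's paper names (a REX byte ahead of REP MOVSB); the other sample instructions are constructed as well. The function expects one instruction at a time at a real instruction boundary, as a disassembler would supply it; it is not a disassembler itself.

```python
"""Find x86-64 instructions that carry a redundant (decoder-ignored) REX prefix.

Added example for this article; not Intel's or Google's code.  Rule applied
(Intel SDM, REX prefix placement): a REX byte 0x40-0x4F is honoured only when
it immediately precedes the opcode or the 0x0F escape byte.  A REX followed by
any other prefix byte is ignored by the CPU, i.e. it is a redundant prefix.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Legacy prefix bytes valid in 64-bit mode: operand size, address size, LOCK,
# REPNE, REP/REPE and the segment-override bytes.
LEGACY_PREFIXES = frozenset({0x66, 0x67, 0xF0, 0xF2, 0xF3,
                             0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65})


def is_rex(b: int) -> bool:
    return 0x40 <= b <= 0x4F


def is_prefix(b: int) -> bool:
    return b in LEGACY_PREFIXES or is_rex(b)


@dataclass(frozen=True)
class RedundantRex:
    offset: int       # offset of the first ignored REX byte inside the instruction
    rex: int          # its value
    opcode: int       # first opcode byte the decoder actually reaches
    rep_movsb: bool   # True when the instruction is REP MOVSB (F3 ... A4), the case Intel's paper names


def check_instruction(insn: bytes) -> Optional[RedundantRex]:
    """insn holds exactly one instruction starting at a real instruction boundary."""
    i = 0
    first_ignored = None
    # Walk the prefix run; a REX that is followed by another prefix byte is ignored.
    while i < len(insn) and is_prefix(insn[i]):
        if is_rex(insn[i]) and i + 1 < len(insn) and is_prefix(insn[i + 1]):
            if first_ignored is None:
                first_ignored = i
        i += 1
    if first_ignored is None or i >= len(insn):
        return None   # no redundant REX, or a truncated prefix-only buffer
    opcode = insn[i]
    return RedundantRex(first_ignored, insn[first_ignored], opcode,
                        rep_movsb=(0xF3 in insn[:i] and opcode == 0xA4))


def scan_instructions(insns: Iterable[bytes]) -> List[Tuple[int, RedundantRex]]:
    """Run check_instruction over a stream of instruction encodings (for example
    the output of a disassembler) and return (stream offset, finding) pairs."""
    findings, offset = [], 0
    for insn in insns:
        hit = check_instruction(insn)
        if hit is not None:
            findings.append((offset, hit))
        offset += len(insn)
    return findings


# Constructed sample stream (not taken from any real binary):
SAMPLE = [
    bytes([0x48, 0x89, 0xC7]),              # mov rdi, rax: REX.W right before the opcode, fine
    bytes([0x44, 0xF3, 0xA4]),              # REX then REP MOVSB: the pattern Intel's paper names
    bytes([0xF3, 0xA4]),                    # plain rep movsb, fine
    bytes([0x66, 0x48, 0x0F, 0x7E, 0xC0]),  # movq rax, xmm0: mandatory 66 ahead of REX, fine
    bytes([0x41, 0x66, 0x89, 0xC8]),        # REX then 66: redundant REX, but not REP MOVSB
]

if __name__ == "__main__":
    for off, hit in scan_instructions(SAMPLE):
        tag = " (REP MOVSB)" if hit.rep_movsb else ""
        print(f"offset {off}: REX 0x{hit.rex:02x} ignored before opcode 0x{hit.opcode:02x}{tag}")
```

The check covers only the placement rule (a REX that cannot take effect because another prefix follows it). A REX placed directly before the MOVSB opcode is honoured by the decoder even though none of its bits matter for that instruction, and this scan does not flag that case. Feed it instruction boundaries from a proper disassembler rather than raw bytes: a 0x40 to 0x4F value inside an immediate or displacement is not a prefix, and a byte-level scan would report it as one.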

A spokesperson for the chip slinger told The Register that the update is OS loadable, meaning it can be applied without a system reboot, and no performance impact or behavioral changes have been observed as a result of the fix. ®
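Because the fix ships as microcode that the OS loads, the thing to verify afterwards is the revision each logical CPU actually reports. The script below is an added example for this article, not Intel's tooling: it parses /proc/cpuinfo text and sorts CPUs into those at or above a required revision, those still below it, and those whose family/model/stepping the caller's table does not cover. The required revisions are not on this page, so the table is a caller-supplied placeholder keyed by (family, model, stepping), and the cpuinfo text is a constructed sample with made-up signature and revision values.

```python
"""Check which logical CPUs report a required microcode revision (Linux /proc/cpuinfo).

Added example for this article; not Intel's tooling.  The required revision
per (family, model, stepping) is not on the page and must be supplied by the
caller from Intel's microcode release notes or the distribution's package.
"""
from typing import Dict, List, Tuple

Sig = Tuple[int, int, int]   # (cpu family, model, stepping), as /proc/cpuinfo prints them


def parse_cpuinfo(text: str) -> List[Dict[str, str]]:
    """Split /proc/cpuinfo into one dict per logical processor block."""
    cpus, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates processor blocks
            if cur:
                cpus.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        cpus.append(cur)
    return cpus


def microcode_status(text: str, required: Dict[Sig, int]) -> Dict[str, List[int]]:
    """Classify each logical CPU as 'ok' (revision >= required), 'stale'
    (below required) or 'unknown' (signature not in the caller's table)."""
    result: Dict[str, List[int]] = {"ok": [], "stale": [], "unknown": []}
    for cpu in parse_cpuinfo(text):
        cpu_id = int(cpu["processor"])
        sig = (int(cpu["cpu family"]), int(cpu["model"]), int(cpu["stepping"]))
        rev = int(cpu["microcode"], 16)   # kernel prints it as hex, e.g. 0x2b...
        if sig not in required:
            result["unknown"].append(cpu_id)
        elif rev >= required[sig]:
            result["ok"].append(cpu_id)
        else:
            result["stale"].append(cpu_id)
    return result


# Placeholder table: signature and revision are made up, not Intel's real numbers.
REQUIRED: Dict[Sig, int] = {(6, 99, 1): 0x20}

# Constructed /proc/cpuinfo excerpt: two CPUs with the tabled signature at
# different revisions (as after a partially applied late load) and one CPU
# with a signature the table does not cover.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 99
model name\t: constructed sample
stepping\t: 1
microcode\t: 0x10

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 99
model name\t: constructed sample
stepping\t: 1
microcode\t: 0x20

processor\t: 2
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 98
model name\t: constructed sample
stepping\t: 1
microcode\t: 0x20
"""

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as f:     # real data when run on Linux
            text = f.read()
    except OSError:
        text = SAMPLE_CPUINFO
    for state, ids in microcode_status(text, REQUIRED).items():
        print(f"{state}: {ids}")
```

Check every logical CPU rather than the first block only: a late load that did not reach all cores leaves a mixed result, which is exactly what the 'stale' list is there to surface.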
