Low-Severity Bugs Pose High-Risk Threat to Information Security

AMD has issued a warning to users of its CPUs, citing the discovery of a newly identified form of side-channel attack known as the Transient Scheduler Attack (TSA). This vulnerability, reminiscent of the Meltdown and Spectre bugs, affects a wide range of AMD chips and could lead to information disclosure.
According to AMD, the TSA comprises four vulnerabilities, with two rated as medium-severity and the other two as low-severity. However, security experts have assessed the threat as “critical” due to the potential for attackers to exploit the vulnerabilities, even if they only have low privileges.
The TSA requires local access to the machine, either through malware or a malicious virtual machine (VM), and can only be executed by an attacker who has the ability to run arbitrary code on the target machine. The attack hinges on false completions, which occur when CPUs expect load instructions to complete quickly but a condition prevents them from completing successfully.
In the worst-case scenarios, successful attacks on AMD chips could leak information from the OS kernel, while the low-severity bugs could result in internal CPU operational details being leaked. This could potentially allow attackers to escalate privileges, bypass security mechanisms, establish persistence, and more.
TSA-L1: L1 Cache Vulnerability
One of the TSA variants, TSA-L1, arises from an error in the way the L1 cache uses microtags for lookups. When the CPU attempts to load data from the L1 cache, it may believe that the data is present when in fact it is not. This can lead to incorrect data being loaded, and an attacker can then infer that data. The TSA-L1 vulnerability is caused by a combination of the CPU’s microarchitecture and the way it handles cache lookups.
TSA-SQ: Store Queue Vulnerability
The other TSA variant, TSA-SQ, arises from an error in the way the store queue handles load instructions. When a load instruction is executed, the CPU may incorrectly retrieve data from the store queue instead of the intended location. This can lead to incorrect data being loaded, and an attacker can then infer that data. The TSA-SQ vulnerability is caused by a combination of the CPU’s microarchitecture and the way it handles store operations.
Impact on AMD Chip Series
The TSA affects a wide range of AMD chip series, including:
EPYC: 3rd and 4th generation EPYC chips are affected by the TSA.
Ryzen: All Ryzen chip series are affected by the TSA, including Ryzen 3, Ryzen 5, and Ryzen 7.
Instinct: AMD’s Instinct GPU series is also affected by the TSA.
Athlon: The Athlon chip series is affected by the TSA, including Athlon 3000G and Athlon 5000G.
Mitigation and Patching
To mitigate the threat, AMD recommends that sysadmins update to the latest Windows builds and apply patches to affected chip series. However, the company notes that a mitigation involving a VERW instruction may impact system performance, requiring a risk-reward assessment from each admin. AMD has also released a technical report detailing the TSA vulnerabilities and providing guidance on mitigation and patching.
The attacks are difficult to pull off and typically reserved for well-resourced groups, and there is no known exploit code available, according to Microsoft. AMD is urging users to take the necessary precautions to protect against TSA.



