Ever since the 2018 disclosure of the Spectre and Meltdown vulnerabilities that left many modern computer processors open to side-channel, speculative execution attacks, researchers have been discovering similar flaws.
Spectre and Meltdown affected Intel chips more than AMD or ARM processors. But a team of researchers have disclosed a new vulnerability specifically affecting AMD processors.
Called “Take A Way,” the vulnerability is said to be present in AMD processors released between 2011 and 2019.
The researchers detail the vulnerability in a new paper (PDF link), but the team says they let AMD know their findings on August 23rd, 2019 in order to give the chip maker time to respond — although AMD has yet to make any public statements on the matter.
Update: AMD says it’s “aware of” the researchers’ paper, but in a statement the company says that “AMD believes these are not new speculation-based attacks,” but rather that they’re issues that have already been addressed by previous software updates.Â
It’s also unclear at this point whether new AMD chips set to hit the streets this year (like the upcoming Ryzen 4000 laptop processors) are affected.
In a nutshell, AMD’s L1D cache way predictor is vulnerable to at least two side-channel attack techniques, which attackers can use to obtain information that’s meant to be secure… such as encryption keys.
The good news is that there are hardware and software steps that can be taken to mitigate the risks associated with the vulnerabilities.
The bad news is that the researchers who discovered the security flaws say that it’s relatively easy to leverage the Take A Way vulnerability remotely — meaning an attacker doesn’t need physical access to your computer. Visiting a website with malicious code could do the trick. Cloud servers using recent AMD EPYC processors may also be vulnerable.
So hopefully AMD and/or PC makers are working on making some of those software-based mitigations available.
via Tom’s Hardware, ZDNet, and Engadget