Retbleed

Bulletin ID: AMP-SB-0004

Potential Impact: An attacker can control the predictions for return addresses and can potentially hijack code flow to execute arbitrary code.

Severity: CVSS score: 6.5 (Medium)

Summary

Who is Impacted

All users of Ampere^® Altra^® and Ampere^® Altra^® Max.

Potential Impact

An attacker can control the predictions for return addresses and can potentially hijack code flow to execute arbitrary code.

Severity

Medium CVSS score: 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem Statement and Impact

Retbleed is an attack that exploits the unprotected prediction of return instructions. The issue is similar to Spectre variant 2 but exploits some easily triggerable cases (for example, fallback on empty return stack) where predictions for return addresses can still be controlled by an attacker. The Ampere^® Altra^® family and AmpereOne^™ (formerly known as “Siryn”) are impacted by the Retbleed attack. Existing hardware mitigations (FEAT_CSV2), recommended for Spectre v2 and Spectre-BHB, provide mitigations for attacks based on Retbleed.

Fixed in

Ampere^® Altra^® 1.08g Ampere^® Altra^® Max 2.05a

Affected Products

The Ampere^® Altra^® family and AmpereOne^™ (formerly known as “Siryn”) are impacted by the Retbleed attack.

Recommendations

It is highly recommended to upgrade firmware to Ampere^® Altra^® SRP 1.08g/Ampere^® Altra^® Max SRP 2.05a or greater. Hardware mitigations (FEAT_CSV2), recommended for Spectre v2 and Spectre-BHB, provide mitigations for attacks based on Retbleed.

References

https://developer.arm.com/documentation/ka005138/1-0/?lang=en