Retbleed

Bulletin ID: AMP-SB-0004
Potential Impact: An attacker can control the predictions for return addresses and can potentially hijack code flow to execute arbitrary code.
Severity: CVSS score: 6.5 (Medium)

Summary

Who is Impacted

All users of Ampere® Altra® and Ampere® Altra® Max.

Potential Impact

An attacker can control the predictions for return addresses and can potentially hijack code flow to execute arbitrary code.

Severity

Medium
CVSS score: 6.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem Statement and Impact

Retbleed is an attack that exploits the unprotected prediction of return instructions. The issue is similar to Spectre variant 2 but exploits some easily triggerable cases (for example, fallback on empty return stack) where predictions for return addresses can still be controlled by an attacker.
The Ampere® Altra® family and AmpereOne™ (formerly known as “Siryn”) are impacted by the Retbleed attack. Existing hardware mitigations (FEAT_CSV2), recommended for Spectre v2 and Spectre-BHB, provide mitigations for attacks based on Retbleed.

Fixed in

Ampere® Altra® 1.08g
Ampere® Altra® Max 2.05a

Affected Products

The Ampere® Altra® family and AmpereOne™ (formerly known as “Siryn”) are impacted by the Retbleed attack.

Recommendations

It is highly recommended to upgrade firmware to Ampere® Altra® SRP 1.08g/Ampere® Altra® Max SRP 2.05a or greater. Hardware mitigations (FEAT_CSV2), recommended for Spectre v2 and Spectre-BHB, provide mitigations for attacks based on Retbleed.
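The bulletin ties Retbleed coverage to the FEAT_CSV2 mitigations that the kernel already applies for Spectre v2, so an administrator's practical check after the firmware upgrade is whether the running kernel reports CSV2-based mitigation. The following POSIX shell script is an added example, not part of the Ampere bulletin or an Ampere tool; it assumes a Linux host that exposes the status in /sys/devices/system/cpu/vulnerabilities/spectre_v2 and that the kernel uses its usual "Not affected", "Mitigation: ..." and "Vulnerable..." prefixes in that file. The sample status lines embedded in the script are constructed for offline demonstration.

```shell
#!/bin/sh
# Added example (not from the Ampere bulletin): classify the kernel's
# spectre_v2 status line. The bulletin states that the FEAT_CSV2
# mitigations recommended for Spectre v2 also cover Retbleed, so a
# "Mitigation: ... CSV2 ..." line is the state an admin wants to see.
# Assumptions (not from the bulletin): Linux publishes the status in the
# sysfs file below and uses the prefixes matched in classify_spectre_v2.

VULN_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2

# classify_spectre_v2 LINE
# Prints one of: not-affected, mitigated-csv2, mitigated-other,
# vulnerable, unknown. Only the prefix and the CSV2 token are inspected,
# so minor wording differences between kernel versions do not matter.
classify_spectre_v2() {
    case "$1" in
        "Not affected"*)        echo not-affected ;;
        "Mitigation:"*CSV2*)    echo mitigated-csv2 ;;
        "Mitigation:"*)         echo mitigated-other ;;
        "Vulnerable"*)          echo vulnerable ;;
        *)                      echo unknown ;;
    esac
}

# check_host: read the live sysfs file when it exists, otherwise report
# unknown (non-Linux host, or a kernel without the vulnerabilities dir).
check_host() {
    if [ -r "$VULN_FILE" ]; then
        classify_spectre_v2 "$(cat "$VULN_FILE")"
    else
        echo unknown
    fi
}

# Constructed sample lines, used only for the --demo walk-through.
SAMPLE_MITIGATED="Mitigation: CSV2, BHB"
SAMPLE_OTHER="Mitigation: Branch predictor hardening"
SAMPLE_VULNERABLE="Vulnerable: Unprivileged eBPF enabled"

if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_MITIGATED" "$SAMPLE_OTHER" "$SAMPLE_VULNERABLE" "Not affected"; do
        printf '%-42s -> %s\n' "$s" "$(classify_spectre_v2 "$s")"
    done
else
    status=$(check_host)
    echo "spectre_v2 / Retbleed mitigation status on this host: $status"
    case "$status" in
        mitigated-csv2|not-affected)
            echo "OK: CSV2-based mitigation active or CPU not affected" ;;
        *)
            echo "ATTENTION: verify firmware level (SRP 1.08g / 2.05a or later) and kernel mitigation settings" ;;
    esac
fi
```

Run it with `--demo` to see the classification of the constructed samples, or without arguments on a live host to read the real sysfs line; a `mitigated-other` or `vulnerable` result on an Altra system is the cue to confirm the firmware level named in the recommendation above.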

References

https://developer.arm.com/documentation/ka005138/1-0/?lang=en