Red Hat response to Retbleed (CVE-2022-29900 / CVE-2022-23816, CVE-2022-29901, CVE-2022-23825) vulnerabilities

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (Physical and virtual systems)
  • AMD and Intel CPUs

This should impact any RHEL installation of the specified versions, regardless of whether it is physical or virtual. All of the vulnerabilities of this class have been most concerning for public cloud environments, where they could allow data to be obtained from other VMs running on a shared hypervisor.

Issue

Retbleed (CVE-2022-29900/CVE-2022-23816 and CVE-2022-29901) is a new speculative execution attack that takes advantage of microarchitectural behavior in many modern microprocessors, similar to Spectre v2. An unprivileged attacker can use these flaws to bypass conventional memory security restrictions and gain read access to privileged memory that would otherwise be inaccessible.

Note: CVE-2022-23816 is an alias to CVE-2022-29900.

Resolution

Red Hat has ranked this vulnerability as Moderate severity and will be providing kernel mitigations in an upcoming release for the affected kernels, following the product's Life Cycle phases.

Please subscribe to the below CVE pages for updates and fix availability:

Mitigations

Red Hat Enterprise Linux 7 uses the existing IBRS mitigations for Intel/AMD processors.

Red Hat Enterprise Linux 8/9 can mitigate the flaw in affected Intel/AMD CPUs if booted with the kernel parameter:

spectre_v2=ibrs

Systems booting updated kernels fixing the flaw will require no additional configuration to apply the mitigation. If the mitigation must be disabled, it can be done by booting the kernel with the following kernel cmdline option:

retbleed=off 

For Red Hat Enterprise Linux 7, use both of the following options:

spectre_v2=retpoline,force retbleed=off

The Retbleed mitigation may impact performance. A system can be rebooted with the mitigation disabled to compare the on-vs-off performance impact.
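The check below is an added example, not Red Hat code: it combines the kernel's Retbleed status string with the boot parameters named above (`retbleed=off`, `spectre_v2=ibrs`) into a single verdict. The verdict labels and function names are made up for this example, and it assumes the status is exposed at `/sys/devices/system/cpu/vulnerabilities/retbleed`, which is absent on kernels that predate the fix.

```shell
#!/bin/sh
# Added example (not Red Hat code): classify a host's Retbleed state from the
# kernel's sysfs status string and the boot parameters named in this article.
SYSFS=/sys/devices/system/cpu/vulnerabilities/retbleed

# cmdline_opt NAME CMDLINE: print the value of the last NAME=... token, if any.
# The subshell body keeps "set -f" (no globbing) and the variables local.
cmdline_opt() (
    set -f
    val=""
    for tok in $2; do
        case "$tok" in "$1"=*) val=${tok#*=} ;; esac
    done
    printf '%s\n' "$val"
)

# classify_retbleed STATUS CMDLINE: print a one-word verdict (labels are ours).
# STATUS is empty when the running kernel has no Retbleed sysfs entry.
classify_retbleed() (
    rb=$(cmdline_opt retbleed "$2")
    v2=$(cmdline_opt spectre_v2 "$2")
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation*)     echo mitigated ;;
        Vulnerable*)
            # An updated kernel reports Vulnerable; check whether that was requested.
            if [ "$rb" = off ]; then echo disabled-by-cmdline
            else echo vulnerable; fi ;;
        "")
            # No status from the kernel: only the boot-time workaround can apply.
            if [ "$v2" = ibrs ]; then echo ibrs-workaround
            else echo not-reported; fi ;;
        *) echo unknown ;;
    esac
)

# Live check on the current host.
retbleed_report() {
    status=""
    if [ -r "$SYSFS" ]; then status=$(cat "$SYSFS"); fi
    classify_retbleed "$status" "$(cat /proc/cmdline 2>/dev/null)"
}

echo "this host: $(retbleed_report)"
```

A `disabled-by-cmdline` result on a production host means the mitigation was left off after a performance comparison and should be reviewed.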

Root Cause

Researchers discovered that under specific microarchitectural conditions, return instructions can be forced to be predicted, similar to indirect branches, on both AMD and Intel processors.

Initial fixes to close this attack vector have been queued upstream. Red Hat Engineering is currently testing these patches and will deliver them to the relevant streams.

Diagnostic Steps

For more information on affected processors and mitigations please visit:


1 Comments

To know if your processor is affected by Retbleed, type lscpu in the Terminal:

[jasongo@localhost ~]$ lscpu
Architecture:            x86_64
  CPU op-mode(s):        32-bit, 64-bit
  Address sizes:         48 bits physical, 48 bits virtual
  Byte Order:            Little Endian
CPU(s):                  12
  On-line CPU(s) list:   0-11
Vendor ID:               AuthenticAMD
  Model name:            AMD Ryzen 5 4600G with Radeon Graphics
    CPU family:          23
    Model:               96
    Thread(s) per core:  2
    Core(s) per socket:  6
    Socket(s):           1
    Stepping:            1
    Frequency boost:     enabled
    CPU max MHz:         3700.0000
    CPU min MHz:         1400.0000
    BogoMIPS:            7400.26
    Flags:               fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt pdpe1gb rdtscp lm constant_tsc rep_good nopl nonstop_tsc cpuid extd_apicid aperfmperf rapl pni pclmulqdq monitor ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt aes xsave avx f16c rdrand lahf_lm cmp_legacy svm extapic cr8_legacy abm sse4a misalignsse 3dnowprefetch osvw ibs skinit wdt tce topoext perfctr_core perfctr_nb bpext perfctr_llc mwaitx cpb cat_l3 cdp_l3 hw_pstate ssbd mba ibrs ibpb stibp vmmcall fsgsbase bmi1 avx2 smep bmi2 cqm rdt_a rdseed adx smap clflushopt clwb sha_ni xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local clzero irperf xsaveerptr rdpru wbnoinvd cppc arat npt lbrv svm_lock nrip_save tsc_scale vmcb_clean flushbyasid decodeassists pausefilter pfthreshold avic v_vmsave_vmload vgif v_spec_ctrl umip rdpid overflow_recov succor smca
Virtualization features: 
  Virtualization:        AMD-V
Caches (sum of all):     
  L1d:                   192 KiB (6 instances)
  L1i:                   192 KiB (6 instances)
  L2:                    3 MiB (6 instances)
  L3:                    8 MiB (2 instances)
NUMA:                    
  NUMA node(s):          1
  NUMA node0 CPU(s):     0-11
Vulnerabilities:         
  Itlb multihit:         Not affected
  L1tf:                  Not affected
  Mds:                   Not affected
  Meltdown:              Not affected
  Mmio stale data:       Not affected
  Retbleed:              Mitigation; untrained return thunk; SMT enabled with STIBP protection
  Spec store bypass:     Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:            Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:            Mitigation; Retpolines, IBPB conditional, STIBP always-on, RSB filling, PBRSB-eIBRS Not affected
  Srbds:                 Not affected
  Tsx async abort:       Not affected