This year, Google has seen an increase in the number of vulnerabilities impacting central processing units (CPU) across hardware systems. Two of the most notable of these vulnerabilities were disclosed in August, when Google researchers discovered Downfall (CVE-2022-40982) and Zenbleed (CVE-2023-20593), affecting Intel and AMD CPUs, respectively.
This trend proves only to be intensifying as time goes on. Left unmitigated, these types of vulnerabilities can impact billions of personal and cloud computers.
Today, we’re detailing the findings of Reptar (CVE-2023-23583), a new CPU vulnerability that impacts several Intel desktop, mobile, and server CPUs. Google’s Information Security Engineering team reported the vulnerability to Intel, who disclosed the vulnerability today. Thanks to the thoughtful collaboration between Google, Intel, and industry partners, mitigations have been rolled out, and Googlers and our customers are protected.
How Google found and responded to Reptar
A Google security researcher identified a vulnerability related to how redundant prefixes are interpreted by the CPU which leads to bypassing the CPU’s security boundaries if exploited successfully. Prefixes allow you to change how instructions behave by enabling or disabling features. The full rules are complicated, but in general, if you use a prefix that doesn’t make sense or conflicts with other prefixes, we call those redundant. Usually, redundant prefixes are ignored.
The impact of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized environment, as the exploit on a guest machine causes the host machine to crash resulting in a Denial of Service to other guest machines running on the same host. Additionally, the vulnerability could potentially lead to information disclosure or privilege escalation.
You can read more technical details about the vulnerability at our researcher’s blog.
Our security teams were able to identify this vulnerability and responsibly disclose it to Intel. Google worked with industry partners to identify and test a successful mitigation so all users are protected from this risk in a timely manner. In particular, Google’s response team ensured a successful rollout of the mitigation to our systems before it posed a risk to our customers, mainly Google Cloud and ChromeOS customers.
Google’s commitment to collaboration and hardware security
As Reptar, Zenbleed, and Downfall suggest, computing hardware and processors remain susceptible to these types of vulnerabilities. This trend will only continue as hardware becomes increasingly complex. This is why Google continues to invest heavily in CPU and vulnerability research. Work like this, done in close collaboration with our industry partners, allows us to keep users safe and is critical to finding and mitigating vulnerabilities before they can be exploited.
We look forward to continuing this proactive cybersecurity work, and encourage others to join us on this journey to create a more secure and resilient technology ecosystem.