Intel’s security team found a flaw in AMD’s old ‘LFENCE/JMP’ patch to mitigate Spectre vulnerabilities across several generations of Ryzen and Threadripper CPUs.
In response, AMD issued a security bulletin recommending the use of alternate mitigation options. The update also had additional information for software developers.
Spectre is a type of security flaw that affects almost all modern Intel and AMD processors. It can potentially allow attackers to access sensitive data without detection. Worse, last week researchers found that Intel and Arm processors are susceptible to a new kind of ‘Spectre v2’ attack.
Intel uncovered the issue with LFENCE/JMP while investigating the new vulnerability. AMD implemented LFENCE/JMP in 2018 to mitigate against Spectre, but Intel’s researchers found it doesn’t adequately protect against the threat.
As per AMD’s security bulletin, the weakness in LFENCE/JMP spans the following chips:
- Gen 1, 2, and 3 AMD Epyc processors
- AMD Ryzen 2000, 3000, and 5000 series desktop processors
- AMD Ryzen 4000 and 5000 series desktop processors with Radeon graphics
- 2nd and 3rd Gen Ryzen Threadripper
- AMD Ryzen Threadripper Pro
- AMD Athlon 3000 series mobile processors with Radeon graphics
- AMD Ryzen 2000 and 3000 series mobile processors
- 2nd Gen AMD Ryzen mobile processor with Radeon graphics
- AMD Ryzen 3000, 4000, and 5000 series with Radeon graphics
- AMD Athlon, Athlon 3000, and Ryzen 3000 mobile processors with Radeon graphics for Chromebook
You can view the full list here.
The researchers who found the flaw performed the exploit on Linux, but so far there haven’t been examples of the using the exploit on platforms like Windows.
Finally, The Verge points out that patches for Spectre-related vulnerabilities have been known to cause performance issues, especially on older hardware. However, benchmarking platform Phoronix tested the impact of initial patches for Intel and AMD chips in 2019 and found AMD CPUs were less affected than Intel.
Image credit: AMD
Source: Tom’s Hardware, AMD Via: The Verge
