German computing magazine C’t recently uncovered information regarding multiple new Intel CPU flaws dubbed ‘Spectre Next Generation’. The flaws were found by Google Project Zero, which also found the first Spectre vulnerabilities. Intel itself has already assigned CVE numbers to them and has labeled several of the flaws as “high risk”.
According to research carried out by the magazine, these latest security flaws affect Intel chips and are not mitigated by the earlier patches the chip giant put out for the previous Spectre issues.
Furthermore, one of the flaws could potentially pose a higher risk than the earlier Spectre flaws, as described in the C’t Spectre-NG article:
Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server.
AMD’s exposure to Spectre Next Generation
According to Elazar Advisors, the issues are probably not applicable to AMD’s Ryzen and Epyc processors, as actual issues with AMD’s processors were not mentioned in the article. Elazar Advisors contacted AMD to inquire about its exposure to these newly discovered bugs. AMD responded to Elazar that it does not currently know of any exposure to these new Spectre-NG flaws. The C’t article mentions that tests are currently underway to establish whether AMD and other manufacturers’ products are immune to Spectre-NG, so this situation might change in the future.
So far we only have concrete information on Intel’s processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable. Further research is already underway on whether the closely related AMD processor architecture is also susceptible to the individual Spectre-NG gaps, and to what extent.
What about the first Spectre flaws?
AMD, together with Microsoft, released OS and microcode mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) on April 10, 2018. Mitigations for GPZ Variant 1 (Spectre) were already provided through operating system updates. As a reminder, GPZ Variant 3 does not apply to AMD because of AMD’s microprocessor design.