Intel 10th Gen CPUs & Above Affected By “Reptar” Vulnerability, 12th & 13th Gen CPUs Receive Microcode Mitigations

Intel 10th Gen CPUs & Above Affected By Reptar Vulnerability, 12th & 13th Gen CPUs Receive Microcode Mitigations 1

Intel's 10th Gen CPUs and above are affected by the new "Reptar" Vulnerability" but the company has quickly rolled out a mitigation for its latest chips.

The Reptar vulnerability, which is labeled as CVE-2023-23583 is perceived as a "severe risk" mainly since it has the ability to "allow escalation of privilege and/or information disclosure and/or denial of service via local access". With a CVSS score of 8.8, Reptar has the ability to manipulate ongoing software instructions, which can pose detrimental impacts with one of them being a "'Redundant Prefix Issue". In simple terms, it is when an execution of a particular instruction is interfered with a "REX prefix" which can result in unpredictable system behavior resulting in a system crash/hang.

However, the important fact to note is that this vulnerability was discovered by Google's team of security researchers months ago. According to Tavis Ormandy, the "Reptar" can cause the CPU to malfunction, and can lead to "unexpected behavior" in terms of operations. The vulnerability had a huge impact on virtual machines, which had set the security of cloud hosts and equipment at risk, and potentially put the data of thousands of individuals at stake.

We observed some very strange behavior while testing. For example, branches to unexpected locations, unconditional branches being ignored and the processor no longer accurately recording the instruction pointer in xsave or call instructions.

Oddly, when trying to understand what was happening we would see a debugger reporting impossible states!

This already seemed like it could be indicative of a serious problem, but within a few days of experimenting we found that when multiple cores were triggering the same bug, the processor would begin to report machine check exceptions and halt.

We verified this worked even inside an unprivileged guest VM, so this already has serious security implications for cloud providers. Naturally, we reported this to Intel as soon as we confirmed this was a security issue.

-Google Security Researcher Tavis Ormandy

In terms of the response from Intel, while it was prolonged, it fortunately came by. Since the vulnerability has affected CPUs 10th generation and newer, for now, Team Blue has pushed out mitigation for Intel 12th generation, 13th generation, and 4th generation Intel Xeon processors. There haven't been any reported incidents of an active attack through "Reptar" which is why Intel may have chosen to cater to the relatively newer generations early.

To apply the mitigation in case you are worried about being potentially impacted by Reptar, you can view the list of impacted CPUs here. While this isn't certain yet, the application of the mitigation might result in performance degradation, hence you should keep this in mind before proceeding.

Products with new microcode update:

Embedded

806C2

806D1

Embedded

The following products have already been mitigated: