Intel has launched fixes to shut out a high-severity flaw codenamed Reptar that impacts its desktop, cellular, and server CPUs.
Tracked as CVE-2023-23583 (CVSS rating: 8.8), the subject has the potential to “permit escalation of privilege and/or data disclosure and/or denial of service by way of native entry.”
Profitable exploitation of the vulnerability might additionally allow a bypass of the CPU’s safety boundaries, based on Google Cloud, describing it as a difficulty stemming from how redundant prefixes are interpreted by the processor.
“The influence of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized surroundings, because the exploit on a visitor machine causes the host machine to crash leading to a Denial of Service to different visitor machines working on the identical host,” Google Cloud’s Phil Venables stated.
“Moreover, the vulnerability might doubtlessly result in data disclosure or privilege escalation.”
Safety researcher Tavis Normandy, in a separate evaluation of Reptar, stated it may be abused to deprave the system state and power a machine-check exception.
Intel, as a part of November 2023 updates, has printed up to date microcode for all affected processors. The entire listing of Intel CPUs impacted by CVE-2023-23583 is accessible right here. There may be no proof of any energetic assaults utilizing this vulnerability.
“Intel doesn’t anticipate this subject to be encountered by any non-malicious real-world software program,” the corporate stated in a steerage issued on November 14. “Malicious exploitation of this subject requires execution of arbitrary code.”
The disclosure coincides with the discharge of patches for a safety flaw in AMD processors referred to as CacheWarp (CVE-2023-20592) that lets malicious actors break into AMD SEV-protected VMs to escalate privileges and achieve distant code execution.