Intel has released patches to address a critical flaw known as Reptar that affects its desktop, mobile, and server CPUs.
The vulnerability, identified as CVE-2023-23583 (CVSS score: 8.8), has the potential to “allow escalation of privilege, information disclosure, and/or denial of service via local access.”
According to Google Cloud, successful exploitation of the vulnerability could also allow a bypass of the CPU’s security bounds, as it is caused by how redundant prefixes are read by the processor.
“The impact of this vulnerability is demonstrated when exploited by an attacker in a multi-tenant virtualized environment, as the exploit on a guest machine causes the host machine to crash resulting in a Denial of Service to other guest machines running on the same host,” Phil Venables, vice president of Google Cloud, said.
“Additionally, the vulnerability could potentially lead to information disclosure or privilege escalation.”
In a separate investigation of Reptar, security researcher Tavis Normandy stated that it can be misused to corrupt the system state and induce a machine-check exception.
Intel has issued a revised microcode for all relevant chips as part of the November 2023 releases. The complete list of Intel CPUs affected by CVE-2023-23583 may be found here. There is no evidence of any active attacks exploiting this flaw.
“Intel does not expect this issue to be encountered by any non-malicious real-world software,” the company stated in a November 14 statement. “Malicious exploitation of this issue requires execution of arbitrary code.”
The disclosure corresponds with the availability of patches for CacheWarp (CVE-2023-20592), a security weakness in AMD processors that allows malicious actors to break into AMD SEV-protected VMs and escalate privileges and acquire remote code execution.