Retbleed – serious vulnerability discovered in microprocessors

12.07.2022 - Security researchers from ETH Zurich have discovered a serious security vulnerability in Intel and AMD microprocessors. The vulnerability, called Retbleed, potentially allows an attacker to access any memory area. Initial countermeasures have already been defined. The NCSC has assigned the internationally valid CVE identifiers for the vulnerability for both manufacturers.

Report vulnerabilities

In order to avoid the exploitation of vulnerabilities in IT systems as far as possible, it is extremely important that they be remedied quickly and that operators and manufacturers worldwide be notified. Security researchers from the ETH Zurich have discovered a serious security vulnerability in Intel and AMD microprocessors. In collaboration and consultation with the researchers at the ETH Zurich, the NCSC has assigned the CVE identifiers CVE-2022-29900 (AMD processors) and CVE-2022-29901 (Intel processors) for this vulnerability. The assignment of a CVE (Common Vulnerabilities and Exposures) identifier allows the clear worldwide identification of vulnerabilities. Since the processors concerned are used all over the world, the vulnerability is classified as serious. However, the manufacturers have already introduced initial measures to rectify the vulnerability.

Vulnerability discovered and reported by ETH Zurich

In the first quarter of this year, researchers at the ETH Zurich informed the manufacturers AMD and Intel about a vulnerability they had discovered in their microprocessors; they also informed the NCSC. The vulnerability, which the researchers named Retbleed, allows an attacker to gain unauthorised access to memory areas and thus obtain all kinds of system information. This is especially dangerous in cloud environments, in which different clients and companies use shared infrastructures and computer systems. The researchers reckon that in all probability, Intel microprocessors between three and six years old and AMD processors between one and eleven years old are affected. The vulnerability has been classified as serious. However, exploiting it is extremely laborious – it requires relevant specialist knowledge and assumes that the potential attacker is able to run program code locally on a system. The affected manufacturers are working urgently on security patches which they will issue rapidly. You can find further information on the Retbleed vulnerability in the ETH Zurich's working paper.

Coordinated by NCSC

In September 2021, the MITRE non-profit corporation recognised the NCSC as a Numbering Authority for the assignment of CVE identifiers. In November 2021, the NCSC assigned its first CVE identifier to a hardware vulnerability called Blacksmith, which was also discovered by the ETH Zurich.

In the meantime, the NCSC has published a total of 24 vulnerabilities, 20 of which concerned software and 4 related to hardware components. The list of vulnerabilities on the NCSC website is constantly updated. Most of the vulnerabilities were reported to the NCSC by security researchers as part of the Coordinated Vulnerability Disclosure programme. Essentially, this involves the responsible handling of vulnerabilities, with the aim of only making them public once the manufacturer or the affected organisation has been informed and a corresponding solution is available, e.g. in the form of a product update.

Both vulnerabilities in Federal Administration systems and, more generally, vulnerabilities in IT products and systems with a connection to Switzerland can be reported to the NCSC with the online form. As a Numbering Authority, the NCSC is responsible for the checking, coordination and publication of discovered vulnerabilities. The NCSC's role as coordinator is greatly appreciated by the involved parties, who avail themselves of it regularly.

Last modification 12.07.2022

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2022/cve-ncsc-retbleed.html