Demystifying CPU Microcode: Vulnerabilities, Updates, and Remediation
Attacks against low-level CPU architecture popped up on most tech people’s radar after the introduction of the Spectre and Meltdown vulnerabilities were made public. Since then there have been several more vulnerabilities affecting both Intel and AMD CPUs in the same category of speculative execution bugs. The goal of this article is to provide a basic understanding of CPU microcode, the attacks, and more importantly how you can remediate the vulnerabilities (and the impact of remediation).
What is CPU Microcode?
CPU microcode represents low-level instructions essential for the proper CPU functioning, acting as a bridge between the CPU’s architecture and the electronic circuits that execute instructions. Microcode resides directly on the CPU and translates higher-level instructions into operations that the CPU can understand and execute. Microcode enables manufacturers to fix bugs, improve performance, and address security vulnerabilities without the need for physical hardware changes or full-scale firmware updates. However, microcode can also introduce vulnerabilities, underscoring the importance of its management and security.
How is CPU Microcode Protected and Distributed?
To ensure the authenticity and integrity of CPU microcode, it is signed using digital signatures. binding the microcode to a specific manufacturer and preventing tampering during transmission or storage. The journey of a microcode update begins with the CPU manufacturer, such as Intel or AMD, where it is tested and ultimately signed and distributed. Some microcode updates are integrated into operating system updates. When you install a system update, it may include the latest microcode for your CPU. System and motherboard manufacturers may also provide microcode updates specific to their hardware. These updates are often bundled with BIOS/UEFI firmware updates. In some cases, microcode updates can be distributed automatically via operating system update mechanisms. This ensures that users receive critical microcode updates without manual intervention. For advanced users or in cases where automatic updates are not available, microcode updates can be manually installed by downloading the update from the manufacturer’s website and following their installation instructions.
Once obtained, microcode updates are applied to the CPU during the system’s boot process. The CPU microcode is loaded into the CPU’s microcode storage, replacing the previous version. This update process is designed to be transparent to the user and typically does not require any special user interaction.
Attacks Against The CPU
While updates to the microcode on your CPU can mitigate a number of bugs and vulnerabilities dealing with cache timing and speculative execution classes have been the security drivers behind updates and CPU architecture improvements. Below is a list of the more popular vulnerabilities related to CPU microcode and speculative execution:
- 2005 – 2017 – Branch Target Buffer Attacks and other CPU side-channel attacks: Colin Percival’s research demonstrated a practical attack on modern processors using the branch target buffer. This attack could potentially leak information and was demonstrated by extracting an OpenSSL RSA key. Several other papers on the subject were published during this time, however, mainstream attention was not garnered until Spectre and Meltdown were published in 2018.
- January 2018 – Spectre – Researchers at Google Project Zero and elsewhere disclosed the Spectre vulnerability (CVE-2017-5753 and CVE-2017-5715). Spectre is a class of speculative execution vulnerabilities that affect a wide range of processors.
- January 2018 – Meltdown – Researchers disclosed the Meltdown vulnerability (CVE-2017-5754), which primarily affected Intel processors. Meltdown allowed unauthorized access to kernel memory.
- Note: In 2021 Spectre v2 Variants were disclosed (Spectre-BHB, Spectre-PR2, Spectre-SSB, and others)
- 2018 – RIDL (Rogue In-Flight Data Load) – Affecting Intel chips produced as early as 2008 the RIDL vulnerability was discovered by the same researchers that disclosed the ZombieLoad and Fallout vulnerabilities. RIDL be used to leak data from the vulnerable CPU’s various internal buffers (select regions of allocated memory used to store or load data).
- May 2018 – Fallout – Researchers disclosed the Fallout vulnerability (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091), which exploited speculative execution to read data from Intel CPUs’ microarchitectural buffers.
- August 2018 – Foreshadow – Researchers revealed the Foreshadow vulnerability (CVE-2018-3615 and CVE-2018-3620), which targeted Intel SGX (Software Guard Extensions), allowing attackers to extract sensitive information.
- May 2019 – ZombieLoad – Researchers disclosed the ZombieLoad vulnerability (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091). It affected Intel processors and allowed attackers to exploit speculative execution to read data from other processes.
- January 2020 – CacheOut – CacheOut (CVE-2020-0549) was disclosed. This speculative execution attack could leak data from other processes or virtual machines running on the same CPU, even when SMT (Simultaneous Multi-Threading) is disabled.
- March 2020 – LVI (Load Value Injection) – Another speculative execution vulnerability that can be used to inject data into a victim’s transient execution. It affects Intel processors and can leak sensitive information.
- July 2023 – AMD Zenbleed – The Zenbleed vulnerability (CVE-2023-20593) is yet another speculative execution bug that allows data to be exfiltrated at high rate of speed (for this type of attack) clocking in at 30kb per core, per second.
- August 2023 – AMD Inception – AMD’s Zen 3 and Zen 4 CPUs are affected by the ‘Inception’ vulnerability. Like many of the attacks on this list, inception is a side-channel attack that can lead to the exposure of secure data.
- August 2023 – Intel Downfall – Identified as CVE-2022-40982, Downfall is one of the most recent examples of speculative execution bugs, this time taking advantage of memory optimization features in Intel processors to access user data.
Applying Microcode Updates
Given the long list of vulnerabilities mitigated by CPU microcode updates, you may be motivated to start applying these to your systems. While it is recommended that microcode updates be applied, be mindful of the effects such as negative performance impacts. There are many variables to consider with respect to performance, such as the CPU and workload types, so risk-based decisions must be made. There are three ways in which microcode updates can be applied:
- BIOS/UEFI Updates – Once the CPU manufacturer releases the microcode update typically the OEM that is using the affected processors will incorporate the microcode update into the UEFI update. This means in order to get the CPU microcode updated you will be applying the UEFI update and everything else that the OEM has included in it. Typically there are other firmware/software updates included in the UEFI update.
- Operating System Updates – Windows and Linux (as well as other operating systems such as macOS) will include microcode updates as part of the operating system updates. For example, when I updated one of my Linux systems the facilities within Linux successfully updated the CPU microcode such that I am no longer vulnerable to the Zenbleed vulnerability.
- Manually By The User – It is possible to acquire the microcode update from Intel or AMD (as an example) and apply it manually using operating system-specific tools. There are resources at the end of this article that provide some details, but this is best left to advanced users.
How Eclypsium Can Help
Functionality provided by the Eclypsium platform includes the identification of CPU microcode, the version being used, and an indication of whether or not it is outdated. Keep in mind this functionality may be different depending on CPU architecture and type. The example below is a finding from our test platform that has identified 58 systems with outdated microcode:
The Eclypsium platform also identified several different vulnerabilities associated with outdated CPU microcode, including many listed in this article. Below we can see that 7 systems are vulnerable to the recent Intel Downfall vulnerability:
CPU microcode is an integral part of modern processors, serving to improve performance, fix bugs, and address security vulnerabilities. Its secure signing, distribution, and application processes are essential for maintaining the integrity and reliability of computing devices. We encourage users to stay vigilant and ensure that their systems receive timely microcode updates to benefit from the latest improvements and security enhancements provided by CPU manufacturers.
- Intel, AMD, VIA & Freescale CPU Microcode Repositories
- Debian Microcode Guide
- https://www.phoronix.com/news/Intel-12-May-2023-Microcode – Intel Issues New CPU Microcode Going Back To Gen8 For New, Undisclosed Security Update – The interesting note in this article is from an Intel official statement regarding the “NA” moniker on microcode updates that indicates the update was not security related.
- https://github.com/chip-red-pill/MicrocodeDecryptor – Security researchers were able to leverage vulnerabilities in Intel TXE and activated an undocumented debugging mode called “red unlock”. This allowed the researcher to extract dumps of microcode directly from select Intel CPUs.
- https://www.linuxfromscratch.org/blfs/view/svn/postlfs/firmware.html – Good explanation of how microcode updates work, especially on Linux.
- https://github.com/AMDESE/amd_ucode_info – “amd_ucode_info.py provides a means to parse and display information about an amd-ucode (CPU microcode) container file in the format consumed by the linux kernel.”
- https://github.com/speed47/spectre-meltdown-checker – This script for Linux systems allows you to check for several of the speculative execution class of vulnerabilities listed in this article. Please note this is a free tool, provided by a group of volunteers and states: “This tool has been released in the hope that it’ll be useful, but don’t use it to jump to definitive conclusions about your security: hardware vulnerabilities are complex beasts, and collective understanding of each vulnerability is evolving with time.”
- Intel Microcode Update Guidance