New Reptar CPU flaw impacts Intel desktop and server systems

November 17, 2023

Intel has fixed a high-severity CPU vulnerability in its modern desktop, server, mobile, and embedded CPUs, including the latest Alder Lake, Raptor Lake, and Sapphire Rapids microarchitectures.


Attackers can exploit the flaw—tracked as CVE-2023-23583 and described as a 'Redundant Prefix Issue'—to escalate privileges, gain access to sensitive information, or trigger a denial of service state (something that could prove very costly for cloud providers).


"Under certain microarchitectural conditions, Intel has identified cases where execution of an instruction (REP MOVSB) encoded with a redundant REX prefix may result in unpredictable system behavior resulting in a system crash/hang, or, in some limited scenarios, may allow escalation of privilege (EoP) from CPL3 to CPL0," Intel said.


"Intel does not expect this issue to be encountered by any non-malicious real-world software. Redundant REX prefixes are not expected to be present in code nor generated by compilers. Malicious exploitation of this issue requires execution of arbitrary code. Intel identified the potential for escalation of privilege in limited scenarios as part of our internal security validation in a controlled Intel lab environment."
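An added example, not from Intel, Google, or the original article: since Intel states that compilers do not generate redundant REX prefixes, a defender can flag 64-bit code that contains a REX byte directly before REP MOVSB. This is a heuristic scan over raw bytes rather than a disassembler, so matches inside data are possible; the function names and sample bytes are constructed for illustration.

```python
# Added example: heuristic byte scan for "REP + REX + MOVSB" in x86-64 code.
# It does not disassemble, so treat hits as leads for manual review.

# Legacy prefixes: segment overrides, operand/address size, LOCK, REPNE, REP.
LEGACY_PREFIXES = frozenset(
    [0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65, 0x66, 0x67, 0xF0, 0xF2, 0xF3]
)
REP = 0xF3    # REP prefix
MOVSB = 0xA4  # one-byte opcode for MOVSB


def is_rex(byte):
    """REX prefixes occupy 0x40-0x4F in 64-bit mode."""
    return 0x40 <= byte <= 0x4F


def find_rex_rep_movsb(code):
    """Return (offset, hex encoding) for each REP MOVSB that carries a REX prefix.

    MOVSB moves bytes through implicit registers, so no REX bit changes what
    it does. Only a REX byte directly before the opcode counts: a REX byte
    followed by a legacy prefix is ignored by the CPU.
    """
    hits = []
    for i, byte in enumerate(code):
        if byte != MOVSB or i == 0 or not is_rex(code[i - 1]):
            continue
        # Walk back over the legacy prefixes that precede the REX byte.
        start = i - 1
        while start > 0 and code[start - 1] in LEGACY_PREFIXES:
            start -= 1
        if REP in code[start:i - 1]:
            hits.append((start, code[start:i + 1].hex(" ")))
    return hits


# Constructed sample: nop; rep movsb; nop; rep + REX + movsb; ret
SAMPLE = bytes([0x90, 0xF3, 0xA4, 0x90, 0xF3, 0x44, 0xA4, 0xC3])

if __name__ == "__main__":
    for offset, encoding in find_rex_rep_movsb(SAMPLE):
        print(f"offset {offset:#x}: {encoding}")
```

The plain `rep movsb` at offset 1 of the sample is not reported; only the encoding with a REX byte between the REP prefix and the opcode is.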


Specific systems with affected processors, including those with Alder Lake, Raptor Lake, and Sapphire Rapids, already received updated microcode before November 2023, with no performance impact observed and no issues expected.


The company also released microcode updates to address the issue for the other CPUs, with users advised to update their BIOS, system OS, and drivers to receive the latest microcode from their original equipment manufacturer (OEM), operating system vendor (OSV), and hypervisor vendors.


The complete list of Intel CPUs affected by the CVE-2023-23583 vulnerability and mitigation guidance are available here.


"Intel recommends updating affected processors to the microcode version listed in the affected processor table below as soon as possible to mitigate this redundant prefix issue. OSVs may also provide updates containing this new microcode as soon as possible," the company added.


Reptar is a 'very strange' vulnerability


Google vulnerability researcher Tavis Ormandy revealed on November 14 that this security bug was also independently discovered by multiple research teams within Google, including Google Information Security Engineering and the silifuzz team, who dubbed it Reptar.


As Google Cloud VP and CISO Phil Venables explained on November 14, the vulnerability is related to "how redundant prefixes are interpreted by the CPU which leads to bypassing the CPU's security boundaries if exploited successfully."


Redundant prefixes should normally be ignored, but because of this vulnerability they trigger "very strange behavior," as Ormandy discovered during testing.





"We observed some very strange behavior while testing. For example, branches to unexpected locations, unconditional branches being ignored and the processor no longer accurately recording the instruction pointer in xsave or call instructions," Ormandy said.


"This already seemed like it could be indicative of a serious problem, but within a few days of experimenting we found that when multiple cores were triggering the same bug, the processor would begin to report machine check exceptions and halt."


Earlier this year, Google security researchers discovered the Downfall vulnerability impacting modern Intel CPUs and the Zenbleed flaw, which lets attackers steal sensitive data like passwords and encryption keys from systems with AMD Zen2 CPUs.


On November 14, AMD also patched a vulnerability called CacheWarp that lets malicious actors hack AMD SEV-protected VMs to escalate privileges and gain remote code execution.



Source: bleepingcomputer.com

