There has been several BWAIN PC hardware vulnerabilities published this summer. BWAIN is a short name for a Bug With An Impressive Name. BWAIN is an accolade that we hand out when a new cybersecurity flaw not only turns out to be interesting and important, but also turns up with its own logo, domain name and website.

UEFI malware

CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards https://www.bleepingcomputer.com/news/security/cosmicstrand-uefi-malware-found-in-gigabyte-asus-motherboards/
Chinese-speaking hackers have been using since at least 2016 malware that lies virtually undetected in the firmware images for some motherboards, one of the most persistent threats commonly known as a UEFI rootkit. Researchers at cybersecurity company Kaspersky called the most well known UEFI rootkit CosmicStrand but an earlier variant of the threat (found in machines with ASUS and Gigabyte motherboards) is named Spy Shadow Trojan.

Discovery of new UEFI rootkit exposes an ugly truth: The attacks are invisible to us | Ars Technica
https://arstechnica.com/information-technology/2022/07/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls/

Retbleed

New Retbleed speculative execution CPU attack bypasses Retpoline fixes https://www.bleepingcomputer.com/news/security/new-retbleed-speculative-execution-cpu-attack-bypasses-retpoline-fixes/
Security researchers have discovered a new speculative execution attack called Retbleed that affects processors from both Intel and AMD and could be used to extract sensitive information. Retbleed focuses on return instructions, which are part of the retpoline software mitigation against the speculative execution class of attacks that became known starting early 2018, with Spectre. The issue impacts Intel Core CPUs from generation 6 (Skylake – 2015) through 8 (Coffee Lake – 2017) and AMD Zen 1, Zen 1+, Zen 2 released between 2017 and 2019.

Retbleed (CVE-2022-29900 and CVE-2022-29901) is the new addition to the family of speculative execution attacks that exploit branch target injection to leak information, which we call Spectre-BTI. Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions. This means a great deal, since it undermines some of our current Spectre-BTI defenses.

Read more:
https://comsec.ethz.ch/wp-content/files/retbleed_sec22.pdf
New Spectre-type ‘Retbleed’ vulnerability drops. Will attackers use it?
https://www.scmagazine.com/analysis/threat-intelligence/new-spectre-type-retbleed-vulnerability-drops-will-attackers-use-it
Retbleed: Arbitrary Speculative Code Execution with Return Instructions
https://comsec.ethz.ch/research/microarch/retbleed/
Retbleed: New Speculative Execution Attack Targets Intel, AMD Processors: Researchers with ETH Zurich have devised a new speculative execution attack that undermines current Spectre defenses to leak information from Intel and AMD processors.
https://www.securityweek.com/retbleed-new-speculative-execution-attack-targets-intel-amd-processors

Herzbleed

What’s Hertzbleed, and what’s so unique about it?
https://www.kaspersky.com/blog/hertzbleed-attack/44824/
In June, researchers from three US universities published a paper describing a actual attack that abuses the fact that CPU frequency changes depend on the load thereon (standard behavior for modern CPUs). CPU frequency is measured in hertz, hence the name Hertzbleed, hinting that a change in this frequency leads to data leakage. Hertzbleed can operate remotely!. The study is of great interest and, despite its complexity, can be summarized in layman’s terms.

ÆPIC Leak

APIC/EPIC! Intel chips leak secrets even the kernel shouldnt see https://nakedsecurity.sophos.com/2022/08/10/apic-epic-intel-chips-leak-secrets-even-the-kernel-shouldnt-see/

This one is dubbed ÆPIC Leak, a pun on the words APIC and EPIC. The former is short for Advanced Programmable Interrupt Controller, and the latter is simply the word epic, as in giant, massive, extreme, mega, humongous.

ÆPIC Leak: Architectural Bug in Intel CPUs Exposes Protected Data
https://www.securityweek.com/aepic-leak-architectural-bug-intel-cpus-exposes-protected-data

A group of researchers from several universities and companies has disclosed a new Intel CPU attack method that could allow an attacker to obtain potentially sensitive information.
The research was conducted by researchers from the Sapienza University of Rome, the Graz University of Technology, the CISPA Helmholtz Center for Information Security, and Amazon Web Services.

The attack method has been dubbed AEPIC Leak — spelled ÆPIC Leak — and it’s related to the Advanced Programmable Interrupt Controller (APIC). This integrated CPU component is responsible for accepting, prioritizing, and dispatching interrupts to processors. When it’s in xAPIC mode, the APIC registers are accessed through a memory-mapped I/O (MMIO) page.
However, the researchers pointed out that unlike Meltdown and Spectre, which are transient execution attacks, AEPIC Leak exists due to an architectural bug, which leads to the disclosure of sensitive data without leveraging any side channel. They described it as “the first CPU bug able to architecturally disclose sensitive data.”
ÆPIC Leak, officially tracked as CVE-2022-21233, has been described as an uninitialized memory read issue that affects Intel CPUs.
Mitigations rolled out for recent side-channel attacks do not protect systems against ÆPIC Leak attacks. Instead, Intel is making available microcode updates and SGX SDK patches that address the vulnerability.
Intel, which described it as a medium-severity issue related to improper isolation of shared resources, published an advisory and provided a list of impacted products.
A research paper detailing ÆPIC Leak is available, as well as a dedicated website summarizing the findings. Proof-of-concept (PoC) exploit code has also been released.
https://aepicleak.com/
https://github.com/IAIK/AEPIC
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00657.html
Summary:
A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to address this potential vulnerability.
Vulnerability Details:
CVEID: CVE-2022-21233
Description: Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected Products:
Consult this list of affected products here.
Affected Processors: Transient Execution Attacks & Related Security Issues by CPU
https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html

Architecturally Leaking Uninitialized Data from the Microarchitecture
https://aepicleak.com/
ÆPIC Leak is the first CPU bug able to architecturally disclose sensitive data. It leverages a vulnerability in recent Intel CPUs to leak secrets from the processor itself: on most 10th, 11th and 12th generation Intel CPUs the APIC MMIO undefined range incorrectly returns stale data from the cache hierarchy.
In contrast to transient execution attacks like Meltdown and Spectre, ÆPIC Leak is an architectural bug: the sensitive data gets directly disclosed without relying on any (noisy) side channel. ÆPIC Leak is like an uninitialized memory read in the CPU itself.
A privileged attacker (Administrator or root) is required to access APIC MMIO. Thus, most systems are safe from ÆPIC Leak. However, systems relying on SGX to protect data from privileged attackers would be at risk, thus, have to be patched.

SQUIP

AMD Processors Expose Sensitive Data to New ‘SQUIP’ Attack
https://www.securityweek.com/amd-processors-expose-sensitive-data-new-squip-attack
A group of academic researchers on published a paper describing the first side-channel attack targeting the scheduler queues of modern processors.
Superscalar processors rely on scheduler queues to decide the schedule of the instructions being executed. Intel CPUs have a single scheduler queue, but chips made by Apple and AMD have separate queues for each execution unit.
AMD processors also implement simultaneous multithreading (SMT), where a CPU core is split into multiple logical cores or hardware threads that execute independent instruction streams.
Researchers from the Graz University of Technology, the Georgia Institute of Technology, and the Lamarr Security Research non-profit research center discovered that an attacker on the same hardware core as the victim but in a different SMT thread can measure scheduler contention to obtain sensitive data. The attack method has been dubbed SQUIP (Scheduler Queue Usage via Interference Probing).
“An attacker running on the same host and CPU core as you could spy on which types of instructions you are executing due to the split-scheduler design on AMD CPUs.”
AMD was informed about the issue in December 2021 and assigned it the CVE identifier CVE-2021-46778 and a severity rating of ‘medium’. The chip giant published an advisory informing customers that Zen 1, Zen 2 and Zen 3 microarchitectures are impacted.
The list of affected products includes Ryzen, Athlon and EPYC processors for desktops, workstations, mobile devices, Chromebooks, and servers.
While Intel and Apple products are currently not impacted, they have been notified as well.

New Vulnerability Affects All AMD Zen CPUs: Threading May Need to Be Disabled
Side-channel SQUIP vulnerability affects all SMT-enabled Zen CPUs.
https://www.tomshardware.com/news/new-vulnerability-affects-all-amd-zen-cpus

SQUIP: Exploiting the Scheduler Queue Contention Side Channel
https://stefangast.eu/papers/squip.pdf

As shown, using the SQUIP side channel, an unprivileged attacker can extract sensitive information from a co-located victim within less than 45 min, achieving very low
error rates. To summarize, the SQUIP attack exploits 1) that the ALUs are connected to different schedulers, 2) that the ALUs have different capabilities, 3) that co-located pro-
cesses compete for free slots in the scheduler queues and 4) that the control flow of the RSA implementation is secret-dependent. Without any of these four prerequisites, the demonstrated attack no longer works, so that possible countermeasures can target all of them.

Future CPU designs can avoid being vulnerable to the SQUIP attack by 1) using a single scheduler design, 2) making the schedulers symmetric, or 3) isolating hardware
threads more strictly in the scheduler queues

Execution Unit Scheduler Contention Side-Channel Vulnerability on AMD Processors
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1039
Bulletin ID:   AMD-SB-1039
Potential Impact: Information Disclosure
Severity: Medium
Summary
CVE-2021-46778
Execution unit scheduler contention may lead to a side channel vulnerability found on AMD CPU microarchitectures codenamed “Zen 1”, “Zen 2” and “Zen 3” that use simultaneous multithreading (SMT). By measuring the contention level on scheduler queues an attacker may potentially leak sensitive information.

Affected Products 
Desktop
AMD Ryzen™ 2000 series Desktop processors
AMD Ryzen™ 3000 Series Desktop processors
AMD Ryzen™ 5000 Series Desktop processors
AMD Ryzen™ 4000 Series Desktop processors with Radeon™ graphics
AMD Ryzen™ 5000 Series Desktop processors with Radeon™ graphics
High-End Desktop (HEDT)
2nd Gen AMD Ryzen™ Threadripper™ processors
3rd Gen AMD Ryzen™ Threadripper™ processors
Workstation
AMD Ryzen™ Threadripper™ PRO processors
Mobile
AMD Athlon™ 3000 Series Mobile processors with Radeon™ graphics
AMD Ryzen™ 2000 Series Mobile processors
AMD Ryzen™ 3000 Series Mobile processors, 2nd Gen AMD Ryzen™ Mobile processors with Radeon™ graphics
AMD Ryzen™ 3000 Series Mobile processors with Radeon™ graphics
AMD Ryzen™ 4000 Series Mobile processors with Radeon™ graphics
AMD Ryzen™ 5000 Series Mobile processors with Radeon™ graphics

Chromebook
AMD Athlon™ 3000 Series Mobile processors with Radeon™ graphics
AMD Athlon™ Mobile processors with Radeon™ graphics
AMD Ryzen™ 3000 Series Mobile processors with Radeon™ graphics
Server
1st Gen AMD EPYC™ processors
2nd Gen AMD EPYC™ processors
3rd Gen AMD EPYC™ processors 

Mitigation
AMD recommends software developers employ existing best practices1,2, including constant-time algorithms and avoiding secret-dependent control flows where appropriate to help mitigate this potential vulnerability.