Security vulnerability: Training Solo aka CVE-2024-28956, CVE-2025-24495
This document (000021845) is provided subject to the disclaimer at the end of this document.
Environment
For a complete list of affected products please review the respective SUSE Security announcements:
https://www.suse.com/security/cve/CVE-2024-28956.html
https://www.suse.com/security/cve/CVE-2025-24495.html
Situation
Security researchers of the VUSec group at VU Amsterdam found new Spectre v2 transient execution attacks in Intel CPUs.
The research focused on training the predictor within the same privilege class as the data to be leaked.
Three self-training attack classes were found:
- History-based attacks: Training could be done using in-kernel methods,
with classic Berkeley Packet Filter (cBPF) programs injected by the
attacker. Such programs are allowed for all users and are used for
seccomp or packet filtering.
Mitigation requires additional code changes to the kernel. Intel also
implemented a new Indirect Branch History Fence (IBHF) instruction,
supplied by newer Intel CPU Microcode (revisions 20250512 or newer).
- IP-based attacks: Attackers can force the prediction to fall back
entirely on the branch address rather than history. That way two
indirect branches could train each other when their addresses alias
(collide) in the Branch Target Buffer. Usable gadgets to exploit
this could be found, e.g. within the Linux Kernel, by using automated
techniques.
No mitigation is currently suggested.
- Direct-to-indirect attacks: On certain CPUs direct
branches can train the indirect branch prediction. This behavior
is caused by two hardware issues: Indirect Target Selection (ITS)
(CVE-2024-28956) and a hardware issue on Lion Cove (CVE-2025-24495).
For ITS, this drastically increases the self-training attack surface.
Mitigations require Intel CPU Microcode updates to 20250512 or newer
to supplement the Indirect Branch Predictor Barrier (IBPB) mitigation.
Source code adaptations are also needed: adding indirect jumps in upper
levels of the cacheline mitigates the problem.
Resolution
SUSE will release updated ucode-intel packages.
SUSE will release source code changes for the Direct-to-Indirect attacks only on SLES 15 SP6 and newer kernels, as the backporting efforts for older kernels are massive and too risky.
A new reporting file is added:
/sys/devices/system/cpu/vulnerabilities/indirect_target_selection
It can have this content:
- Vulnerable
  The kernel is vulnerable to the Indirect Target Selection attack.
- Mitigation: Aligned branch/return thunks
  The attack is mitigated in the kernel by aligned branch and return thunks.
- Mitigation: Retpolines, Stuffing RSB
  The attack is mitigated in the kernel by retpolines and/or RSB stuffing.
Configuration:
- indirect_target_selection=on
  The mitigations for Indirect Target Selection are enabled if needed.
- indirect_target_selection=off
  The mitigations for Indirect Target Selection are disabled.
- indirect_target_selection=force
  The mitigations for Indirect Target Selection are always enabled.
If not specified, this mitigation follows the global "mitigations" command line setting.
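A check for the reporting file and options described above, as an added example rather than SUSE's own tooling: it classifies the file content and reports which command line option governs the mitigation. The function names are hypothetical, the "Not affected" value is the generic status used by files in this sysfs directory rather than one listed here, and a missing file is assumed to mean a kernel without the ITS changes.

```shell
#!/bin/sh
ITS_SYSFS=/sys/devices/system/cpu/vulnerabilities/indirect_target_selection

# Map the text of the reporting file to a short verdict.
its_classify() {
    case "$1" in
        "Mitigation: "*) echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        "Not affected"*) echo not-affected ;;
        "")              echo unreported ;;  # assumption: file missing = kernel without the ITS changes
        *)               echo unknown ;;
    esac
}

# Report which command line option governs ITS: the specific one if present,
# otherwise the global mitigations= switch, otherwise the kernel default.
its_cmdline_setting() (
    set -f   # no glob expansion while word-splitting the command line
    its= global=
    for arg in $1; do
        case "$arg" in
            indirect_target_selection=*) its=${arg#*=} ;;
            mitigations=*)               global=${arg#*=} ;;
        esac
    done
    if [ -n "$its" ]; then echo "indirect_target_selection=$its"
    elif [ -n "$global" ]; then echo "mitigations=$global"
    else echo default
    fi
)

# Combine both views: $1 = reporting file text, $2 = kernel command line.
its_assess() {
    verdict=$(its_classify "$1"); setting=$(its_cmdline_setting "$2")
    case "$verdict:$setting" in
        vulnerable:indirect_target_selection=off|vulnerable:mitigations=off)
            echo "ACTION: vulnerable, mitigation disabled by '$setting'" ;;
        vulnerable:*) echo "ACTION: vulnerable, check kernel and ucode-intel updates" ;;
        unreported:*) echo "ACTION: no reporting file, kernel lacks the ITS changes" ;;
        unknown:*)    echo "REVIEW: unrecognised status '$1'" ;;
        *)            echo "OK: $verdict ($setting)" ;;
    esac
}

# Live check (Linux only); an empty state means the reporting file is absent.
if [ -r /proc/cmdline ]; then
    state=
    if [ -r "$ITS_SYSFS" ]; then state=$(cat "$ITS_SYSFS"); fi
    its_assess "$state" "$(cat /proc/cmdline)"
fi
```

Run it after installing the updated kernel and ucode-intel packages and rebooting; an ACTION line on a patched host usually points at a command line override.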
Status
Additional Information
https://www.vusec.net/projects/training-solo/
https://www.suse.com/security/cve/CVE-2024-28956
https://www.suse.com/security/cve/CVE-2025-24495
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01153.html
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021845
- Creation Date: 20-May-2025
- Modified Date: 20-May-2025
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
- SUSE Manager Server
- SUSE Linux Enterprise Micro
- SUSE Manager Proxy
- SUSE Linux Enterprise HPC
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com