SUSE Support

Here When You Need Us

Security vulnerability: Training Solo aka CVE-2024-28956, CVE-2025-24495

This document (000021845) is provided subject to the disclaimer at the end of this document.

Environment

For a complete list of affected products please review the respective SUSE Security announcements:

https://www.suse.com/security/cve/CVE-2024-28956.html
https://www.suse.com/security/cve/CVE-2025-24495.html


Situation

Security researchers of the VUSec group at VU Amsterdam found new Spectre v2 transitional execution attack in Intel CPUs.

The research focused on training the predictor within the same privilege class as the to be leaked data.

Three self-training attack classes were found:

- History-based attacks: Training could be done using in kernel methods,
  with classic Berkeley Packet Filter (cBPF) programs injected by the
  attacker which are allowed for all users and are used for seccomp or
  packet filtering.

  Mitigations requires additional code changes to the kernel, also Intel
  implemented a new Indirect Branch History Fence (IBHF) instruction
  supplied by newer Intel CPU Microcode (revisions 20250512 or newer).

- IP-based attacks: Attackers can force the prediction to fallback
  entirely on the branch address rather than history. That way two
  indirect branches could train each other when their address aliases
  collide in the Branch Target Buffer. Usable gadgets to exploit
  this could be found e.g. within the Linux Kernel by using automated
  techniques.

  No mitigation is currently suggested.

- Direct-to-indirect attacks: On certain CPUs direct
  branches can train the indirect branch prediction.  This behavior
  is caused by two hardware issues: Indirect Target Selection (ITS)
  (CVE-2024-28956) and a hardware issue on Lion Cove (CVE-2025-24495).
  For ITS, this drastically increases the self-training attack surface.

  Mitigations require Intel CPU Microcode updates to 20250512 or newer
  to supplement the Indirect Branch Predictor Barrier (IBPB) mitigation.

  Also source code adaptions are needed, adding indirect jumps in upper levels
  of the cacheline that mitigates the problem.

Resolution

SUSE will release updated ucode-intel packages.

SUSE will release source code changes for the Direct-to-Indirect attacks on SLES 15 SP6 and newer kernels, as the backporting efforts are massive and too risky.

A new reporting file is added:

/sys/devices/system/cpu/vulnerabilities/indirect_target_selection

It can have this content:

    Vulnerable
        The kernel is vulnerable to the Indirect Target Selection attack.

    Mitigation: Aligned branch/return thunks

        The attack is mitigated in the kernel by aligned branch and return thunks. 

    Mitigation: Retpolines, Stuffing RSB

        The attack is mitigated in the kernel by retpolines and/or RSB stuffing.

Configuration:

    indirect_target_selection=on

        The mitigations for Indirect Target selections are enabled if needed.

    indirect_target_selection=off

        The mitigations for Indirect Target selections are disabled.

    indirect_target_selection=force

        The mitigations for Indirect Target selections are always enabled.

    If not specified, this mitigation follows of the global "mitigations" commandline setting.

Status

Security Alert

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021845
  • Creation Date: 20-May-2025
  • Modified Date:20-May-2025
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
    • SUSE Manager Server
    • SUSE Linux Enterprise Micro
    • SUSE Manager Proxy
    • SUSE Linux Enterprise HPC

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.