Linux kernel recently fixed a couple of vulnerabilities that could allow an attacker to bypass mitigations designed to protect devices against Spectre attacks.
Kernel updates released in March have addressed a couple of vulnerabilities that could be exploited by an attacker to bypass mitigations designed to protect devices against Spectre attacks.
In January 2018, White hackers from Google Project Zero disclosed vulnerabilities, affecting all modern Intel CPUs, dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). The issue could be exploited by attackers to steal sensitive data processed by the CPU.
Intel released patches and mitigations for these vulnerabilities but many devices have yet to apply them.
Symantec researcher Piotr Krysiuk, has disclosed this week two new vulnerabilities in the Linux kernel, respectively tracked as CVE-2020-27170 and CVE-2020-27171, that can be exploited by attackers to bypass mitigations for the Spectre flaws.
The CVE-2020-27170 flaw resides in the extended Berkeley Packet Filter (eBPF) technology used by the Linux kernel. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN, but a local user with the ability to insert eBPF instructions can use the eBPF verifier to abuse a Spectre like flaw to access all the content of the device’s memory.
“An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.” reads the description for this CVE-2020-27170.
The CVE-2020-27171 flaw also resides in the extended Berkeley Packet Filter (eBPF) technology. The issue triggers Integer underflow when restricting speculative pointer arithmetic allows unprivileged local users to leak the content of kernel memory. This flaw can be exploited to access contents from a 4Gb range of kernel memory.
“The most likely scenario where these vulnerabilities could be exploited is in a situation where multiple users have access to a single affected computer – as could be the case in workplace situations etc. In this scenario, any of the unprivileged users could abuse one of the identified vulnerabilities to extract contents of the kernel memory to locate secrets from other users.” reads the blog post published by Symantec.
“The bugs could also potentially be exploited if a malicious actor was able to gain access to an exploitable machine via a prior step – such as downloading malware onto the machine to achieve remote access – this could then allow them to exploit these vulnerabilities to gain access to all user profiles on the machine.”
Both vulnerabilities have been addressed with the release of kernel updates in March, several major Linux distributions, including Debian, Ubuntu and Red Hat, already implemented them.
Recently, Google released Spectre proof-of-concept (PoC) code to conduct Spectre attacks against its Chrome browser to share knowledge of browser-based side-channel attacks.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Spectre)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
Linux kernel recently fixed a couple of vulnerabilities that could allow an attacker to bypass mitigations designed to protect devices against Spectre attacks.
Kernel updates released in March have addressed a couple of vulnerabilities that could be exploited by an attacker to bypass mitigations designed to protect devices against Spectre attacks.
In January 2018, White hackers from Google Project Zero disclosed vulnerabilities, affecting all modern Intel CPUs, dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). The issue could be exploited by attackers to steal sensitive data processed by the CPU.
Intel released patches and mitigations for these vulnerabilities but many devices have yet to apply them.
Symantec researcher Piotr Krysiuk, has disclosed this week two new vulnerabilities in the Linux kernel, respectively tracked as CVE-2020-27170 and CVE-2020-27171, that can be exploited by attackers to bypass mitigations for the Spectre flaws.
The CVE-2020-27170 flaw resides in the extended Berkeley Packet Filter (eBPF) technology used by the Linux kernel. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN, but a local user with the ability to insert eBPF instructions can use the eBPF verifier to abuse a Spectre like flaw to access all the content of the device’s memory.
“An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.” reads the description for this CVE-2020-27170.
The CVE-2020-27171 flaw also resides in the extended Berkeley Packet Filter (eBPF) technology. The issue triggers Integer underflow when restricting speculative pointer arithmetic allows unprivileged local users to leak the content of kernel memory. This flaw can be exploited to access contents from a 4Gb range of kernel memory.
“The most likely scenario where these vulnerabilities could be exploited is in a situation where multiple users have access to a single affected computer – as could be the case in workplace situations etc. In this scenario, any of the unprivileged users could abuse one of the identified vulnerabilities to extract contents of the kernel memory to locate secrets from other users.” reads the blog post published by Symantec.
“The bugs could also potentially be exploited if a malicious actor was able to gain access to an exploitable machine via a prior step – such as downloading malware onto the machine to achieve remote access – this could then allow them to exploit these vulnerabilities to gain access to all user profiles on the machine.”
Both vulnerabilities have been addressed with the release of kernel updates in March, several major Linux distributions, including Debian, Ubuntu and Red Hat, already implemented them.
Recently, Google released Spectre proof-of-concept (PoC) code to conduct Spectre attacks against its Chrome browser to share knowledge of browser-based side-channel attacks.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Spectre)