Native Spectre v2 exploit puts Intel systems running Linux at risk


It's been some time since we discussed the initial Spectre security flaw that impacted numerous CPUs, and which was subsequently followed by the Spectre v2 vulnerability. Now there are new concerns following the discovery of the first native Spectre v2 exploit against the Linux kernel.

Researchers from the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec) have demonstrated that Intel CPUs running Linux are vulnerable to Native Branch History Injection (BHI). VUSec says its InSpectre Gadget tool can be used to "not only uncover new (unconventionally) exploitable gadgets in the Linux kernel, but that those gadgets are sufficient to bypass all deployed Intel mitigations".


Tracked as CVE-2024-2201, the flaw was discovered last month, and Intel provided mitigation advice -- specifically, disabling unprivileged eBPF in Linux -- but this has now been shown to be ineffective. In an advisory entitled "Linux kernel on Intel systems is susceptible to Spectre v2 attacks", CERT says:

A new cross-privilege Spectre v2 vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware utilizing speculative execution that is vulnerable to Spectre v2 branch history injection (BHI) is likely affected. An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget. Current research shows that existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient in stopping BHI exploitation against the kernel/hypervisor.

There is an additional warning that:

Current mitigations rely on the unavailability of exploitable gadgets to eliminate the attack surface. However, researchers demonstrated that with the use of their gadget analysis tool, InSpectre Gadget, they can uncover new, exploitable gadgets in the Linux kernel and that those are sufficient to bypass deployed Intel mitigations.
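For administrators wanting to see what their own kernel reports about Spectre v2 and BHI mitigation status and whether unprivileged eBPF is still enabled, here is an added defender-side check (not from the article, VUSec or CERT). It assumes the sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2, the "BHI:" field that newer kernels append to that line, and the kernel.unprivileged_bpf_disabled sysctl; the exact wording of the status strings varies between kernel versions, so the classifier only matches on stable fragments.

```shell
#!/bin/sh
# Added example: summarise a Linux host's Spectre v2 / BHI mitigation state
# from the kernel's own reporting. Field names and wording are assumptions
# based on the kernel's sysfs output format and may differ between versions.

# Classify one spectre_v2 status line. Prints one of:
#   not-affected | vulnerable | mitigated-bhi | mitigated-no-bhi-field | unknown
# "mitigated-no-bhi-field" means the kernel predates BHI reporting, so the
# line says nothing about Native BHI either way.
classify_spectre_v2() {
    line="$1"
    case "$line" in
        "Not affected"*) echo "not-affected" ;;
        Vulnerable*)     echo "vulnerable" ;;
        Mitigation*)
            case "$line" in
                *"BHI: Vulnerable"*) echo "vulnerable" ;;
                *"BHI: "*)           echo "mitigated-bhi" ;;
                *)                   echo "mitigated-no-bhi-field" ;;
            esac ;;
        *) echo "unknown" ;;
    esac
}

# Classify kernel.unprivileged_bpf_disabled: 0 means unprivileged eBPF is
# allowed, 1 or 2 means it is disabled (2 can be re-enabled at runtime).
classify_unpriv_bpf() {
    case "$1" in
        0)   echo "unprivileged-ebpf-enabled" ;;
        1|2) echo "unprivileged-ebpf-disabled" ;;
        *)   echo "unknown" ;;
    esac
}

# Read the live values when the host exposes them; prints nothing otherwise.
report_host() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$f" ]; then
        echo "spectre_v2: $(classify_spectre_v2 "$(cat "$f")")"
    fi
    if v=$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null); then
        echo "unprivileged eBPF: $(classify_unpriv_bpf "$v")"
    fi
}

report_host
```

A result of "mitigated-no-bhi-field" or "unprivileged-ebpf-enabled" is a prompt to consult the Intel and CERT guidance linked in the article, not proof of exposure on its own.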

VUSec has shared a demo of the exploit in action. In the video, the Native BHI attack leaks the root password hash on a 13th Gen Intel Core running Linux kernel 6.6-rc4 (Ubuntu).

More information is available in the VUSec report here, while Intel has a list of affected processors here and BHI details here. It is also worth taking a look at the CERT Coordination Center where there are constantly updated links to further information, updates and patches.

Image credit: andron19821982 / depositphotos


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.