Cybersecurity researchers have disclosed what they describe as the “first native Spectre v2 vulnerability” targeting the Linux kernel on Intel systems, which can be exploited to read sensitive data from memory.
Researchers at the VU University Systems and Network Security Group (VUSec) in Amsterdam say the vulnerability, known as Native Branch History Injection (BHI), can be used to bypass existing Spectre v2/BHI mitigations and leak arbitrary kernel memory at 3.5 kB/s, according to a new study.
This shortcoming is tracked as CVE-2024-2201.
BHI was first disclosed by VUSec in March 2022, which described it as a technique that can bypass Spectre v2 protections in modern processors from Intel, AMD, and Arm.
Because that attack relied on the extended Berkeley Packet Filter (eBPF), one of Intel’s recommendations to address the issue was to disable Linux’s unprivileged eBPF.
“Privileged managed runtimes can be configured to allow unprivileged users to generate and execute code in the privileged domain – such as Linux’s ‘unprivileged eBPF’ – significantly increasing the risk of transient execution attacks, even when defenses against intra-mode [Branch Target Injection] are present,” Intel said at the time.
“The kernel can be configured to deny access to unprivileged eBPF by default, while still allowing administrators to enable it at runtime if desired.”
Native BHI defeats this mitigation by demonstrating that BHI is feasible without eBPF. It affects all Intel systems that are susceptible to BHI.
As a result, an attacker with access to CPU resources can influence speculative execution paths through malicious software installed on the machine, with the goal of extracting sensitive data belonging to other processes.
“Existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient to prevent BHI exploitation targeting the kernel/hypervisor,” the CERT Coordination Center (CERT/CC) said in an advisory.
“An unauthenticated attacker could exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget.”
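Since disabling unprivileged eBPF alone does not close CVE-2024-2201, a defender wants to verify two things on a host: that unprivileged eBPF is locked down, and that the running kernel is new enough to report a BHI mitigation at all. The following POSIX shell check is an added example, not code from the article, VUSec or CERT/CC; it assumes the upstream Linux sysfs file /sys/devices/system/cpu/vulnerabilities/spectre_v2, the kernel.unprivileged_bpf_disabled sysctl (0 = enabled, 1 or 2 = disabled), and the “BHI: …” suffix that patched kernels append to the spectre_v2 string.

```shell
#!/bin/sh
# Defender-side check for the two controls discussed above.
# File paths and the "BHI: ..." status strings are assumptions about
# upstream Linux behaviour, not something quoted from the article.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
UNPRIV_BPF_SYSCTL=/proc/sys/kernel/unprivileged_bpf_disabled

# bhi_status STRING -> prints "mitigated", "vulnerable" or "unknown".
# STRING is the contents of the spectre_v2 sysfs file. A kernel that
# predates the BHI fix prints no "BHI:" field at all, hence "unknown".
bhi_status() {
    case "$1" in
        *"BHI: Vulnerable"*) echo vulnerable ;;   # patched kernel, no BHI mitigation active
        *"BHI: "*)           echo mitigated ;;    # e.g. "BHI: SW loop, KVM: SW loop"
        *"Not affected"*)    echo mitigated ;;    # CPU not susceptible to Spectre v2
        *)                   echo unknown ;;      # old kernel: cannot tell, update it
    esac
}

# unpriv_bpf_status VALUE -> "disabled" when unprivileged eBPF is locked down.
# VALUE is the kernel.unprivileged_bpf_disabled sysctl: 1 is permanent,
# 2 can be flipped back by an administrator at runtime.
unpriv_bpf_status() {
    case "$1" in
        1|2) echo disabled ;;
        0)   echo enabled ;;
        *)   echo unknown ;;
    esac
}

# overall_status SPECTRE_STRING BPF_VALUE -> exit 0 only if both controls pass.
overall_status() {
    [ "$(bhi_status "$1")" = mitigated ] && [ "$(unpriv_bpf_status "$2")" = disabled ]
}

# Run against the live system when the files are readable (Linux only).
if [ -r "$SPECTRE_V2_SYSFS" ] && [ -r "$UNPRIV_BPF_SYSCTL" ]; then
    v2=$(cat "$SPECTRE_V2_SYSFS")
    bpf=$(cat "$UNPRIV_BPF_SYSCTL")
    echo "spectre_v2: $v2"
    echo "BHI: $(bhi_status "$v2"); unprivileged eBPF: $(unpriv_bpf_status "$bpf")"
    if ! overall_status "$v2" "$bpf"; then
        echo "Advice: install a kernel patched for CVE-2024-2201 and set kernel.unprivileged_bpf_disabled=1"
    fi
fi
```

The sample strings in the comments are constructed for illustration; check your distribution's documentation for the exact wording its kernel prints.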
This vulnerability has been confirmed to affect Illumos, Intel, Red Hat, SUSE Linux, Triton Data Center, and Xen. AMD said in an announcement that it was not “aware” of any impact on its products.
A few weeks ago, IBM and VUSec detailed GhostRace (CVE-2024-2193), a variant of Spectre v1 that combines speculative execution and race conditions to exfiltrate information from contemporary CPU architectures.
Separately, new research from ETH Zurich has revealed a series of attacks known as Ahoi attacks that can be used to compromise hardware-based Trusted Execution Environments (TEEs) and the Confidential Virtual Machines (CVMs) built on them, such as AMD Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP) and Intel Trust Domain Extensions (TDX).
These attacks, codenamed Heckler and WeSee, exploit malicious interrupts to compromise the integrity of the CVM, potentially allowing threat actors to log in remotely and gain elevated privileges, as well as perform arbitrary reads, writes, and code injection to disable firewall rules and open a root shell.
“For Ahoi attacks, an attacker can use the hypervisor to inject malicious interrupts into the victim’s vCPUs and trick it into executing the interrupt handlers,” the researchers said. “These interrupt handlers can have global effects (e.g., changing the register state in the application) that an attacker can trigger to compromise the victim’s CVM.”
AMD stated in response to the findings that the vulnerability is rooted in the Linux kernel implementation of SEV-SNP, and that fixes addressing some of the issues have been upstreamed to the mainline Linux kernel.
4 Comments
I don’t think the title of your article matches the content lol. Just kidding, mainly because I had some doubts after reading the article.