Cybersecurity researchers have revealed what they say is the “first native Specter v2 exploit” against the Linux kernel on Intel systems that could be exploited to read sensitive data from memory.
The exploit, called Native Branch History Injection (BHI), can be used to leak arbitrary kernel memory at 3.5 kB/sec while bypassing existing Specter v2/BHI mitigations, researchers at the Systems and Network Security Group (VUSec) said ) of the Vrije Universiteit Amsterdam. a new study.
The shortage is monitored as CVE-2024-2201.
BHI was first disclosed by VUSec in March 2022, describing it as a technique capable of bypassing Specter v2 protections in modern Intel, AMD and Arm processors.
Although the attack took advantage of extended Berkeley Packet Filters (eBPFs), Intel’s recommendation to resolve the issue, among other things, was to disable Linux’s non-privileged eBPFs.
“Privileged managed runtimes that can be configured to allow an unprivileged user to generate and execute code in a privileged domain – such as Linux’s ‘unprivileged eBPF’ – significantly increase the risk of transient execution attacks, even when defenses versus intra-mode [Branch Target Injection] are there,” Intel said at the time.
“The kernel can be configured to deny access to unprivileged eBPF by default, while still allowing administrators to enable it at runtime where needed.”
Native BHI counteracts this countermeasure by demonstrating that BHI is possible without eBPF. It impacts all BHI-sensitive Intel systems.
As a result, it allows an attacker with access to CPU resources to influence speculative execution paths via malicious software installed on a machine with the aim of extracting sensitive data associated with another process.
“Existing mitigation techniques to disable privileged eBPF and enable IBT (End) are not sufficient to stop exploitation of BHI against the kernel/hypervisor,” the CERT Coordination Center (CERT/CC) said in a I notify.
“An unauthenticated attacker could exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget.”
The flaw has been confirmed to affect Illumos, Intel, Red Hat, SUSE Linux, Triton Data Center, and Xen. AMD, in a statement, said it was “aware of any impacts” to its products.
The disclosure comes weeks after IBM and VUSec detailed GhostRace (CVE-2024-2193), a variant of Specter v1 that uses a combination of speculative execution and race conditions to leak data from contemporary CPU architectures.
It also follows new research from ETH Zurich that revealed a family of attacks called Ahoi Attacks that could be used to compromise hardware-based trusted execution environments (TEEs) and breach confidential virtual machines (CVMs) such as AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel Trust Domain Extensions (TDX).
The attacks, codenamed Heckler and WeSee, make use of malicious interrupts to violate the integrity of CVMs, potentially allowing threat actors to remotely log in and gain elevated access, as well as perform arbitrary read, write, and data injection operations. code to disable firewall rules and open a root shell.
“For Ahoi attacks, an attacker can use the hypervisor to inject malicious interrupts into the victim’s vCPUs and cause them to execute interrupt handlers,” the researchers said. “These interrupt handlers can have global effects (e.g., changing registry state in the application) that an attacker can trigger to compromise the victim’s CVM.”
In response to the findings, AMD said that the vulnerability is rooted in the Linux kernel implementation of SEV-SNP, and that fixes that address some issues have been ported to the mainline Linux kernel.