Kernel updates released in March have addressed a couple of vulnerabilities that could be exploited by an attacker to bypass mitigations designed to protect devices against Spectre attacks.
In January 2018, White hackers from Google Project Zero disclosed vulnerabilities, affecting all modern Intel CPUs, dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715). The issue could be exploited by attackers to steal sensitive data processed by the CPU.
Intel released patches and mitigations for these vulnerabilities but many devices have yet to apply them.
Symantec researcher Piotr Krysiuk, has disclosed this week two new vulnerabilities in the Linux kernel, respectively tracked as CVE-2020-27170 and CVE-2020-27171, that can be exploited by attackers to bypass mitigations for the Spectre flaws.
The CVE-2020-27170 flaw resides in the extended Berkeley Packet Filter (eBPF) technology used by the Linux kernel. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN, but a local user with the ability to insert eBPF instructions can use the eBPF verifier to abuse a Spectre like flaw to access all the content of the device’s memory.
“An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-f232326f6966. This affects pointer types that do not define a ptr_limit.” reads the description for this CVE-2020-27170.
The CVE-2020-27171 flaw also resides in the extended Berkeley Packet Filter (eBPF) technology. The issue triggers Integer underflow when restricting speculative pointer arithmetic allows unprivileged local users to leak the content of kernel memory. This flaw can be exploited to access contents from a 4Gb range of kernel memory.
“The most likely scenario where these vulnerabilities could be exploited is in a situation where multiple users have access to a single affected computer – as could be the case in workplace situations etc. In this scenario, any of the unprivileged users could abuse one of the identified vulnerabilities to extract contents of the kernel memory to locate secrets from other users.” reads the blog post published by Symantec.
“The bugs could also potentially be exploited if a malicious actor was able to gain access to an exploitable machine via a prior step – such as downloading malware onto the machine to achieve remote access – this could then allow them to exploit these vulnerabilities to gain access to all user profiles on the machine.”
Both vulnerabilities have been addressed with the release of kernel updates in March, several major Linux distributions, including Debian, Ubuntu and Red Hat, already implemented them.
Recently, Google released Spectre proof-of-concept (PoC) code to conduct Spectre attacks against its Chrome browser to share knowledge of browser-based side-channel attacks.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Spectre)