Researchers have demonstrated the “first native Spectre v2 exploit” for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors.
Spectre V2 is a new variant of the original Spectre attack discovered by a team of researchers at the VUSec group from VU Amsterdam.
The researchers also released a tool that uses symbolic execution to identify exploitable code segments within the Linux kernel to help with mitigation.
The new finding underscores the challenges in balancing performance optimization with security, which makes addressing fundamental CPU flaws complicated even six years after the discovery of the original Spectre.
Spectre spooks Linux
Speculative execution is a performance optimization technique where modern processors guess what instructions will be executed next and start implementing them before they know they are needed. As modern processors are extremely powerful, they can predict multiple paths a program may take and execute them simultaneously.
If one of the guesses is correct, there is an increase in application performance. If the guesses are wrong, the CPU throws away the previous work and proceeds as usual without changing performance.
However, while this feature improves performance, it also introduces security risks by leaving traces of privileged data in CPU caches, which attackers can potentially access.
This data can include account passwords, encryption keys, sensitive personal or corporate information, software code, and more.
Two attack methods are Branch Target Injection (BTI), which involves manipulating the CPU’s branch prediction to execute unauthorized code paths, and Branch History Injection (BHI), which manipulates branch history to cause speculative execution of chosen gadgets (code paths), leading to data leakage.
Intel has already assigned CVE-2022-0001 and CVE-2022-0002 to BTI and BHI, respectively, while CVE-2024-2201 involves a new Spectre v2 exploit that works against the Linux kernel.
As the CERT Coordination Center (CERT/CC) disclosed yesterday, the new flaw, tracked as CVE-2024-2201, allows unauthenticated attackers to read arbitrary memory data by leveraging speculative execution, bypassing present security mechanisms designed to isolate privilege levels.
“An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget,” reads the CERT/CC announcement.
“Current research shows that existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient in stopping BHI exploitation against the kernel/hypervisor.”
An exploit demonstrating the new Spectre V2 flaw can be seen in the video below.
Current mitigations are designed around isolating exploitable gadgets to remove the attack surface. However, the VUSec researchers, through their custom ‘InSpectre Gadget‘ analysis tool, demonstrated that exploitable gadgets in the Linux kernel remain.
- Illumos – Planning to add BHI mitigations this week.
- Linux Foundation – Issue to be handled by the standard hardware vulnerability procedure followed by the Linux kernel development team.
- Red Hat – Unprivileged eBPF is disabled by default on RHEL, so the issue isn’t exploitable in standard configurations.
- SUSE Linux – Confirmed impact.
- Triton Data Center – Recommended updating to SmartOS 20240418.
- Xen – CERT/CC independently verified impact.
Intel has also updated its mitigation recommendations for Spectre v2 and now proposes disabling unprivileged Extended Berkeley Packet Filter (eBPF) functionality, enabling Enhanced Indirect Branch Restricted Speculation (eIBRS), and enabling Supervisor Mode Execution Protection (SMEP).
Moreover, Intel recommends adding LFENCE (Load Fence) instructions to specific locations in the code to serve as serialization points and implementing software sequences that clear the Branch History Buffer (BHB) for transitions between different security domains.
The hardware vendor has indicated that future processors will include mitigations for BHI and potentially other speculative execution vulnerabilities.
For a complete list of impacted Intel processors to the various speculative execution side-channel flaws, check this page updated by the vendor.