New Bugs Could Let Hackers Bypass Spectre Attack Mitigations on Linux Systems

Cybersecurity researchers on 29th March 2021 disclosed two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative attacks such as Spectre and obtain sensitive information from kernel memory. It impacts all Linux kernels prior to 5.11.8.

Affected CVE —CVE-2020-27170 and CVE-2020-27171 (CVSS scores: 5.5)

How the exploitation works?

  • While CVE-2020-27170 can be abused to reveal content from any location within the kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.
  • Spectre and Meltdown take advantage of flaws in modern processors to leak data that are currently processed on the computer, thereby allowing a bad actor to bypass boundaries enforced by the hardware between two programs to get hold of cryptographic keys.
  • The two side-channel attacks permit malicious code to read memory that they would typically not have permission to.
  • The attacks could also be launched remotely via rogue websites running malicious JavaScript code.
  • Isolation countermeasures have been devised and browser vendors have incorporated defenses to offer protection against timing attacks by reducing the precision of time-measuring functions, the mitigations have been at an operating system level rather than a solution for the underlying issue.
  • The new vulnerabilities uncovered by Symantec aim to get around these mitigations in Linux by taking advantage of the kernel's support for extended Berkeley Packet Filters (eBPF) to extract the contents of the kernel memory.
  • Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and execute speculatively out-of-bounds loads with no restrictions. This could then be abused to reveal contents of the memory via side-channels.
  • Specifically, the kernel ("kernel/bpf/verifier.c") was found to perform undesirable out-of-bounds speculation on pointer arithmetic, thus defeating fixes for Spectre and opening the door for side-channel attacks.
  • In a real-world scenario, unprivileged users could leverage these weaknesses to gain access to secrets from other users sharing the same vulnerable machine.
  • The bugs could also potentially be exploited if a malicious actor was able to gain access to an exploitable machine via a prior step — such as downloading malware onto the machine to achieve remote access — this could then allow them to exploit these vulnerabilities to gain access to all user profiles on the machine.
  • News of the two flaws arrived after weeks when Google published a proof-of-concept (PoC) code written in JavaScript to demonstrate Spectre in a web browser and leak data at a speed of 1 kilobyte per second (kB/s) when running on Chrome 88 on an Intel Skylake CPU.

Systems Affected:

  • Desktop, Laptop, and Cloud computers may be affected by Meltdown.
  • Every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995 (except Intel Itanium and Intel Atom before 2013). Currently, it has been verified Meltdown on Intel processors.
  • Now, it is unclear whether AMD processors are also affected by Meltdown. 

Remediation:

  • There are patches against Meltdown for Linux, Windows, and OS X.
  • Patches for the security issues were released on March 20, with Ubuntu, Debian, and Red Hat deploying fixes for the vulnerabilities in their respective Linux distributions.
  • OS and browser updates only partially mitigate Meltdown and Spectre. Organizations need to be prepared for UEFI firmware and BIOS updates, as well.
  • When and whether updates will be pushed out will vary from vendor to vendor, adding another layer of complexity and uncertainty to patching. In some cases, admins may have to proactively check for updates from their PC makers periodically over the next few days or weeks.