New Linux Flaws Could Allow Attackers to Circumvent Spectre Mitigations
Yesterday (Monday, the 29th of March), cybersecurity researchers at Symantec’s Threat Hunter team reported in a statement the discovery of two new Linux vulnerabilities that could be exploited to allow potential attackers to circumvent the system’s mitigations for attacks such as Meltdown or Spectre and extract data from the kernel memory.
Piotr Krysiuk, a member of Symantec’s Threat Hunter team, discovered the two flaws, which have been assigned CVE-2020-27170 and CVE-2020-27171. They are reported to affect all Linux kernels prior to 5.11.8. So far, security patches for the vulnerabilities have been released for Debian, Ubuntu, and Red Hat, and users are advised to install them.
More specifically, CVE-2020-27170 can be exploited to read content from any kernel memory location, whereas CVE-2020-27171 can be abused to extract data from a specific 4GB range of kernel memory.
Back in 2018, it was discovered that the Spectre and Meltdown attacks could exploit vulnerabilities in modern CPUs to leak data that is currently being processed, allowing attackers to circumvent the hardware-enforced boundaries between programs and obtain secrets such as cryptographic keys.
Browser developers have tried to protect the browser and the underlying system from such timing attacks by reducing the precision of time-measuring functions, but these measures do not solve the underlying problem.
The flaws that Symantec’s team discovered circumvent the Linux mitigations by abusing the kernel’s support for extended Berkeley Packet Filter (eBPF) programs in order to extract data from kernel memory.
According to the Symantec researchers, unprivileged BPF programs on affected systems could bypass the Linux Spectre mitigations and perform speculative out-of-bounds loads with no restrictions. The affected code is the kernel’s BPF verifier, located in “kernel/bpf/verifier.c”.
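The two facts a defender can act on from the passages above are the 5.11.8 fix threshold and the fact that the problem is reachable from unprivileged BPF. The following POSIX shell script, added here and not part of the Symantec report, classifies a kernel release string against that threshold and combines it with the value of the kernel.unprivileged_bpf_disabled sysctl (0 means unprivileged BPF is allowed). Distribution kernels that backported the fix keep an older version number, so a pre-fix verdict here means "consult your distribution’s advisory", not a confirmed exposure.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2020-27170 / CVE-2020-27171.
# Version threshold (5.11.8) is taken from the article; sysctl name is the
# standard Linux knob for unprivileged BPF, not something the article names.

# Returns 0 if the release (e.g. "5.4.0-70-generic") is older than 5.11.8,
# 1 if it is 5.11.8 or newer, or if the string carries no version at all.
kernel_older_than_fix() {
    rel=$1
    # keep only the leading dotted numeric part: "5.4.0-70-generic" -> "5.4.0"
    base=$(printf '%s' "$rel" | sed 's/[^0-9.].*//')
    major=$(printf '%s' "$base" | cut -s -d. -f1)
    minor=$(printf '%s' "$base" | cut -s -d. -f2)
    patch=$(printf '%s' "$base" | cut -s -d. -f3)
    [ -z "$major" ] && return 1          # unparseable, do not claim pre-fix
    : "${minor:=0}" "${patch:=0}"
    [ "$major" -lt 5 ] && return 0
    [ "$major" -gt 5 ] && return 1
    [ "$minor" -lt 11 ] && return 0
    [ "$minor" -gt 11 ] && return 1
    [ "$patch" -lt 8 ]
}

# Prints a one-line verdict from a release string and the sysctl value.
# Only a pre-fix kernel *with* unprivileged BPF allowed is marked EXPOSED.
assess() {
    rel=$1; bpf=$2
    if kernel_older_than_fix "$rel"; then ver="pre-fix kernel $rel"
    else ver="fixed kernel $rel"; fi
    case $bpf in
        0)       bpfmsg="unprivileged BPF allowed" ;;
        1|2)     bpfmsg="unprivileged BPF disabled" ;;
        *)       bpfmsg="unprivileged BPF status unreadable" ;;
    esac
    if kernel_older_than_fix "$rel" && [ "$bpf" = "0" ]; then
        printf 'EXPOSED: %s, %s\n' "$ver" "$bpfmsg"
    else
        printf 'ok: %s, %s\n' "$ver" "$bpfmsg"
    fi
}

# Live check of the running host; degrades to "unreadable" off Linux.
check_host() {
    rel=$(uname -r 2>/dev/null || echo unknown)
    bpf=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
    assess "$rel" "$bpf"
}
```

Run `check_host` on a machine to get the verdict for that host; the `assess` function can also be fed release strings collected from an inventory.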
In practice, exploiting these flaws could allow an unprivileged local user (the attacker) to gain access to restricted data belonging to other users on the same vulnerable machine.
Another possible scenario is an attacker who has already gained remote access to a vulnerable Linux machine, for example via malware downloaded by the user. In that case, the attacker could exploit the vulnerability to escalate to an account with administrative privileges and thus obtain full control over the system.