CERT Coordination Center

Linux kernel on Intel systems is susceptible to Spectre v2 attacks

Vulnerability Note VU#155143

Original Release Date: 2024-04-09 | Last Revised: 2024-10-02

Overview

A new cross-privilege Spectre v2 vulnerability affecting modern CPU architectures that support speculative execution has been discovered. CPU hardware that uses speculative execution and is vulnerable to Spectre v2 branch history injection (BHI) is likely affected. An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget. Current research shows that the existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient to stop BHI exploitation against the kernel/hypervisor.

Description

Speculative execution is an optimization technique in which a computer system performs some task preemptively, to improve performance and provide additional concurrency whenever extra resources are available. However, these speculative executions leave traces of memory accesses or computations in the CPU's cache, buffers, and branch predictors. Attackers can take advantage of these traces and, in some cases, also influence speculative execution paths via malicious software to infer privileged data that belongs to a distinct execution. See the article Spectre Side Channels for more information. Attackers exploiting Spectre v2 take advantage of the speculative execution of indirect branch predictors: by poisoning the branch target buffer that a CPU uses to predict indirect branch addresses, they steer speculation to gadget code, leaking arbitrary kernel memory and bypassing all currently deployed mitigations.

Current mitigations rely on the unavailability of exploitable gadgets to eliminate the attack surface. However, the researchers demonstrated that their gadget analysis tool, InSpectre Gadget, uncovers new exploitable gadgets in the Linux kernel, and that those gadgets are sufficient to bypass the deployed Intel mitigations.

Impact

An attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by speculatively jumping to a chosen gadget.

Solution

Update your software according to the recommendations from the respective vendors, applying the latest mitigations available for this vulnerability and its variants.
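A defender-side check of the mitigation state that the Solution section refers to, added here as an example; it is not part of this CERT/CC note or of any vendor's tooling. It reads the kernel's own `spectre_v2` sysfs status line, which on Linux kernels carrying the BHI mitigation includes a `BHI:` field, together with the `kernel.unprivileged_bpf_disabled` sysctl that Red Hat's statement below refers to. The sample status strings are constructed and only shaped like the kernel's reporting; the exact field wording varies by kernel version and CPU, so the parser treats any line without a `BHI:` field as "unreported" rather than as mitigated.

```python
"""Defensive status check for Spectre v2 / BHI (CVE-2024-2201) on Linux.

Reads the kernel's own mitigation reporting instead of probing hardware:
  /sys/devices/system/cpu/vulnerabilities/spectre_v2   sysfs status line
  /proc/sys/kernel/unprivileged_bpf_disabled            sysctl value
The parsers are pure functions, so they can be exercised on constructed
sample strings without root and without a vulnerable machine.
"""
from pathlib import Path
from typing import Optional

SPECTRE_V2_PATH = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
UNPRIV_BPF_PATH = Path("/proc/sys/kernel/unprivileged_bpf_disabled")


def parse_spectre_v2(status: str) -> dict:
    """Split a spectre_v2 status line into a state and named fields.

    Newer kernels separate fields with ';' (so 'BHI: SW loop, KVM: SW loop'
    keeps its inner comma); older kernels used ',' and have no BHI field.
    """
    status = status.strip()
    sep = ";" if ";" in status else ","
    parts = [p.strip() for p in status.split(sep) if p.strip()]
    if not parts:
        return {"state": "", "fields": {}}
    state, _, primary = parts[0].partition(":")
    fields = {}
    if primary.strip():
        fields["primary"] = primary.strip()
    for part in parts[1:]:
        name, _, value = part.partition(":")
        fields[name.strip()] = value.strip()
    return {"state": state.strip(), "fields": fields}


def bhi_status(status: str) -> str:
    """Classify the BHI portion of a spectre_v2 line.

    not_affected  CPU reported as not affected by Spectre v2 at all
    mitigated     a BHI field is present and does not say Vulnerable
    vulnerable    a BHI field is present and reports Vulnerable
    unreported    no BHI field: the kernel predates the BHI mitigation code,
                  so sysfs cannot confirm the CVE-2024-2201 state
    """
    parsed = parse_spectre_v2(status)
    if parsed["state"] == "Not affected":
        return "not_affected"
    bhi = parsed["fields"].get("BHI")
    if bhi is None:
        return "unreported"
    if bhi.lower().startswith("vulnerable"):
        return "vulnerable"
    return "mitigated"


def unprivileged_bpf_disabled(sysctl_value: str) -> bool:
    """kernel.unprivileged_bpf_disabled: 0 = allowed, 1 or 2 = disabled."""
    return sysctl_value.strip() in ("1", "2")


def assess(spectre_v2_line: str, unpriv_bpf_value: str) -> dict:
    """Combine both signals into one list of findings for an operator."""
    bhi = bhi_status(spectre_v2_line)
    bpf_off = unprivileged_bpf_disabled(unpriv_bpf_value)
    findings = []
    if bhi == "vulnerable":
        findings.append("kernel reports BHI as Vulnerable")
    elif bhi == "unreported":
        findings.append("no BHI field in spectre_v2; kernel lacks the "
                        "CVE-2024-2201 mitigation reporting, update it")
    if not bpf_off:
        findings.append("unprivileged eBPF is enabled "
                        "(kernel.unprivileged_bpf_disabled=0)")
    return {"bhi": bhi, "unprivileged_bpf_disabled": bpf_off,
            "findings": findings}


def read_live() -> Optional[dict]:
    """Assess the running system; returns None if the sysfs entry is absent."""
    if not SPECTRE_V2_PATH.exists():
        return None
    bpf = UNPRIV_BPF_PATH.read_text() if UNPRIV_BPF_PATH.exists() else "0"
    return assess(SPECTRE_V2_PATH.read_text(), bpf)


# Constructed sample lines (not captured from any real host), shaped like
# the kernel's spectre_v2 reporting; exact wording varies by kernel and CPU.
SAMPLE_MITIGATED = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                    "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S")
SAMPLE_VULNERABLE = ("Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                     "RSB filling; PBRSB-eIBRS: SW sequence; BHI: Vulnerable")
SAMPLE_OLD_KERNEL = ("Mitigation: Enhanced IBRS, IBPB: conditional, "
                     "RSB filling, PBRSB-eIBRS: SW sequence")

if __name__ == "__main__":
    for name, line in (("mitigated", SAMPLE_MITIGATED),
                       ("vulnerable", SAMPLE_VULNERABLE),
                       ("old kernel", SAMPLE_OLD_KERNEL)):
        print(f"{name:>10}: {assess(line, '2')['findings'] or 'no findings'}")
    print("live:", read_live() or "spectre_v2 sysfs entry not present")
```

Run it on the host being assessed; a result of `unreported` is a finding in its own right, because a kernel that does not report a `BHI:` field cannot have the mitigation the advisory asks for, and a disabled unprivileged eBPF only removes the exploitation path the Red Hat statement mentions, not the underlying hardware issue.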

Acknowledgements

Thanks to Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam for discovering and reporting this vulnerability, as well as supporting coordinated disclosure. This document was written by Dr. Elke Drennan, CISSP.

Vendor Information

Apple Affected

Notified: 2023-11-17 | Updated: 2024-04-16

Statement Date: April 11, 2024

CVE-2022-0001 Not Affected
CVE-2024-2201 Affected

Vendor Statement

We'd like to thank the researchers for their work. It helps improve our understanding of these types of vulnerabilities. Our engineering teams conducted a thorough review and determined that Apple silicon based systems are not vulnerable to this type of attack. While Intel based Macs may be susceptible in theory, we are not aware of any proof-of-concept that demonstrates actual exploitability on the platform. We will continue to monitor research in this area, and will work to protect our customers if anything changes.

Illumos Affected

Notified: 2023-12-12 | Updated: 2024-08-06

Statement Date: August 05, 2024

CVE-2022-0001 Unknown
CVE-2024-2201 Affected

Vendor Statement

BHI mitigations will be added as part of illumos#16461, on the week of the disclosure. Further details TBD, including guidance from distros.

Intel Affected

Notified: 2023-11-14 | Updated: 2024-04-09

Statement Date: March 27, 2024

CVE-2022-0001 Unknown
CVE-2024-2201 Affected

Vendor Statement

Intel's previously published BHI technical paper, https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.html, covers this report already, especially the hardening section. Additionally, we will be publishing updated BHI guidance on April 9, 2024 in response to the new gadget that was found.

Linux Foundation Affected

Notified: 2023-11-22 | Updated: 2024-04-09

Statement Date: November 22, 2023

CVE-2022-0001 Unknown
CVE-2024-2201 Affected

Vendor Statement

This will be handled by the normal hardware-vulnerability process that the Linux kernel developers work with.

If you wish to be part of the process, please contact the documented email address and I will work with you that way. Otherwise, to attempt to do development through this tool is impossible.

Red Hat Affected

Notified: 2023-11-17 | Updated: 2024-06-13

Statement Date: June 11, 2024

CVE-2022-0001 Affected
CVE-2024-2201 Affected

Vendor Statement

The current known mechanisms to exploit this issue rely on unprivileged eBPF functionality. Unprivileged eBPF is disabled by default on Red Hat Enterprise Linux.

SUSE Linux Affected

Notified: 2023-11-17 | Updated: 2024-04-09

Statement Date: November 19, 2023

CVE-2022-0001 Unknown
CVE-2024-2201 Affected

Vendor Statement

SUSE is affected by this problem, and has also been prebriefed by Intel.

Triton Data Center Affected

Notified: 2023-12-12 | Updated: 2024-04-09

Statement Date: March 25, 2024

CVE-2022-0001 Unknown
CVE-2024-2201 Affected

Vendor Statement

Update to SmartOS 20240418. Further details are available on the illumos project statement.

Wind River Affected

Notified: 2023-11-17 | Updated: 2024-10-02

Statement Date: September 25, 2024

CVE-2022-0001 Affected
CVE-2024-2201 Affected

Vendor Statement

Fixes are provided to our customers.

Xen Affected

Notified: 2024-01-31 | Updated: 2024-04-09

Statement Date: January 31, 2024

CVE-2022-0001 Unknown
CVE-2024-2201 Affected

Vendor Statement

We have not received a statement from the vendor.

AMD Not Affected

Notified: 2024-01-16 | Updated: 2024-04-18

Statement Date: April 17, 2024

CVE-2022-0001 Not Affected
CVE-2024-2201 Not Affected

Vendor Statement

We have not received a statement from the vendor.

ARM Limited Not Affected

Notified: 2024-01-16 | Updated: 2024-04-09

Statement Date: January 19, 2024

CVE-2022-0001 Unknown
CVE-2024-2201 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

Statement Date: November 18, 2023

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Atos SE Unknown

Notified: 2024-04-11 | Updated: 2024-04-11

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Canonical Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Citrix Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Debian GNU/Linux Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Dell Unknown

Notified: 2024-01-10 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

FreeBSD Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Green Hills Software Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Joyent Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Linux Kernel Unknown

Notified: 2023-11-14 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lutomirski Consulting Unknown

Notified: 2023-11-22 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Meta Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Mozilla Unknown

Notified: 2023-11-22 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

NetBSD Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Oracle Corporation Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubuntu Unknown

Notified: 2024-01-16 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

VMware Unknown

Notified: 2023-11-17 | Updated: 2024-04-09

CVE-2022-0001 Unknown
CVE-2024-2201 Unknown

Vendor Statement

We have not received a statement from the vendor.

Other Information

CVE IDs: CVE-2022-0001 CVE-2024-2201
API URL: VINCE JSON | CSAF
Date Public: 2024-04-09
Date First Published: 2024-04-09
Date Last Updated: 2024-10-02 17:36 UTC
Document Revision: 7

Sponsored by CISA.