Cybersecurity researchers on Monday disclosed two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could let attackers circumvent mitigations for speculative attacks such as Spectre and obtain sensitive information from kernel memory.
Discovered by Piotr Krysiuk of Symantec's Threat Hunter team, the flaws — tracked as CVE-2020-27170 and CVE-2020-27171 (CVSS scores: 5.5) — impact all Linux kernels prior to 5.11.8. Patches for the security issues were released on March 20, with Ubuntu, Debian, and Red Hat deploying fixes for the vulnerabilities in their respective Linux distributions.
While CVE-2020-27170 can be abused to reveal content from any location within the kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.
First documented in January 2018, Spectre and Meltdown take advantage of flaws in modern processors to leak data that are currently processed on the computer, thereby allowing a bad actor to bypass boundaries enforced by the hardware between two programs to get hold of cryptographic keys.
Put differently, the two side-channel attacks permit malicious code to read memory that they would typically not have permission to. Even worse, the attacks could also be launched remotely via rogue websites running malicious JavaScript code.
Although isolation countermeasures have been devised and browser vendors have incorporated defenses to offer protection against timing attacks by reducing the precision of time-measuring functions, the mitigations have been at an operating system level rather than a solution for the underlying issue.
The new vulnerabilities uncovered by Symantec aim to get around these mitigations in Linux by taking advantage of the kernel's support for extended Berkeley Packet Filters (eBPF) to extract the contents of the kernel memory.
"Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and execute speculatively out-of-bounds loads with no restrictions," Symantec said. "This could then be abused to reveal contents of the memory via side-channels."
Specifically, the kernel ("kernel/bpf/verifier.c") was found to perform undesirable out-of-bounds speculation on pointer arithmetic, thus defeating fixes for Spectre and opening the door for side-channel attacks.
In a real-world scenario, unprivileged users could leverage these weaknesses to gain access to secrets from other users sharing the same vulnerable machine.
"The bugs could also potentially be exploited if a malicious actor was able to gain access to an exploitable machine via a prior step — such as downloading malware onto the machine to achieve remote access — this could then allow them to exploit these vulnerabilities to gain access to all user profiles on the machine," the researchers said.
News of the two flaws come weeks after Google published a proof-of-concept (PoC) code written in JavaScript to demonstrate Spectre in a web browser and leak data at a speed of 1 kilobyte per second (kB/s) when running on Chrome 88 on an Intel Skylake CPU.