Researchers Uncover First Native Spectre v2 Exploit Against Linux Kernel


Researchers from the Systems and Network Security Group (VUSec) at Vrije Universiteit Amsterdam have disclosed what they describe as the first native Spectre v2 exploit targeting the Linux kernel on Intel systems, one that could let attackers read sensitive data from memory.

Named Native Branch History Injection (BHI), this exploit can leak arbitrary kernel memory at a rate of 3.5 kB/sec by circumventing existing Spectre v2/BHI mitigations, as outlined in a recent study by VUSec.

The vulnerability, tracked as CVE-2024-2201, builds on BHI, which VUSec first disclosed in March 2022 as a technique for bypassing Spectre v2 protections on modern processors from Intel, AMD, and Arm.

Intel had previously recommended mitigating the issue by, among other things, disabling Linux's unprivileged extended Berkeley Packet Filter (eBPF). The Native BHI exploit shows that BHI attacks do not depend on eBPF at all, so every Intel system vulnerable to BHI is affected.

Consequently, an attacker able to run software on the CPU can use this exploit to steer speculative execution paths and extract sensitive data belonging to other processes.

According to the CERT Coordination Center (CERT/CC), existing mitigation strategies such as disabling privileged eBPF and enabling (Fine)IBT are inadequate in preventing BHI exploitation against the kernel or hypervisor.
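As an added defender-side check (not code from VUSec or the article), the script below classifies a host's exposure from the two signals discussed above: the kernel's spectre_v2 mitigation string, which on kernels carrying the BHI fixes includes a `BHI:` field, and the `kernel.unprivileged_bpf_disabled` sysctl. The `assess_bhi` function, its four result categories and the sample strings are this example's own.

```shell
#!/bin/sh
# Classify BHI exposure from the kernel's own reporting.
# $1: contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2
# $2: value of sysctl kernel.unprivileged_bpf_disabled (0 = enabled,
#     1 = disabled permanently, 2 = disabled until reboot)
# Prints one of: not-affected, mitigated, partial, vulnerable
assess_bhi() {
    spectre_v2="$1"
    bpf_disabled="$2"
    case "$spectre_v2" in
        *"Not affected"*) echo not-affected; return ;;
    esac
    # Kernels with the Native BHI fixes append a "BHI: <state>" field;
    # these states mean a kernel-side BHI mitigation is active
    # (selected with the spectre_bhi= boot parameter).
    case "$spectre_v2" in
        *"BHI: BHI_DIS_S"*|*"BHI: SW loop"*|*"BHI: Retpoline"*)
            echo mitigated; return ;;
    esac
    # No BHI field (kernel predates the fixes) or "BHI: Vulnerable".
    # Disabling unprivileged eBPF closes only the eBPF delivery vector;
    # per CERT/CC it does not stop Native BHI, so at best "partial".
    case "$bpf_disabled" in
        1|2) echo partial ;;
        *)   echo vulnerable ;;
    esac
}

# Read the live values from this host, if the kernel exposes them.
check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$f" ] || { echo unknown; return; }
    bpf="$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null || echo 0)"
    assess_bhi "$(cat "$f")" "$bpf"
}

# Run with the argument "live" to report on the current host.
case "${1:-}" in
    live) check_host ;;
esac
```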

InSpectre Gadget, the tool used to locate exploitable code fragments within the operating system kernel, enables attackers to circumvent built-in Intel microprocessor safeguards such as FineIBT and exploit speculative execution to extract data.

Gadgets, in this context, refer to code sequences whose speculative execution reveals victims' sensitive data through a covert channel.

The vulnerability impacts Illumos, Intel, Red Hat, SUSE Linux, Triton Data Center, and Xen. However, AMD has indicated that its products remain unaffected.

This disclosure follows recent cybersecurity revelations, including GhostRace (CVE-2024-2193) by IBM and VUSec, a Spectre v1 variant leveraging speculative execution and race conditions to extract data from contemporary CPU architectures.

Additional research from ETH Zurich uncovered Ahoi Attacks, a family of exploits that compromise hardware-based trusted execution environments (TEEs) and confidential virtual machines (CVMs) like AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel Trust Domain Extensions (TDX).

Heckler and WeSee, part of the Ahoi Attacks, utilize malicious interrupts to breach the integrity of CVMs, enabling threat actors to gain elevated access, execute arbitrary code, and disable firewall rules.

In response to these findings, AMD has addressed issues in the Linux kernel implementation of SEV-SNP, with fixes incorporated into the main Linux kernel codebase.