Cybersecurity researchers revealed on Monday two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could allow attackers to bypass mitigations for speculative-execution attacks such as Spectre and obtain sensitive information from kernel memory.
Found by Piotr Krysiuk of Symantec's Threat Hunter Team, the flaws, tracked as CVE-2020-27170 and CVE-2020-27171 (CVSS scores: 5.5), affect all Linux kernels prior to 5.11.8. Patches for the security issues were released on March 20, 2021, with Ubuntu, Debian, and Red Hat shipping fixes for the vulnerabilities in their respective Linux distributions.
While CVE-2020-27170 can be abused to reveal content from any location within kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.
First documented in January 2018, Spectre and Meltdown take advantage of flaws in modern processors to leak data that is currently being processed on the computer, thereby allowing a bad actor to bypass the boundaries enforced by the hardware between two programs and access secrets such as cryptographic keys.
While isolation countermeasures have been devised and browser vendors have incorporated defenses against timing attacks by reducing the precision of time-measurement functions, the mitigations have been applied at the operating-system level rather than as a fix for the underlying hardware issue.
The new vulnerabilities disclosed by Symantec get around these mitigations in Linux by taking advantage of the kernel's support for extended Berkeley Packet Filters (eBPF) to extract the contents of kernel memory.
“Unprivileged BPF programs running on affected systems could bypass the Spectre mitigation and execute speculatively out-of-bounds loads with no restrictions,” Symantec said. “This could then be abused to reveal contents of the memory via side-channels.”
In particular, the kernel's BPF verifier (kernel/bpf/verifier.c) was found to permit undesirable out-of-bounds speculation on pointer arithmetic, defeating the Spectre mitigations and opening the door to side-channel attacks. The verifier is the component that checks a user-supplied BPF program before the kernel runs it; as part of its Spectre v1 defense it rewrites pointer arithmetic so that an offset which lies beyond the object's bounds is masked off before any load can be issued, and these bugs let that masking be sidestepped.
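To make the mechanism concrete, here is an added illustration in user-space C. It is not code from the article, from Symantec, or from the Linux kernel; the function names, the sample table and the `limit_mask_nospec()` helper are this example's own. It shows the Spectre v1 shape the verifier defends against (a bounds check followed by a dependent load) next to a branchless limit mask in the same spirit as the kernel's array_index_nospec() and the verifier's pointer-arithmetic masking: the masked index can never address past the last valid element, even on a mispredicted path, so the load has nothing out of bounds to speculate on.

```c
/*
 * Added illustration, not code from the article or from the Linux kernel:
 * a bounds-checked load in its Spectre v1-exposed shape and in a hardened
 * shape that masks the index branchlessly. Names and data are constructed
 * for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WORD_BITS (sizeof(uintptr_t) * 8)

/* Constructed sample data standing in for a BPF map value or kernel array. */
static const uint8_t table[8] = {10, 11, 12, 13, 14, 15, 16, 17};
#define TABLE_LEN (sizeof table / sizeof table[0])

/*
 * Branchless mask: all ones when off <= limit, zero when off > limit.
 * (limit - off) | off has its top bit set only when the subtraction wrapped
 * (off > limit) or off itself is huge; no data-dependent branch is involved,
 * so the result holds on the speculative path as well as the architectural one.
 */
uintptr_t limit_mask_nospec(uintptr_t off, uintptr_t limit)
{
    uintptr_t over = ((limit - off) | off) >> (WORD_BITS - 1);
    return over - 1;  /* 0 - 1 wraps to all ones; 1 - 1 is zero */
}

/* Clamp an offset: unchanged when off <= limit, otherwise 0. */
uintptr_t clamp_offset(uintptr_t off, uintptr_t limit)
{
    return off & limit_mask_nospec(off, limit);
}

/*
 * Exposed shape. Architecturally correct, but the branch is the Spectre v1
 * window: a mispredicted "in bounds" lets the CPU issue table[idx] with an
 * out-of-range idx before the comparison resolves.
 */
int lookup_unsafe(size_t idx)
{
    if (idx < TABLE_LEN)
        return table[idx];
    return -1;
}

/*
 * Hardened shape. Same architectural result, but the index that reaches the
 * load is masked to 0 whenever it is past the last valid element, so no
 * out-of-range address is formed even on the mispredicted path. Note that
 * the limit must be the LAST valid offset (size - 1): passing size instead
 * lets off == size, one element past the end, through the mask unchanged.
 */
int lookup_masked(size_t idx)
{
    if (idx >= TABLE_LEN)
        return -1;
    idx = clamp_offset(idx, TABLE_LEN - 1);
    return table[idx];
}

int main(void)
{
    size_t probes[] = {0, 5, 7, 8, 9, SIZE_MAX};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx %zu -> masked idx %zu, masked lookup %d\n",
               probes[i], (size_t)clamp_offset(probes[i], TABLE_LEN - 1),
               lookup_masked(probes[i]));
    return 0;
}
```

The important property is that the mask is computed from the same operands the check uses but without a branch, so its value does not depend on branch prediction. The caveat in `lookup_masked()` is the one a reviewer should look for in any such code: the limit handed to the mask has to be the last valid offset, not the object size, or the mask permits exactly one element past the end.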
In a real-world scenario, unprivileged users could leverage these vulnerabilities to access secrets belonging to other users who share the same vulnerable machine.
“The bugs could also be exploited if a malicious actor could access a machine that can be exploited through a previous step, such as downloading malicious software onto the machine to gain remote access. This could then allow them to exploit these vulnerabilities to gain access to all user profiles on the machine,” the researchers said.