Cybersecurity researchers revealed on Monday two new vulnerabilities in Linux-based operating systems that, if successfully exploited, could allow attackers to bypass mitigation for speculative attacks like Specter and gain sensitive information from kernel memory.

Found by Piotr Krysiuk of Symantec’s Threat team, the flaws – traced as CVE-2020-27170 and CVE-2020-27171 (CVSS scores: 5.5) – affect all Linux kernels before 5.11.8. Patches for the security issues were released on March 20, with Ubuntu, Debian, and Red Hat deploying solutions for the vulnerabilities in their respective Linux distributions.

While CVE-2020-27170 can be abused to expose content from any location within kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory.

First documented in January 2018, Specter and Meltdown take advantage of flaws in modern processors to dump data currently being processed on the computer, thereby allowing a bad actor to bypass boundaries enforced by the hardware between two programs to access cryptographic keys.

In contrast, both side-channel attacks allow malicious code to read memory that they would not normally be allowed. Even worse, the attacks could be launched remotely through rogue websites that run malicious JavaScript code.

While isolation countermeasures have been devised and browser vendors have incorporated defenses to offer protection against timing attacks by reducing the precision of time measurement functions, the mitigation has been at operating system level rather than a solution for the underlying issue.

The new vulnerabilities revealed by Symantec aim to move around these mitigation measures in Linux by taking advantage of kernel support for extended Berkeley Packet Filters (eBPF) to extract kernel memory content.

“Non-profit BPF programs running on affected systems could bypass Specter mitigation and randomly operate out-of-bounds shipments without any restrictions,” Symantec said. “This could then be abused to expose memory contents via side channels.”

In particular, the kernel (“kernel / bpf / verifier.c”) was found to perform unobtrusive out-of-bounds speculation on pointer arithmetic, defeating solutions for Specter and opening the door for side-channel attacks.

In a real-world scenario, not-for-profit users could leverage these vulnerabilities to access secrets from other users who share the same vulnerability machine.

“The bugs could also be exploited if a malicious actor could access a machine that can be exploited through a previous step – such as downloading malicious software onto the machine to gain remote access – this could then allow them to exploit these vulnerabilities access to all user profiles on the machine, “the researchers said.

News of the two flaws comes weeks after Google announced a proof-of-concept (PoC) code written in JavaScript to display Specter in a web browser and leak data at a speed of 1 kilowatt per second (kB / s) while running on Chrome 88 Intel Skylake CPU.

LEAVE A REPLY

Please enter your comment!
Please enter your name here