BHI is a new Spectre-class vulnerability in Intel and Arm processors

A team of researchers from VU Amsterdam (Vrije Universiteit Amsterdam) has identified a new vulnerability in the microarchitecture of Intel and Arm processors. It is an extension of Spectre-v2 that bypasses the eIBRS (Intel) and CSV2 (Arm) protections added to newer processors. The vulnerability has been given several names: BHI (Branch History Injection, CVE-2022-0001), BHB (Branch History Buffer, CVE-2022-0002) and Spectre-BHB (CVE-2022-23960, Arm's identifier). These describe different manifestations of the same problem: BHI is an attack across privilege levels, for example from a user process against the kernel, while BHB is an attack within the same privilege level, for example from an eBPF JIT program against the kernel.

The researchers have demonstrated a working exploit that lets user space extract arbitrary data from kernel memory. As an example, the exploit recovers from kernel buffers the root user's password hash, loaded from the /etc/shadow file. The exploit exercises the vulnerability within a single privilege level (a kernel-to-kernel attack) using an eBPF program loaded by an unprivileged user. The researchers do not rule out replacing eBPF with Spectre gadgets already present in kernel code, that is, instruction sequences that lead to the speculative execution the attack needs.

The vulnerability is present in most current Intel processors, with the exception of the Atom family. Among Arm processors, Cortex-A15, Cortex-A57, the Cortex-A7x series, Cortex-X1, Cortex-X2, Cortex-A710, Neoverse N1, Neoverse N2, Neoverse V1 and possibly some Cortex-R cores are affected. According to the research, the vulnerability does not manifest itself on AMD processors. Several software mitigations have been proposed that can be used until hardware protection appears in future CPU models.

To block attacks through the eBPF subsystem, it is recommended to disable loading of eBPF programs by unprivileged users by writing 1 to /proc/sys/kernel/unprivileged_bpf_disabled or by running "sysctl -w kernel.unprivileged_bpf_disabled=1" (note that a value of 1 cannot be changed back until reboot; a value of 2 also disables unprivileged loading but can be reset to 0 by root). To block attacks through gadgets, it is recommended to place the LFENCE speculation barrier in code paths that could be executed speculatively after a mispredicted branch. Notably, the default configuration of most Linux distributions already contains mitigations sufficient to block the eBPF attack demonstrated by the researchers: Intel's recommendation to disable unprivileged eBPF is applied by default starting with the Linux 5.16 kernel and is being backported to earlier branches.
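The following script checks the two mitigation settings discussed above on a Linux host. It is an added example, not something from the original article: the sysctl values and the format of the kernel's spectre_v2 sysfs line are real, but the sample inputs fed to the parsing functions are constructed here for illustration.

```shell
#!/bin/sh
# Checks for the two software mitigations described above on a Linux host.
# Added example, not from the original article. The *_state functions take the
# file contents as an argument so they can be exercised on constructed input;
# check_host feeds them the real /proc and /sys files when those exist.

# kernel.unprivileged_bpf_disabled (Linux sysctl):
#   0 = unprivileged bpf() allowed, 1 = disabled without recovery (until reboot),
#   2 = disabled but root may set it back to 0. Both 1 and 2 close the eBPF vector.
bpf_state() {
    case "$1" in
        1|2) echo ok ;;
        0)   echo warn ;;
        *)   echo unknown ;;
    esac
}

# /sys/devices/system/cpu/vulnerabilities/spectre_v2 is a single line that
# begins with "Not affected", "Mitigation: ..." or "Vulnerable[: ...]".
spectre_v2_state() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                 echo warn ;;
        *)                             echo unknown ;;
    esac
}

# Human-readable report for one (bpf value, spectre_v2 line) pair.
report() {
    printf '%-20s %s (%s)\n' "unprivileged_bpf:" "$(bpf_state "$1")" "$1"
    printf '%-20s %s (%s)\n' "spectre_v2:"       "$(spectre_v2_state "$2")" "$2"
}

check_host() {
    bpf_file=/proc/sys/kernel/unprivileged_bpf_disabled
    v2_file=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$bpf_file" ] && [ -r "$v2_file" ]; then
        report "$(cat "$bpf_file")" "$(cat "$v2_file")"
    else
        echo "not a Linux host with sysfs vulnerability reporting"
    fi
}

# Constructed sample inputs: the formats match the kernel's, the values are
# made up for illustration.
echo "--- constructed samples ---"
report 0 "Vulnerable: eIBRS with unprivileged eBPF"
report 2 "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling"
echo "--- this host ---"
check_host
```

A "warn" for unprivileged_bpf on a kernel that otherwise reports eIBRS is exactly the configuration the demonstrated exploit targets; setting the sysctl to 2 (or 1) closes that vector without waiting for a kernel update.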

Conceptually, BHI is an extended variant of the Spectre-v2 attack in which, to bypass the added protection (Intel eIBRS and Arm CSV2) and arrange a data leak, the attacker injects values into the global Branch History Buffer (BHB), the structure the CPU uses to improve branch prediction accuracy by taking the outcomes of recent branches into account. By manipulating this branch history, the attacker creates the conditions for a misprediction and for the speculative execution of the instructions they need, whose side effects are left behind in the cache.

Apart from using the Branch History Buffer instead of the Branch Target Buffer, the new attack is identical to Spectre-v2. The attacker's task is to create conditions under which the target of a speculatively executed indirect branch is taken from memory the attacker controls. After the speculative indirect jump, the memory lines touched by the speculatively executed code remain in the cache, and one of the methods for inferring cache contents by timing accesses to cached and uncached data can then be used to recover the leaked value.
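The last step of that chain, inferring cache contents from access timing, is the same in BHI as in Spectre-v2, and is the part that can be shown in isolation. The program below is an added example, not the researchers' exploit: it implements a Flush+Reload covert channel in which transmit() stands in for the mispredicted gadget by touching one probe line directly, and fr_recover_byte() recovers which line that was purely from load timings. There is no branch-history manipulation and no speculation here. It is x86-64 only (clflush and rdtsc); the names and the probe-array layout are choices made for this example.

```c
// Flush+Reload: the cache-timing read-out that turns "the gadget touched one
// line of a probe array" into a byte. Added example, not the researchers' code:
// it models only the final step of the attack described above. There is no
// speculation here; transmit() plays the role of the mispredicted gadget by
// touching exactly one line directly. x86-64 only (clflush, rdtsc); elsewhere
// the functions compile but report unsupported.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINES  256     // one probe line per possible byte value
#define STRIDE 4096    // one page apart, so hardware prefetchers do not help
#define TRIALS 1000

#if defined(__x86_64__)
#include <x86intrin.h>
#define FR_SUPPORTED 1

/* Cycles for one load of *p, fenced so that the load itself is what is timed. */
static uint64_t time_load(volatile const uint8_t *p) {
    _mm_mfence(); _mm_lfence();
    uint64_t t0 = __rdtsc();
    uint8_t v = *p;
    _mm_lfence();
    uint64_t t1 = __rdtsc();
    (void)v;
    return t1 - t0;
}

static void flush_line(const void *p) { _mm_clflush(p); _mm_mfence(); }
#else
#define FR_SUPPORTED 0
static uint64_t time_load(volatile const uint8_t *p) { (void)p; return 0; }
static void flush_line(const void *p) { (void)p; }
#endif

static uint8_t probe[LINES * STRIDE] __attribute__((aligned(4096)));

static void setup(void) {
    static int done;
    if (!done) { memset(probe, 1, sizeof probe); done = 1; }  // back every page
}

/* Best-of-N load time for probe line 0, either kept hot or flushed each time. */
static uint64_t min_time(int hot) {
    volatile uint8_t *p = probe;
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < TRIALS; i++) {
        if (hot) { uint8_t v = *p; (void)v; } else flush_line(probe);
        uint64_t t = time_load(p);
        if (t < best) best = t;
    }
    return best;
}

/* Midpoint between a cached and an uncached load; anything faster is a hit. */
uint64_t fr_threshold(void) {
    setup();
    uint64_t hot = min_time(1), cold = min_time(0);
    return cold > hot ? hot + (cold - hot) / 2 : hot;
}

/* Sender side: evict every probe line, then touch the one selected by secret.
 * In the real attack this access happens inside the mispredicted gadget. */
static void transmit(uint8_t secret) {
    for (int i = 0; i < LINES; i++) flush_line(&probe[i * STRIDE]);
    volatile uint8_t *p = probe;
    uint8_t v = p[(size_t)secret * STRIDE];
    (void)v;
}

/* Receiver side: reload every line, vote over several rounds, and return the
 * line that was consistently fast (the secret). Returns -1 if unsupported. */
int fr_recover_byte(uint8_t secret, int rounds) {
    if (!FR_SUPPORTED) return -1;
    uint64_t threshold = fr_threshold();
    int hits[LINES] = {0};
    for (int r = 0; r < rounds; r++) {
        transmit(secret);
        for (int i = 0; i < LINES; i++) {
            int line = (i * 167 + 13) & (LINES - 1);  // scrambled order defeats the stride prefetcher
            if (time_load(&probe[line * STRIDE]) < threshold) hits[line]++;
        }
    }
    int best = 0;
    for (int i = 1; i < LINES; i++) if (hits[i] > hits[best]) best = i;
    return best;
}

int main(void) {
    printf("threshold: %llu cycles\n", (unsigned long long)fr_threshold());
    for (int s = 0; s < 256; s += 85)
        printf("sent 0x%02x, recovered 0x%02x\n", s, fr_recover_byte((uint8_t)s, 20));
    return 0;
}
```

The threshold is calibrated per run rather than hard-coded because the gap between a cached and an uncached load varies with the CPU and with virtualisation; the voting over rounds is what makes the read-out tolerate the occasional eviction or interrupt. In the real attack, the only difference is that the access in transmit() is performed by the kernel while executing the mispredicted branch target.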

Source: opennet.ru