Piotr Krysiuk, a researcher on Symantec’s Threat Hunter team, discovered that two new vulnerabilities have been patched in the Linux kernel which, if exploited, could bypass existing mitigations for the Spectre vulnerabilities.
Affecting all Linux machines
The first vulnerability in question, numbered CVE-2020-27170, can reveal contents from any location within the kernel memory of an affected computer. Unprivileged BPF programs running on affected systems could bypass the Spectre mitigations and perform speculative out-of-bounds loads with no restrictions.
The second vulnerability, numbered CVE-2020-27171, can reveal contents from a 4 GB range of kernel memory. It is caused by a numeric error in the Spectre mitigations that protect pointer arithmetic against out-of-bounds speculation. Both vulnerabilities affect all Linux machines, but they are particularly impactful on shared systems, where they would allow one malicious user to access data belonging to other users.
If left unpatched, these vulnerabilities mean that the existing Spectre protections are not sufficient to prevent some exploitation techniques. The Linux kernel team published patches for both bugs on March 17, 2021, and 3 days later the fixes were included in new kernel point releases.
What are Meltdown and Spectre?
Spectre and Meltdown are the flaws that were discovered in January 2018. Both are vulnerabilities in the processor itself rather than in software. Spectre works by observing side effects left behind by speculative execution. Variants of Spectre affect virtually all modern processors, including chips from Intel, ARM, and AMD.
Meltdown is a processor flaw that bypasses the memory isolation enforced by the operating system. It allows information to be stolen from memory in use by other applications or users.
“A successful exploit of the vulnerabilities could allow attackers to gain unauthorized access to a computer’s memory, including sensitive information, such as passwords. However, the vulnerabilities were only exploitable if the attacker already had access to the machines – if they were a local user or had gained access with an additional step, such as deploying a remote access Trojan (RAT) on the machine,” wrote Symantec in a blog post.
Mitigation
The patches for these bugs were first published on March 17, 2021, and are included in Stable 5.11.8 (released March 20, 2021), Longterm 5.10.25 (released March 20, 2021), Longterm 5.4.107 (released March 20, 2021), Longterm 4.19.182 (released March 20, 2021), and Longterm 4.14.227 (released March 24, 2021).
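As an added example (not from the article or from the kernel project), the following POSIX shell script checks two things a defender would want to know on a host: whether the running kernel is at or above the fixed point release for its stable or longterm series, using the version numbers listed above, and whether unprivileged BPF is disabled via the kernel.unprivileged_bpf_disabled sysctl, which removes the unprivileged-BPF precondition described for CVE-2020-27170. The fixed-version table, the version-parsing regex and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the article. Checks whether a kernel release string
# is at or above the fixed point release for its series, and whether unprivileged
# BPF is disabled. Fixed releases are the ones listed in the article (assumed
# complete for this example).
FIXED_VERSIONS="5.11.8 5.10.25 5.4.107 4.19.182 4.14.227"

# kernel_base_version STRING -> prints "major.minor.patch" from a release string
# such as "5.10.25-1-amd64"; prints nothing if no dotted triple is present.
kernel_base_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B -> exit 0 if dotted triple A >= B, else exit 1
version_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# kernel_patched RELEASE -> prints "patched", "unpatched" or "unknown-series".
# Only mainline point releases are compared; distribution kernels that backport
# the fix under their own package version will show up as "unpatched" or
# "unknown-series" and must be checked against the distribution advisory instead.
kernel_patched() {
    v=$(kernel_base_version "$1")
    [ -n "$v" ] || { echo "unknown-series"; return 2; }
    series=${v%.*}
    for fixed in $FIXED_VERSIONS; do
        if [ "${fixed%.*}" = "$series" ]; then
            if version_ge "$v" "$fixed"; then
                echo "patched"; return 0
            else
                echo "unpatched"; return 1
            fi
        fi
    done
    echo "unknown-series"; return 2
}

# unprivileged_bpf_state -> prints "enabled", "disabled", "unknown" or "n/a".
# Reads /proc directly so it works without the sysctl binary; 1 and 2 both mean
# unprivileged BPF is disabled (2 is the irreversible setting).
unprivileged_bpf_state() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            0)   echo "enabled" ;;
            1|2) echo "disabled" ;;
            *)   echo "unknown" ;;
        esac
    else
        echo "n/a"
    fi
}

# Usage: sh check_spectre_bpf.sh --check
if [ "${1:-}" = "--check" ]; then
    rel=$(uname -r)
    echo "kernel $rel: $(kernel_patched "$rel")"
    echo "unprivileged BPF: $(unprivileged_bpf_state)"
fi
```

Run with `--check` on the host being assessed. A "patched" result only means the mainline version number is at or above the fixed release; on Debian, Ubuntu or Red Hat kernels, confirm against the distribution advisories linked below, since those kernels carry the fix under their own package versions.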
You can find more information about the patches at the links below:
Debian
- https://salsa.debian.org/kernel-team/linux/-/commit/6f9d6c3b36aa0eaebcc6a4d9867002fbe7f3385f
- https://salsa.debian.org/kernel-team/linux/-/commit/32ecff90fdb4be6326facc957e15ab7a6b673642
Version 10.9 (released on March 27, 2021)
- https://salsa.debian.org/kernel-team/linux/-/commit/86d793b5ca9d2a7cf0da165c3ce84d26ea9d383d
- https://salsa.debian.org/kernel-team/linux/-/commit/1cb70f1dd40da6c3280b64c27804a065b39150f2
Ubuntu
Red Hat
- https://access.redhat.com/security/cve/cve-2020-27170
- https://access.redhat.com/security/cve/cve-2020-27171
Bugzilla