CVE-2023-0045 flaw allows hackers bypass Spectre-BTI user space mitigations on Linux
Researchers have disclosed a new technique that could be used to circumvent existing hardware mitigations in modern processors from Intel, AMD, and Arm in Linux-based operating systems and stage speculative execution attacks such as Spectre-BTI.
Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by the failure to mitigate SMT attacks. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Discovered by two security researchers Esoj (@_esoj1) and Rodrigo Branco (@bsdaemon), the security vulnerability, tracked as CVE-2023-0045, impacts all Linux kernels without the installed patch. A patch for the security issue was released on January 12.
“The Linux kernel does not correctly mitigate SMT attacks, as discovered through a strange pattern in the kernel API using STIBP as a mitigation, leaving the process exposed for a short period of time after a syscall. The kernel also does not issue an IBPB immediately during the syscall,” the researchers wrote on the security advisories.
“The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update , but the IBPB is only issued on the next schedule, when the TIF bits are checked. This leaves the victim vulnerable to values already injected on the BTB, prior to the prctl syscall.”
Attacks like Spectre are designed to break the isolation between different applications by taking advantage of an optimization technique called speculative execution in CPU hardware implementations to trick programs into accessing arbitrary locations in memory and thus leak their secrets. Spectre-BTI (Branch Target Injection) attack allows a local authenticated attacker to obtain sensitive information, caused by a branch target injection in the CPU speculative branch instruction execution feature. By conducting targeted cache side-channel attacks, an attacker could exploit this vulnerability to leak memory contents into a CPU cache and read host kernel memory.
The CVE-2023-0045 flaw uncovered by the researchers aims to bypass for user-mode applications that are mitigated by the kernel API by executing “a safe_function through a function pointer that is vulnerable to a spectre-BTI attack. The victim requests the kernel for protecting using the prctl syscall (inside protect_me). The victim also loads a secret from a text file, showing that other syscalls also dont check the TIF bit or provoke a reschedule that would force a IBPB.”
Researchers published a proof-of-concept (PoC) code written in C to demonstrate bypassing Spectre attack mitigations on Ubuntu 22.04.1 LTS.