CVE-2023-1998: Google researchers reveal Spectre v2 SMT mitigation problem in Linux kernel
Spectre v2 (branch target injection), disclosed in 2018, continues to keep security engineers busy. A newly published Linux kernel bug, CVE-2023-1998, affects the way the kernel applies the per-task Spectre v2 mitigation that userspace can request.
CVE-2023-1998 is a Linux kernel bug that causes the userspace Spectre v2 mitigation to silently fail in some configurations. When a process asks for the mitigation, either through prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, ...) or implicitly by installing a seccomp filter, the kernel may still leave that process exposed to branch target injection from the sibling hyperthread. The issue has been observed on virtual machines from at least one major cloud provider, and on bare-metal machines when the mitigation is forced to IBRS at boot.
The root cause lies in how the kernel treats plain IBRS (Indirect Branch Restricted Speculation) versus STIBP (Single Thread Indirect Branch Predictors). While the IBRS bit is set it implicitly protects against cross-thread branch target injection, so the kernel's mitigation-selection logic concludes that STIBP is not needed whenever IBRS is the selected mitigation. With legacy (non-enhanced) IBRS, however, the kernel clears the IBRS bit on every return to userspace for performance reasons. Userspace threads therefore run with neither IBRS nor STIBP in effect and remain vulnerable to cross-thread branch target injection, even after they have asked for protection.
The severity is rated medium: an application can be attacked by another process running on the same physical core in the sibling hyperthread, which can steer the victim's indirect branches speculatively and leak its memory through a side channel.
The bug is present in kernel 6.2, which contains an optimization that disables STIBP when the selected mitigation is either IBRS or eIBRS. That is only correct for eIBRS: enhanced IBRS stays in effect in userspace and does mitigate SMT (Simultaneous Multi-Threading) attacks on userspace, while legacy IBRS does not. Booting a bare-metal machine without eIBRS support with spectre_v2=ibrs on the kernel command line therefore also triggers the bug. The upstream fix narrows the check so that STIBP is skipped only under eIBRS and can again be enabled alongside legacy IBRS.
The proof of concept uses two processes, an attacker and a victim. The attacker continually poisons an indirect call so that the victim's matching branch is speculatively redirected to an attacker-chosen target, while the victim measures the resulting misprediction rate and tries to turn the mitigation on. The victim requests the mitigation either through prctl() or by writing IA32_SPEC_CTRL (the MSR that carries the IBRS and STIBP bits) directly, using a kernel module that exposes MSR read and write operations to userspace; the misprediction rate shows whether the protection actually took effect.
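The prctl request described above and the IBRS-versus-STIBP condition from the root-cause section can both be checked from userspace without the researchers' microarchitectural harness. The following is an added example, not code from the advisory or the kernel tree: it asks the kernel for the indirect-branch mitigation with prctl(), decodes what PR_GET_SPECULATION_CTRL reports, and then checks the spectre_v2 sysfs line for the dangerous combination (legacy IBRS with no active STIBP mode). The prctl constants are those from include/uapi/linux/prctl.h; the sysfs string shapes follow what arch/x86/kernel/cpu/bugs.c prints, and the sample lines embedded here are constructed for illustration. The function names are this example's own.

```c
/* Added example (not from the advisory or the kernel): request the Spectre v2
 * indirect-branch mitigation for this task and cross-check the kernel's own
 * report of the system-wide mitigation state. Function names are ours. */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Fallback definitions (values from include/uapi/linux/prctl.h) so the file
 * builds against older headers or on non-Linux hosts. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1
#endif
#ifndef PR_SPEC_PRCTL
#define PR_SPEC_NOT_AFFECTED  0
#define PR_SPEC_PRCTL         (1UL << 0)
#define PR_SPEC_ENABLE        (1UL << 1)
#define PR_SPEC_DISABLE       (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

/* Translate a PR_GET_SPECULATION_CTRL result for PR_SPEC_INDIRECT_BRANCH
 * (see Documentation/userspace-api/spec_ctrl.rst) into a short status. */
const char *ibspec_state(long v)
{
    if (v < 0)
        return "error";
    if (v == PR_SPEC_NOT_AFFECTED)
        return "not-affected";
    if (!(v & PR_SPEC_PRCTL))
        /* Not per-task controllable: the mitigation is globally on or off. */
        return (v & PR_SPEC_DISABLE) ? "always-mitigated" : "never-mitigated";
    if (v & PR_SPEC_FORCE_DISABLE)
        return "mitigated-forced";   /* speculation off, cannot be re-enabled */
    if (v & PR_SPEC_DISABLE)
        return "mitigated";
    return "unmitigated";            /* PR_SPEC_ENABLE: speculation allowed */
}

/* Ask the kernel to disable indirect-branch speculation for this task, i.e.
 * to apply STIBP/IBPB for it, and return what it claims afterwards (raw
 * PR_GET value) or -1 with errno set. FORCE_DISABLE makes the request sticky. */
long request_ib_mitigation(void)
{
#ifdef __linux__
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
              PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Given one line of /sys/devices/system/cpu/vulnerabilities/spectre_v2,
 * return 1 when the kernel runs legacy IBRS ("Mitigation: IBRS", not the
 * "Enhanced ..." variant) and reports no STIBP mode that could protect a
 * userspace task. In that configuration the prctl above changes nothing
 * about what the sibling hyperthread can do to this process. */
int legacy_ibrs_without_stibp(const char *line)
{
    static const char prefix[] = "Mitigation: IBRS";

    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return 0;   /* retpolines, eIBRS, "Vulnerable", "Not affected", ... */
    if (strstr(line, "STIBP: conditional") ||
        strstr(line, "STIBP: forced") ||
        strstr(line, "STIBP: always-on"))
        return 0;   /* STIBP can actually be applied to userspace tasks */
    return 1;
}

/* Read the live sysfs line; -1 if unavailable (non-x86, sandboxed sysfs). */
int read_spectre_v2_state(char *buf, size_t len)
{
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spectre_v2", "r");
    if (!f || !fgets(buf, (int)len, f)) {
        if (f) fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Constructed sample lines for the two shapes a practitioner would compare. */
const char *sample_legacy_ibrs_no_stibp =
    "Mitigation: IBRS, IBPB: conditional, RSB filling, PBRSB-eIBRS: Not affected";
const char *sample_legacy_ibrs_with_stibp =
    "Mitigation: IBRS, IBPB: conditional, STIBP: conditional, RSB filling";
const char *sample_eibrs =
    "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling";

int main(void)
{
    char line[256];
    long v = request_ib_mitigation();

    printf("prctl reports: %s (raw %ld)\n", ibspec_state(v), v);
    if (read_spectre_v2_state(line, sizeof line) == 0) {
        printf("sysfs spectre_v2: %s\n", line);
        if (legacy_ibrs_without_stibp(line))
            printf("WARNING: legacy IBRS with no STIBP mode; the prctl above "
                   "does not protect this task from its sibling hyperthread\n");
    } else {
        printf("sysfs spectre_v2 state unavailable\n");
    }
    return 0;
}
```

The point of pairing the two checks is that on an affected kernel the prctl can succeed and report the task as mitigated while no STIBP is ever applied, so the prctl return value alone is not evidence of protection; the sysfs line is the cheapest indicator short of measuring the misprediction rate as the researchers' proof of concept does.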
CVE-2023-1998 illustrates how fragile the interplay between Spectre v2 mitigations has become: an optimization that is correct for eIBRS silently removed protection under legacy IBRS, and the affected processes had no way to tell. Administrators should update to a kernel carrying the fix, and anyone relying on the per-task mitigation on legacy IBRS systems should verify that the kernel now reports a STIBP mode for userspace rather than assuming that a successful prctl() or seccomp request means the process is protected.