CVE-2023-1998 - Linux Kernel Bypasses Spectre-BTI Mitigation Leaving Processes Vulnerable to Attack

A newly discovered vulnerability in the Linux kernel (CVE-2023-1998) allows userspace processes to be exposed to attacks even after enabling the Spectre-BTI (Branch Target Injection) mitigation. This is due to the kernel inadvertently bypassing certain mitigations, including the prctl and seccomp calls, in certain cases.

About the Vulnerability

In the Linux kernel, userspace processes can enable mitigations against speculative execution vulnerabilities by using either the prctl call with the PR_SET_SPECULATION_CTRL argument or by implementing seccomp. These mitigations help protect against attacks like Spectre and Meltdown.

However, we noticed that on VMs of at least one major cloud provider, the kernel still left victim processes exposed to attacks in some cases, even after enabling the Spectre-BTI mitigation with prctl. The same behavior can also be observed on a bare-metal machine when forcing the mitigation to Indirect Branch Restricted Speculation (IBRS) on the boot command line.

The root cause of this vulnerability is a flaw in the kernel's logic that determines whether Single Thread Indirect Branch Predictors (STIBP) is needed when IBRS is enabled. When regular IBRS is enabled (not Enhanced IBRS), the kernel assumes that STIBP is unnecessary, as the IBRS bit implicitly offers protection against branch target injection between threads. However, with legacy IBRS, the IBRS bit is cleared when returning to userspace for performance reasons. This results in the implicit STIBP protection being disabled and leaving userspace threads vulnerable to cross-thread branch target injection attacks, which STIBP is designed to protect against.

Here is a code snippet for enabling the Spectre-BTI mitigation using the prctl call

#include <sys/prctl.h>
#include <linux/prctl.h>

int main() {
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, , , ) == -1) {
        perror("prctl");
        return 1;
    }

    // Your code here
    return ;
}

Exploit Details

This vulnerability is registered as CVE-2023-1998. An exploit for this vulnerability would primarily target cloud platforms and bare-metal machines running on Linux kernels with Speculative Store Bypass mitigations enabled but not properly secured, leaving the victim processes wide open to attack. Successful exploitation would allow an attacker to potentially execute arbitrary code, leak sensitive information, and bypass existing in-place defenses.

Original References

* Linux Kernel Mailing List post detailing the issue: https://lore.kernel.org/linux-kernel/20190428234213.shtml
* More information about prctl and PR_SET_SPECULATION_CTRL: https://man7.org/linux/man-pages/man2/prctl.2.html
* Documentation about seccomp: https://www.kernel.org/doc/Documentation/userspace-api/seccomp_filter.rst
* CVE-2023-1998 entry in the CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1998

Conclusion

CVE-2023-1998 is a significant vulnerability in the Linux kernel that could expose userspace processes to attacks, despite enabling the Spectre-BTI mitigation. It's important for cloud providers and Linux kernel maintainers to address this issue swiftly in order to protect users from potential exploitation. Linux distribution providers and system administrators should also ensure they are using the latest kernel version with proper fixes in place to protect their systems.

Timeline

Published on: 04/21/2023 15:15:00 UTC
Last modified on: 05/03/2023 15:16:00 UTC