Description Preview
A vulnerability in the Linux kernel's implementation of Spectre-BTI mitigations was discovered where userspace processes remained vulnerable to cross-thread branch target injection attacks even after explicitly enabling protections. When using plain IBRS (Indirect Branch Restricted Speculation) rather than enhanced IBRS, the kernel incorrectly determined that STIBP (Single Thread Indirect Branch Predictors) was not needed. The IBRS bit was cleared when returning to userspace for performance reasons, which disabled the implicit STIBP protection and left userspace threads vulnerable to cross-thread branch target injection attacks. This issue was observed in virtual machines from at least one major cloud provider and on bare-metal machines when forcing IBRS mitigation via boot command line.
Overview
This vulnerability (CVE-2023-1998) represents a failure in the Linux kernel's Spectre variant 2 (Branch Target Injection) mitigations. The issue occurs specifically when plain IBRS is used rather than enhanced IBRS. Users who believed they were protected against Spectre-BTI attacks by calling prctl with PR_SET_SPECULATION_CTRL or using seccomp remained vulnerable to cross-thread branch target injection attacks. This is classified as CWE-203 (Information Exposure Through Discrepancy), as the system behavior differed from what users expected, potentially exposing sensitive information. The vulnerability affects systems where the IBRS bit is cleared upon returning to userspace, leaving the implicit STIBP protection disabled and creating a security gap where attackers could potentially perform branch target injection attacks across threads.
Remediation
To remediate this vulnerability:
- Update the Linux kernel to a version containing the fix (commit 6921ed9049bc7457f66c1596c5b78aec0dae4a9d)
- If running Debian systems, apply the security updates mentioned in the Debian LTS announcements
- If using a cloud provider, ensure your virtual machines are running on updated host systems
- Consider using enhanced IBRS where available instead of plain IBRS
- Verify that Spectre mitigations are properly enabled and functioning after updates by checking the status of the mitigations using tools like spectre-meltdown-checker or examining /sys/devices/system/cpu/vulnerabilities/
References
- GitHub Security Advisory: https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx
- Linux Kernel Patch: https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d
- Kernel Patch Visualization: https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d
- Debian LTS Security Announcement: https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html
- Additional Debian LTS Security Announcement: https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- ManufacturingManufacturing
- Health Care & Social AssistanceHealth Care & Social Assistance
- Public AdministrationPublic Administration
- Finance and InsuranceFinance and Insurance
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Transportation & WarehousingTransportation & Warehousing
- Educational ServicesEducational Services
- Retail TradeRetail Trade
- Other Services (except Public Administration)Other Services (except Public Administration)
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- InformationInformation
- UtilitiesUtilities
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Wholesale TradeWholesale Trade
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- ConstructionConstruction
- MiningMining
