Cybersecurity researchers from the Systems and Network Security Group (VUSec) at Vrije Universiteit Amsterdam have unveiled what they describe as the “first native Spectre v2 exploit” against the Linux kernel on Intel systems. This exploit, named Native Branch History Injection (BHI), poses a serious threat by potentially allowing attackers to read sensitive data from system memory.
The Native BHI Exploit Explained
The VUSec researchers detailed in a recent study that the Native BHI exploit can leak arbitrary kernel memory at a rate of 3.5 kB/sec, effectively bypassing existing Spectre v2/BHI mitigations. This vulnerability, tracked as CVE-2024-2201, has been identified to impact all Intel systems susceptible to BHI.
The exploit was initially disclosed by VUSec in March 2022, highlighting a technique that can circumvent Spectre v2 protections on modern processors from Intel, AMD, and Arm. While the attack originally leveraged extended Berkeley Packet Filters (eBPFs), Intel’s response included recommendations to disable Linux’s unprivileged eBPFs as a countermeasure.
Intel’s statement revealed the risk posed by unprivileged eBPFs, stating that they “significantly increase the risk of transient execution attacks, even when defenses against intra-mode [Branch Target Injection] are present.” Despite recommendations to disable unprivileged eBPFs, Native BHI has demonstrated that this countermeasure is ineffective without eBPF.
Why Current Mitigation Strategies Don’t Work
As outlined by the CERT Coordination Center (CERT/CC), current strategies like deactivating privileged eBPF and activating (Fine)IBT are inadequate in thwarting BHI attacks on the kernel and hypervisor. This vulnerability empowers unauthorized attackers with CPU access to manipulate speculative execution paths through malicious software, with the goal of extracting sensitive data linked to diverse processes.
The impact of the Native BHI exploit extends to various platforms, including Illumos, Intel, Red Hat, SUSE Linux, Triton Data Center, and Xen. While AMD has acknowledged the issue, it has stated that it is not currently aware of any impact on its products.
This disclosure follows recent research from ETH Zurich, which revealed a family of attacks known as Ahoi Attacks targeting hardware-based trusted execution environments (TEEs). These attacks, including Heckler and WeSee, utilize malicious interrupts to compromise the integrity of confidential virtual machines (CVMs) like AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel Trust Domain Extensions (TDX).