BHI
Branch History Injection Microarchitectural flaws [CVE-2022-0001 (Intel), CVE-2022-0002 (Intel), CVE-2022-23960 (ARM)]
It was discovered that certain processor internals can be manipulated by unprivileged user processes such that indirect calls in kernel space speculatively execute 'gadgets' that will disclose private information.
So far, such attacks have only been demonstrated to be feasible with eBPF, so Intel recommends disabling unprivileged eBPF and keeping eIBRS enabled. There is no need to reboot in order to disable unprivileged eBPF; re-enabling eBPF will require a reboot for 5.11 kernels and earlier.
Processors that use retpoline by default (because they do not support eIBRS) have not been shown to be vulnerable to this attack.
As other potential attacks may be possible in the future, the use of retpoline is one of the possible mitigations. However, its use alone on some processors that support eIBRS is not recommended, because those processors may fall back to other predictors when the RSB is empty. So, a patch has been added that allows users to use eIBRS + retpoline by booting with the command line option spectre_v2=eibrs+retpoline. As retpoline has a performance impact, this was not made the default, so users who are concerned about potential attacks should reboot with this option.
Setting kernel command line options can be performed by editing /etc/default/grub, setting GRUB_CMDLINE_LINUX_DEFAULT as appropriate, and running update-grub afterwards.
Ubuntu is releasing updated kernels that disable unprivileged eBPF by default to address these and other security issues. Admins can re-enable it if needed via:
$ sudo sysctl kernel.unprivileged_bpf_disabled=0
Admins can disable unprivileged eBPF until the next boot via:
$ sudo sysctl kernel.unprivileged_bpf_disabled=1
Admins can disable it, but allow it to be re-enabled by an admin without rebooting, via:
$ sudo sysctl kernel.unprivileged_bpf_disabled=2
To see the current status of unprivileged eBPF, do:
$ sysctl kernel.unprivileged_bpf_disabled
A result value of 1 or 2 indicates that unprivileged eBPF is disabled. When unprivileged eBPF is disabled, a process must have the CAP_SYS_ADMIN capability (on Ubuntu 5.4.x and older kernels) or at least one of CAP_SYS_ADMIN and CAP_BPF (on Ubuntu 5.15.x and newer kernels) in order to call the bpf(2) system call.
Unprivileged eBPF has been disabled by default (while remaining re-enablable by an admin via sysctl) in Ubuntu since the introduction of 5.13 and newer kernels in Ubuntu 21.10 and the Ubuntu 20.04.4 LTS hardware enablement (HWE) kernels. Support for disabling unprivileged eBPF with the possibility of re-enabling it without a reboot has been backported to the 5.4, 4.15, and 4.4 kernels and made the default setting as of 2022-03-08.
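The two knobs described above, kernel.unprivileged_bpf_disabled and the spectre_v2=eibrs+retpoline boot option, can be checked together. The script below is an added example, not part of the Ubuntu page or its kernel packages; the verdict names (exposed, ebpf-disabled, ebpf-disabled+eibrs-retpoline) and the sample command line are constructed for illustration, and the helper functions take their inputs as arguments so they can be exercised without touching the live host.

```shell
#!/bin/sh
# Added example: classify a host's BHI posture from the sysctl value and the
# kernel command line discussed on the page. check_host reads the live files;
# the other functions work on values passed in, so they also run offline.

# Map kernel.unprivileged_bpf_disabled to the meaning the page gives each value.
bpf_state() {
    case "$1" in
        0) echo "enabled" ;;
        1) echo "disabled until next boot" ;;
        2) echo "disabled, re-enablable without reboot" ;;
        *) echo "unknown" ;;
    esac
}

# Succeeds when the command line carries spectre_v2=eibrs+retpoline as a whole
# word; the padding spaces stop e.g. spectre_v2=eibrs from matching.
cmdline_has_eibrs_retpoline() {
    case " $1 " in
        *" spectre_v2=eibrs+retpoline "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict (constructed names): exposed = unprivileged eBPF still on;
# ebpf-disabled = the state Intel recommends; ebpf-disabled+eibrs-retpoline =
# additionally booted with the optional retpoline hardening; unknown otherwise.
bhi_verdict() {
    bpf=$1; cmdline=$2
    case "$bpf" in
        0) echo exposed; return ;;
        1|2) ;;
        *) echo unknown; return ;;
    esac
    if cmdline_has_eibrs_retpoline "$cmdline"; then
        echo "ebpf-disabled+eibrs-retpoline"
    else
        echo "ebpf-disabled"
    fi
}

# Read the live values; the files may be absent on non-Linux hosts.
check_host() {
    bpf=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo unknown)
    cmdline=$(cat /proc/cmdline 2>/dev/null || echo "")
    echo "unprivileged eBPF: $(bpf_state "$bpf")"
    echo "spectre_v2 sysfs: $(cat /sys/devices/system/cpu/vulnerabilities/spectre_v2 2>/dev/null || echo n/a)"
    echo "BHI verdict: $(bhi_verdict "$bpf" "$cmdline")"
}

# Constructed sample: sysctl set to 2, booted with the page's recommended option.
echo "sample verdict: $(bhi_verdict 2 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro spectre_v2=eibrs+retpoline quiet')"
check_host
```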
Updates
Ubuntu users are recommended to update to the latest kernel. The majority of users should ensure that the following kernel packages are installed:
Ubuntu Release | Base Kernel | Hardware Enablement (HWE) Kernel
21.10 | N/A |
20.04 LTS | |
18.04 LTS | |
16.04 ESM | linux-image-4.4.0-221-generic 4.4.0-221.254 | linux-image-4.15.0-171-generic 4.15.0-171.180~16.04.1
14.04 ESM | Not affected - 3.13 kernel does not support unprivileged eBPF | linux-image-4.4.0-221-generic 4.4.0-221.254~14.04.1
Kernels derived from the above (e.g. cloud specific kernels) are also receiving the corresponding updates.
Timeline
- 2022 Mar 08: VUSec makes their findings public
- 2022 Mar 08: Ubuntu publishes the following USNs:
  - USN 5317-1 for 5.13 and 5.14 based kernels / Ubuntu 20.04, Ubuntu 21.10
  - USN 5318-1 for 5.4 based kernels / Ubuntu 20.04 LTS, Ubuntu 18.04 LTS
  - USN 5319-1 for 4.15 and 4.4 based kernels / Ubuntu 18.04 LTS, Ubuntu 16.04 ESM, Ubuntu 14.04 ESM
- 2022 Mar 09: Updated Ubuntu cloud images became available
Public Cloud Image updates
- Amazon AWS: 20220308 or newer
- Windows Azure: 20220308 or newer
- Google Compute Engine: 20220308 or newer
- Ubuntu Core Images: 20220308 or newer
Cloud Image dailies will start appearing within 4 hours of the USN announcement. At the direction of the security team, the Cloud Image Team will start manually releasing new images to the public clouds.
SecurityTeam/KnowledgeBase/BHI (last edited 2023-06-09 00:48:59 by seth-arnold)