On Monday, March 29th, security researchers disclosed two vulnerabilities in the Linux kernel that can be used to bypass the mitigations against speculative-execution attacks such as Spectre and to extract sensitive data from kernel memory.
The vulnerabilities, CVE-2020-27170 and CVE-2020-27171 (both rated 5.5 out of 10 on the CVSS severity scale), were discovered by Piotr Krysiuk of Symantec's Threat Hunter Team and affect all Linux kernel versions prior to 5.11.8. Fixes for Ubuntu, Debian and Red Hat were released on March 20, 2021.
CVE-2020-27170 can be used to read content from anywhere in kernel memory, while CVE-2020-27171, an off-by-one error in the same verifier code, can be used to read kernel memory within a 4 GB range.
The Spectre and Meltdown vulnerabilities, disclosed in January 2018, exploit speculative execution in modern processors to leak data being processed on the machine, allowing an attacker to cross the hardware-enforced boundaries between applications. In other words, these two side-channel attacks let malicious code read memory it normally has no permission to access.
Mitigations were added, including measures against timing attacks that reduce the resolution of timer functions, but these were operating-system-level workarounds that did not address the underlying hardware problem.
The vulnerabilities discovered by Krysiuk allow these mitigations to be bypassed on Linux by abusing the kernel's support for extended Berkeley Packet Filter (eBPF) programs to read kernel memory contents.
Specifically, the BPF verifier (kernel/bpf/verifier.c) was found to permit unwanted speculation on out-of-bounds pointer arithmetic, which defeats the Spectre mitigations and leaves the system open to side-channel attacks.
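The verifier's defence against this class of bug is to rewrite every pointer + scalar operation in an unprivileged eBPF program so that the scalar is clipped to a per-pointer limit with branch-free arithmetic, which stays correct even when the CPU speculates past a mispredicted bounds check. The following is an added example, not code from the kernel or from Symantec: a user-space C model of that clipping, with all names (area, ptr_limit_right, clip_mask, effective_offset, sanitized_load, all_loads_in_bounds) and the sample 16-byte "map value" my own constructions. It cannot show the timing leak itself; what it shows is why the limit fed to the mask must be the last valid offset rather than the area size, since a limit that is one too large lets exactly one byte past the area through, the kind of limit error behind CVE-2020-27171.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the branchless
 * pointer-arithmetic clipping that the BPF verifier injects to defeat
 * Spectre v1 on pointer + scalar operations. All names are assumptions;
 * the kernel's own register and limit bookkeeping is in kernel/bpf/verifier.c. */

/* Constructed sample "map value": 16 in-bounds bytes followed by a guard byte
 * standing in for whatever happens to sit past the end of the area. */
#define AREA_SIZE 16u
static uint8_t area[AREA_SIZE + 1] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x53 /* guard byte one past the end; must never be reachable */
};

/* Largest offset that may still be added to a pointer standing at cur_off
 * inside an area of `size` bytes without leaving it (the last valid byte). */
static uint64_t ptr_limit_right(uint64_t size, uint64_t cur_off)
{
    return size - cur_off - 1;
}

/* The same computation with the -1 forgotten: the "limit" now names the first
 * byte past the end, and the inclusive clip below lets it through. */
static uint64_t ptr_limit_right_off_by_one(uint64_t size, uint64_t cur_off)
{
    return size - cur_off;
}

/* Branchless mask: all ones when 0 <= off <= limit, zero otherwise.
 * Straight-line arithmetic only, so it holds on a speculatively executed path
 * where a preceding bounds branch was mispredicted. Assumes limit < 2^63. */
static uint64_t clip_mask(uint64_t limit, uint64_t off)
{
    uint64_t ax = limit - off;   /* high bit set iff off > limit (wraps) */
    ax |= off;                   /* high bit also set iff off is "negative" */
    ax = 0 - ax;                 /* flips the high bit for every value but 0 and 2^63 */
    return 0 - (ax >> 63);       /* 0xFFFF...FFFF if high bit set, 0 otherwise */
}

/* Offset actually used for the access after sanitization. */
static uint64_t effective_offset(uint64_t limit, uint64_t off)
{
    return off & clip_mask(limit, off);
}

/* Read area[cur_off + off] the way a sanitized program would: the offset is
 * clipped before the pointer arithmetic, so the address is in bounds whichever
 * way an earlier bounds branch was predicted. */
static uint8_t sanitized_load(uint64_t limit, uint64_t cur_off, uint64_t off)
{
    return area[cur_off + effective_offset(limit, off)];
}

/* Returns 1 if every offset in [0, 4*size) and every "negative" offset near
 * the top of the 64-bit range is clipped so the access stays below `size`. */
static int all_loads_in_bounds(uint64_t size, uint64_t cur_off, uint64_t limit)
{
    for (uint64_t off = 0; off < 4 * size; off++)
        if (cur_off + effective_offset(limit, off) >= size)
            return 0;
    for (uint64_t off = UINT64_MAX; off > UINT64_MAX - 4 * size; off--)
        if (cur_off + effective_offset(limit, off) >= size)
            return 0;
    return 1;
}

int main(void)
{
    uint64_t cur_off = 8;   /* pointer sits 8 bytes into the 16-byte area */
    uint64_t good = ptr_limit_right(AREA_SIZE, cur_off);
    uint64_t bad  = ptr_limit_right_off_by_one(AREA_SIZE, cur_off);

    printf("limit %llu: every load in bounds -> %d\n",
           (unsigned long long)good, all_loads_in_bounds(AREA_SIZE, cur_off, good));
    printf("limit %llu: every load in bounds -> %d\n",
           (unsigned long long)bad, all_loads_in_bounds(AREA_SIZE, cur_off, bad));
    printf("load at off=%llu with the too-large limit reads 0x%02x (the guard byte)\n",
           (unsigned long long)bad, sanitized_load(bad, cur_off, bad));
    return 0;
}
```

With the correct limit (7 for a pointer 8 bytes into a 16-byte area) every offset, including wrapped "negative" ones, is forced to 0 or kept within the area; with the limit computed as 8 the offset 8 survives the mask and the load lands on the byte just past the end. On real hardware that one speculative out-of-bounds read is enough to feed a cache side channel, which is why the limit computation is as security-critical as the mask itself.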
In a real-world scenario, an unprivileged local user could exploit these vulnerabilities to obtain sensitive data belonging to other users of the same vulnerable machine. The attack requires the ability to load eBPF programs, so it applies where unprivileged users are allowed to do so (the kernel.unprivileged_bpf_disabled sysctl set to 0); setting that sysctl to 1 blocks unprivileged bpf() calls on systems that cannot be updated immediately.
They can also be exploited by a remote attacker who first gains a foothold on the target system, for example by planting malware that provides remote access; from there, the attacker could read data from every user profile on the system.
Recall also that I wrote that Google experts published a PoC exploit for Spectre targeting browsers.