{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/155143#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nA new cross-privilege Spectre v2 vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware that utilizes speculative execution and is vulnerable to Spectre v2 branch history injection (BHI) is likely affected. An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget. Current research shows that the existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient to stop BHI exploitation against the kernel/hypervisor.\r\n\r\n### Description\r\nSpeculative execution is an optimization technique in which a computer system performs some task preemptively to improve performance and provide additional concurrency as and when extra resources are available. However, these speculative executions leave traces of memory accesses or computations in the CPU’s cache, buffers, and branch predictors. Attackers can take advantage of these traces and, in some cases, also influence speculative execution paths via malicious software to infer privileged data that belongs to a distinct execution context. See the article [Spectre Side Channels](https://docs.kernel.org/admin-guide/hw-vuln/spectre.html) for more information. Attackers exploiting Spectre v2 take advantage of the speculative execution driven by indirect branch predictors, which are steered to gadget code by poisoning the branch target buffer that the CPU uses to predict indirect branch addresses, leaking arbitrary kernel memory and bypassing all currently deployed mitigations.\r\n\r\nCurrent mitigations rely on the unavailability of exploitable gadgets to eliminate the attack surface. 
However, researchers demonstrated that with the use of their gadget analysis tool, InSpectre Gadget, they can uncover new, exploitable gadgets in the Linux kernel and that those gadgets are sufficient to bypass the deployed Intel mitigations.\r\n\r\n### Impact\r\nAn attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by speculatively jumping to a chosen gadget.\r\n\r\n### Solution\r\nPlease update your software according to the recommendations from the respective vendors with the latest mitigations available to address this vulnerability and its variants.\r\n\r\n### Acknowledgements\r\nThanks to Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam for discovering and reporting this vulnerability, as well as supporting coordinated disclosure. This document was written by Dr. Elke Drennan, CISSP.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK.","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL, if provided by the vendor, for more details.","title":"Limitations of Advisory"},{"category":"other","text":"This will be handled by the normal hardware-vulnerability process that the Linux kernel developers work with.\r\n\r\nIf you wish to be part of the process, please contact the documented email address and I will work with you that way. 
Otherwise, to attempt to do development through this tool is impossible.","title":"Vendor statement from Linux Foundation"},{"category":"other","text":"Intel's previously published BHI technical paper, https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.html, covers this report already, especially the hardening section. Additionally, we will be publishing updated BHI guidance on April 9, 2024 in response to the new gadget that was found.","title":"Vendor statement from Intel"},{"category":"other","text":"The current known mechanisms to exploit this issue rely on unprivileged eBPF functionality. Unprivileged eBPF is disabled by default on Red Hat Enterprise Linux.","title":"Vendor statement from Red Hat"},{"category":"other","text":"We'd like to thank the researchers for their work. It helps improve our understanding of these types of vulnerabilities. Our engineering teams conducted a thorough review and determined that Apple silicon based systems are not vulnerable to this type of attack. While Intel based Macs may be susceptible in theory, we are not aware of any proof-of-concept that demonstrates actual exploitability on the platform. We will continue to monitor research in this area, and will work to protect our customers if anything changes.","title":"Vendor statement from Apple"},{"category":"other","text":"SUSE is affected by this problem, and has also been prebriefed by Intel.","title":"Vendor statement from SUSE Linux"},{"category":"other","text":"Fixes are provided to our customers.","title":"Vendor statement from Wind River"},{"category":"other","text":"Update to SmartOS 20240418. Further details are available on the illumos project statement.","title":"Vendor statement from Triton Data Center"},{"category":"other","text":"BHI mitigations will be added as part of illumos#16461, on the week of the disclosure. 
Further details TBD, including guidance from distros.","title":"Vendor statement from Illumos"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/155143"},{"url":"https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html","summary":"https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html"},{"url":"https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.html","summary":"https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.html"},{"url":"https://www.vusec.net/projects/bhi-spectre-bhb/","summary":"https://www.vusec.net/projects/bhi-spectre-bhb/"},{"url":"https://vuls.cert.org/confluence/display/Wiki/Vulnerabilities+Associated+with+CPU+Speculative+Execution","summary":"https://vuls.cert.org/confluence/display/Wiki/Vulnerabilities+Associated+with+CPU+Speculative+Execution"},{"url":"https://www.commerce.senate.gov/2018/7/complex-cybersecurity-vulnerabilities-lessons-learned-from-spectre-and-meltdown","summary":"https://www.commerce.senate.gov/2018/7/complex-cybersecurity-vulnerabilities-lessons-learned-from-spectre-and-meltdown"},{"url":"https://www.economist.com/business/2018/01/11/spectre-and-meltdown-prompt-tech-industry-soul-searching","summary":"https://www.economist.com/business/2018/01/11/sp
ectre-and-meltdown-prompt-tech-industry-soul-searching"},{"url":"https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7018.html","summary":"Reference(s) from vendor \"AMD\""}],"title":"Linux kernel on Intel systems is susceptible to Spectre v2 attacks","tracking":{"current_release_date":"2025-04-22T17:41:07+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#155143","initial_release_date":"2024-04-09 14:44:39.560075+00:00","revision_history":[{"date":"2025-04-22T17:41:07+00:00","number":"1.20250422174107.10","summary":"Released on 2025-04-22T17:41:07+00:00"}],"status":"final","version":"1.20250422174107.10"}},"vulnerabilities":[{"title":"A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems.","notes":[{"category":"summary","text":"A cross-privilege Spectre v2 vulnerability allows attackers to bypass all deployed mitigations, including the recent Fine(IBT), and to leak arbitrary Linux kernel memory on Intel systems."}],"cve":"CVE-2024-2201","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#155143"}],"product_status":{"known_affected":["CSAFPID-705d7e6a-39cc-11f1-8422-122e2785dc9f","CSAFPID-705dc9c4-39cc-11f1-8422-122e2785dc9f","CSAFPID-705e3314-39cc-11f1-8422-122e2785dc9f","CSAFPID-705e6884-39cc-11f1-8422-122e2785dc9f","CSAFPID-705f1482-39cc-11f1-8422-122e2785dc9f","CSAFPID-705f5c4e-39cc-11f1-8422-122e2785dc9f","CSAFPID-705ff7f8-39cc-11f1-8422-122e2785dc9f","CSAFPID-706070c0-39cc-11f1-8422-122e2785dc9f","CSAFPID-7060b10c-39cc-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-705eb3ca-39cc-11f1-8422-122e2785dc9f","CSAFPID-705fa226-39cc-11f1-8422-122e2785dc9f"]}},{"title":"Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local 
access.","notes":[{"category":"summary","text":"Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access."}],"cve":"CVE-2022-0001","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#155143"}],"product_status":{"known_affected":["CSAFPID-706153b4-39cc-11f1-8422-122e2785dc9f","CSAFPID-7061fd78-39cc-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-70625304-39cc-11f1-8422-122e2785dc9f","CSAFPID-70629652-39cc-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Wind River","product":{"name":"Wind River Products","product_id":"CSAFPID-705d7e6a-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Apple","product":{"name":"Apple Products","product_id":"CSAFPID-705dc9c4-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Amazon","product":{"name":"Amazon Products","product_id":"CSAFPID-705e0790-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Linux Foundation","product":{"name":"Linux Foundation Products","product_id":"CSAFPID-705e3314-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"SUSE Linux","product":{"name":"SUSE Linux Products","product_id":"CSAFPID-705e6884-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ARM Limited","product":{"name":"ARM Limited Products","product_id":"CSAFPID-705eb3ca-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Xen","product":{"name":"Xen Products","product_id":"CSAFPID-705f1482-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-705f5c4e-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-705fa226-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Triton Data Center","product":{"name":"Triton Data Center 
Products","product_id":"CSAFPID-705ff7f8-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-706070c0-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-7060b10c-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Wind River","product":{"name":"Wind River Products","product_id":"CSAFPID-706153b4-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-7061ace2-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-7061fd78-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AMD","product":{"name":"AMD Products","product_id":"CSAFPID-70625304-39cc-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Apple","product":{"name":"Apple Products","product_id":"CSAFPID-70629652-39cc-11f1-8422-122e2785dc9f"}}]}}