Native-BHI

Differences between revisions 1 and 2
Revision 1 as of 2024-04-24 13:27:45
Size: 4535
Comment: first version of native-BHI KB article
Revision 2 as of 2024-05-03 19:31:52
Size: 4725
Comment: add expected versions with fixes
Line 50: Line 50:
|| 23.10 || TBD || TBD ||
|| 22.04 LTS || TBD || TBD ||
|| 23.10 || linux-image-6.5.0-35-generic 6.5.0-35.35 || N/A ||
|| 22.04 LTS || [[ https://launchpad.net/ubuntu/+source/linux/5.15.0-106.116 | linux-image-5.15.0-106-generic 5.15.0-106.116 ]] || linux-image-6.5.0-35-generic 6.5.0-35.35~22.04.1 ||
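Review bot: the 22.04 LTS base-kernel cell links to Launchpad (https://launchpad.net/ubuntu/+source/linux/5.15.0-106.116) while the 23.10 cell and the 22.04 LTS HWE cell give bare package names and versions; link all three cells or none so readers can verify each version the same way. The versions added here also leave the Timeline entry "2024 XX XX: Updated Ubuntu kernels available" and the Public Cloud Image rows at TBD in this revision; if these are the released fixes, the timeline date should be filled in alongside them.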

Native BHI (Branch History Injection) (CVE-2024-2201)

Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida from the Vrije Universiteit Amsterdam discovered that some Intel® Processors can be manipulated by unprivileged user processes such that indirect calls in kernel space speculatively execute 'gadgets' that will disclose private information.

This attack uses different techniques to identify and potentially exploit gadgets that were not covered by the previous BHI publication (BHI is a variant of Spectre v2). The main difference from the original BHI attack is that the original relied on eBPF, and the mitigation was to disable unprivileged eBPF. The new publication shows that attacks remain possible without eBPF.

To this end, the researchers created a tool called InSpectre Gadget, an in-depth Spectre gadget inspector, to analyze candidate gadgets that could be used in the attack. The tool outputs candidate gadgets that can be reached through a syscall, so that the corresponding entry is inserted in the BTB (Branch Target Buffer) and a BHI attack can be performed from there. Since this does not depend on eBPF, the previously proposed mitigation does not stop the attack.

The CPU vendors' responses: AMD and Arm stated that their existing mitigations are sufficient, and Intel updated its BHI mitigation guidance with extra recommendations. No additional microcode update is needed.

Ubuntu kernels are being updated with upstream Linux kernel commits that add the spectre_bhi boot parameter, which controls the mitigation of the BHI vulnerability: on CPUs that support it, the hardware BHI control is used (enabling BHI_DIS_S); on other CPUs, a software BHB (Branch History Buffer) clearing sequence is run at privilege boundaries. The parameter defaults to spectre_bhi=auto, which corresponds to CONFIG_BHI set to enable (auto). Future releases will change this to enabled (on), following the upstream Linux kernel updates.
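As an added example (not part of this KB article or of Ubuntu's own tooling), the bash script below reads how a running kernel reports the BHI mitigation described above: the "BHI:" component that the upstream spectre_bhi patches append to the spectre_v2 sysfs status, and the spectre_bhi= value on the kernel command line. The sample status strings in the comments are the forms upstream emits; the mitigated/vulnerable mapping is this example's own.

```shell
#!/usr/bin/env bash
# Added example: report the kernel's own view of the Native BHI mitigation.
# Upstream spectre_v2 status lines end with one of, for example:
#   "; BHI: Not affected"            "; BHI: BHI_DIS_S"
#   "; BHI: SW loop, KVM: SW loop"   "; BHI: Vulnerable (Syscall hardening enabled)"
# Kernels without the BHI patches print no "BHI:" component at all.
set -u

SPECTRE_V2_FILE=/sys/devices/system/cpu/vulnerabilities/spectre_v2
CMDLINE_FILE=/proc/cmdline

# Extract the BHI component of a spectre_v2 status line, dropping any
# trailing ", KVM: ..." part. Prints "unknown" if the kernel predates the
# BHI reporting patches, which is itself a sign the fix is missing.
bhi_state() {
    local status="$1" rest
    case "$status" in
        *"BHI: "*) rest="${status#*"BHI: "}"; printf '%s\n' "${rest%%,*}" ;;
        *)         printf 'unknown\n' ;;
    esac
}

# Map the BHI component to a verdict (this mapping is the example's own):
# hardware control, software loop and retpoline count as mitigated.
bhi_verdict() {
    case "$(bhi_state "$1")" in
        "Not affected"|"BHI_DIS_S"|"SW loop"|"Retpoline") echo mitigated ;;
        unknown) echo unknown ;;
        *)       echo vulnerable ;;   # "Vulnerable", with or without a suffix
    esac
}

# Value of spectre_bhi= on the command line; when absent the kernel uses
# the default the article describes (auto).
spectre_bhi_param() {
    local word
    for word in $1; do
        case "$word" in
            spectre_bhi=*) printf '%s\n' "${word#spectre_bhi=}"; return ;;
        esac
    done
    printf 'auto (default, not set)\n'
}

main() {
    local status cmdline
    status=$(cat "$SPECTRE_V2_FILE" 2>/dev/null || echo "unavailable")
    cmdline=$(cat "$CMDLINE_FILE" 2>/dev/null || echo "")
    echo "kernel:       $(uname -r)"
    echo "spectre_v2:   $status"
    echo "BHI state:    $(bhi_state "$status") -> $(bhi_verdict "$status")"
    echo "spectre_bhi=: $(spectre_bhi_param "$cmdline")"
}

main "$@"
```

A result of "unknown" means the running kernel does not report BHI at all and should be compared against the fixed package versions in the table below.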

The first set of Ubuntu kernels to gain the new upstream mitigations are the 6.5 kernels for Ubuntu 23.10 and Ubuntu 22.04 LTS, to be released the week of April 29th, 2024.

References

Updates

Ubuntu users are recommended to update to the latest kernel. The majority of users should ensure that the following kernel packages are installed:

|| Ubuntu Release || Base Kernel || Hardware Enablement (HWE) Kernel ||
|| 23.10 || linux-image-6.5.0-35-generic 6.5.0-35.35 || N/A ||
|| 22.04 LTS || linux-image-5.15.0-106-generic 5.15.0-106.116 || linux-image-6.5.0-35-generic 6.5.0-35.35~22.04.1 ||
|| 20.04 LTS || TBD || TBD ||
|| 18.04 LTS || TBD || TBD ||
|| 16.04 ESM || TBD || TBD ||
|| 14.04 ESM || TBD || TBD ||

Kernels derived from the above (e.g. cloud specific kernels) are also receiving the corresponding updates.

Timeline

  • 2024 Apr 09: VUSec made the public disclosure
  • 2024 XX XX: Updated Ubuntu kernels available

Public Cloud Image updates

  • Amazon AWS: TBD
  • Windows Azure: TBD
  • Google Compute Engine: TBD
  • Ubuntu Core Images: TBD

Cloud Image dailies will start appearing within 4 hours of the USN announcement. At the direction of the security team, the Cloud Image Team will start manually releasing new images to the public clouds.

SecurityTeam/KnowledgeBase/Native-BHI (last edited 2024-05-03 19:31:52 by rodrigo-zaiden)