CVE-2023-1998

Spectre v2 SMT mitigations problem in Linux kernel

Severity Score

5.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

NVD
RedHat

The Linux kernel allows userspace processes to enable mitigations by calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation feature as well as by using seccomp. We had noticed that on VMs of at least one major cloud provider, the kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The same behavior can be observed on a bare-metal machine when forcing the mitigation to IBRS on boot command line.

This happened because when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic that determined that STIBP was not needed. The IBRS bit implicitly protects against cross-thread branch target injection. However, with legacy IBRS, the IBRS bit was cleared on returning to userspace, due to performance reasons, which disabled the implicit STIBP and left userspace threads vulnerable to cross-thread branch target injection against which STIBP protects.

It was found that the Linux Kernel still left the victim process exposed to attacks in some cases even after enabling the spectre-BTI mitigation with prctl. The kernel failed to protect applications that attempted to protect against Spectre v2 leaving them open to attack from other processes running on the same physical core in another hyperthread.

*Credits: N/A

CVSS Scores

NISTv3.1 5.6

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-04-12 CVE Reserved
2023-04-20 CVE Published
2023-04-20 First Exploit
2024-07-26 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-203: Observable Discrepancy
CWE-1303: Non-Transparent Sharing of Microarchitectural Resources

CAPEC

CAPEC-663: Exploitation of Transient Instruction Execution

References (8)

URL	Tag	Source
https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d	Not Applicable
https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html	Mailing List
https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html	Mailing List

URL	Date	SRC
https://www.exploit-db.com/exploits/51384	2023-04-20
https://github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx	2024-08-02

URL	Date	SRC
https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d	2023-05-03

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-1998	2024-06-11
https://bugzilla.redhat.com/show_bug.cgi?id=2187257	2024-06-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.3 Search vendor "Linux" for product "Linux Kernel" and version " < 6.3"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected