CVSS3 | 6.5 Medium |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |

AI Score | 7.4 High |
---|---|
Confidence | High |

CVSS2 | 2.1 Low |
---|---|
Access Vector | LOCAL |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:L/AC:L/Au:N/C:P/I:N/A:N |

EPSS | 0.0005 Low |
---|---|
Percentile | 16.6% |
A new cross-privilege Spectre v2 vulnerability affecting modern CPU architectures that support speculative execution has been discovered. CPU hardware that uses speculative execution and is vulnerable to Spectre v2 branch history injection (BHI) is likely affected. An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget. Current research shows that the existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient to stop BHI exploitation against the kernel/hypervisor.
Speculative execution is an optimization technique in which a processor performs some work preemptively, before it is known to be needed, to improve performance and make use of otherwise idle resources. However, speculatively executed work leaves traces of memory accesses or computations in the CPU's caches, buffers, and branch predictors. Attackers can observe these traces and, in some cases, influence speculative execution paths from malicious software to infer privileged data belonging to a distinct execution context. See the article Spectre Side Channels for more information. Attackers exploiting Spectre v2 abuse the speculative execution of indirect branches: by poisoning the CPU's branch target buffer, which predicts indirect branch targets, they steer speculation into gadget code, leaking arbitrary kernel memory and bypassing all currently deployed mitigations.
Current mitigations rely on the unavailability of exploitable gadgets to eliminate the attack surface. However, the researchers demonstrated that, using their gadget analysis tool InSpectre Gadget, they can uncover new exploitable gadgets in the Linux kernel, and that these are sufficient to bypass the deployed Intel mitigations.
An attacker with access to CPU resources may be able to read arbitrary privileged data or system registry values by speculatively jumping to a chosen gadget.
Please update your software according to the recommendations from respective vendors with the latest mitigations available to address this vulnerability and its variants.
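As an added defender-side check, not part of this advisory or any vendor's tooling: the two signals a Linux administrator can read directly are the kernel's spectre_v2 mitigation report (recent kernels append a separate BHI field) and the unprivileged-eBPF sysctl that the Red Hat statement names as the prerequisite of the known exploit paths. The sample lines below are constructed, and the exact sysfs wording is an assumption about the kernel's reporting format.

```python
import re

# Constructed sample values, not captured from a real host. Assumption: the
# format mirrors /sys/devices/system/cpu/vulnerabilities/spectre_v2, where
# kernels that report BHI append a "BHI: ..." field after a ';' separator.
SAMPLES = {
    "mitigated": "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; "
                 "RSB filling; PBRSB-eIBRS: SW sequence; BHI: BHI_DIS_S",
    "sw_loop": "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; "
               "RSB filling; PBRSB-eIBRS: Not affected; BHI: SW loop, KVM: SW loop",
    "vulnerable": "Mitigation: Enhanced IBRS; IBPB: conditional; RSB filling; "
                  "PBRSB-eIBRS: SW sequence; BHI: Vulnerable",
    "old_kernel": "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling",
}
SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"
SYSCTL = "/proc/sys/kernel/unprivileged_bpf_disabled"
def bhi_status(spectre_v2_line: str) -> str:
    """'not-affected', 'mitigated', 'vulnerable', or 'unreported' (kernel
    predates separate BHI reporting, so assume the worst)."""
    line = spectre_v2_line.strip()
    if line.startswith("Not affected"):
        return "not-affected"
    m = re.search(r"BHI:\s*([^;]+)", line)
    if not m:
        return "unreported"
    field = m.group(1).strip().lower()
    return "vulnerable" if field.startswith("vulnerable") else "mitigated"
def unprivileged_bpf_disabled(sysctl_value: str) -> bool:
    """kernel.unprivileged_bpf_disabled: 0 allows it; 1 or 2 disable it."""
    return sysctl_value.strip() in ("1", "2")
def assess(spectre_v2_line: str, sysctl_value: str) -> dict:
    """'high' = BHI vulnerable/unreported AND unprivileged eBPF allowed."""
    bhi = bhi_status(spectre_v2_line)
    bpf_off = unprivileged_bpf_disabled(sysctl_value)
    bhi_bad = bhi in ("vulnerable", "unreported")
    if bhi_bad and not bpf_off:
        risk = "high"
    elif bhi_bad or (not bpf_off and bhi != "not-affected"):
        risk = "medium"   # one of the two signals is still bad
    else:
        risk = "low"
    return {"bhi": bhi, "unprivileged_bpf_disabled": bpf_off, "risk": risk}
def read_or(path: str, fallback: str) -> str:
    """Read the live file on a Linux host; fall back to a sample elsewhere."""
    try:
        return open(path).read()
    except OSError:
        return fallback
if __name__ == "__main__":
    print(assess(read_or(SYSFS, SAMPLES["vulnerable"]), read_or(SYSCTL, "0")))
```

An "unreported" result is treated as bad on purpose: a kernel that cannot say anything about BHI has not received the mitigation code either.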
Thanks to Sander Wiebing, Alvise de Faveri Tron, Herbert Bos, and Cristiano Giuffrida from the VUSec group at VU Amsterdam for discovering and reporting this vulnerability, as well as supporting coordinated disclosure. This document was written by Dr. Elke Drennan, CISSP.
155143
Vendor: Apple
Notified: 2023-11-17 | Updated: 2024-04-16 | Statement Date: April 11, 2024
CVE | Status |
---|---|
CVE-2022-0001 | Not Affected |
CVE-2024-2201 | Affected |
We’d like to thank the researchers for their work. It helps improve our understanding of these types of vulnerabilities. Our engineering teams conducted a thorough review and determined that Apple silicon based systems are not vulnerable to this type of attack. While Intel based Macs may be susceptible in theory, we are not aware of any proof-of-concept that demonstrates actual exploitability on the platform. We will continue to monitor research in this area, and will work to protect our customers if anything changes.
Vendor: illumos
Notified: 2023-12-12 | Updated: 2024-04-09 | Statement Date: March 25, 2024
CVE | Status |
---|---|
CVE-2022-0001 | Unknown |
CVE-2024-2201 | Affected |
BHI mitigations will be added as part of illumos#<TBD>, on the week of the disclosure. Further details TBD, including guidance from distros.
Vendor: Intel
Notified: 2023-11-14 | Updated: 2024-04-09 | Statement Date: March 27, 2024
CVE | Status |
---|---|
CVE-2022-0001 | Unknown |
CVE-2024-2201 | Affected |
Intel's previously published BHI technical paper, https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.html, covers this report already, especially the hardening section. Additionally, we will be publishing updated BHI guidance on April 9, 2024 in response to the new gadget that was found.
Vendor: Linux kernel
Notified: 2023-11-22 | Updated: 2024-04-09 | Statement Date: November 22, 2023
CVE | Status |
---|---|
CVE-2022-0001 | Unknown |
CVE-2024-2201 | Affected |
This will be handled by the normal hardware-vulnerability process that the Linux kernel developers work with.
If you wish to be part of the process, please contact the documented email address and I will work with you that way. Otherwise, to attempt to do development through this tool is impossible.
Vendor: Red Hat
Notified: 2023-11-17 | Updated: 2024-04-09 | Statement Date: February 16, 2024
CVE | Status |
---|---|
CVE-2022-0001 | Unknown |
CVE-2024-2201 | Affected |
The current known mechanisms to exploit this issue rely on unprivileged eBPF functionality. Unprivileged eBPF is disabled by default on Red Hat Enterprise Linux.
Vendor: SUSE
Notified: 2023-11-17 | Updated: 2024-04-09 | Statement Date: November 19, 2023
CVE | Status |
---|---|
CVE-2022-0001 | Unknown |
CVE-2024-2201 | Affected |
SUSE is affected by this problem, and has also been prebriefed by Intel.
Vendor: SmartOS
Notified: 2023-12-12 | Updated: 2024-04-09 | Statement Date: March 25, 2024
CVE | Status |
---|---|
CVE-2022-0001 | Unknown |
CVE-2024-2201 | Affected |
Update to SmartOS 20240418. Further details are available on the illumos project statement.
For the remaining vendor records no statement has been received ("We have not received a statement from the vendor."):

Notified | Updated | Statement Date | CVE-2022-0001 | CVE-2024-2201 |
---|---|---|---|---|
2024-01-31 | 2024-04-09 | January 31, 2024 | Unknown | Affected |
2024-01-16 | 2024-04-18 | April 17, 2024 | Not Affected | Not Affected |
2024-01-16 | 2024-04-09 | January 19, 2024 | Unknown | Not Affected |
2023-11-17 | 2024-04-09 | November 18, 2023 | Unknown | Unknown |
2024-04-11 | 2024-04-11 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2024-01-10 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-14 | 2024-04-09 | | Unknown | Unknown |
2023-11-22 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-22 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2024-01-16 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
2023-11-17 | 2024-04-09 | | Unknown | Unknown |
Vendors listed: 32

CVE IDs | CVE-2022-0001, CVE-2024-2201 |
---|---|
API URL | VINCE JSON |
Date Public | 2024-04-09 |
Date First Published | |
vuls.cert.org/confluence/display/Wiki/Vulnerabilities+Associated+with+CPU+Speculative+Execution
www.commerce.senate.gov/2018/7/complex-cybersecurity-vulnerabilities-lessons-learned-from-spectre-and-meltdown
www.economist.com/business/2018/01/11/spectre-and-meltdown-prompt-tech-industry-soul-searching
www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/branch-history-injection.html
www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
www.vusec.net/projects/bhi-spectre-bhb/