Ubuntu.comUB:CVE-2023-1998CVE-2023-1998
5.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:H/Au:S/C:P/I:N/A:N
0 Low
EPSS
Percentile
14.0%
The Linux kernel allows userspace processes to enable mitigations by
calling prctl with PR_SET_SPECULATION_CTRL which disables the speculation
feature as well as by using seccomp. We had noticed that on VMs of at least
one major cloud provider, the kernel still left the victim process exposed
to attacks in some cases even after enabling the spectre-BTI mitigation
with prctl. The same behavior can be observed on a bare-metal machine when
forcing the mitigation to IBRS on boot command line. This happened because
when plain IBRS was enabled (not enhanced IBRS), the kernel had some logic
that determined that STIBP was not needed. The IBRS bit implicitly protects
against cross-thread branch target injection. However, with legacy IBRS,
the IBRS bit was cleared on returning to userspace, due to performance
reasons, which disabled the implicit STIBP and left userspace threads
vulnerable to cross-thread branch target injection against which STIBP
protects.
Bugs
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux | < 5.4.0-152.169 | UNKNOWN |
| ubuntu | 22.04 | noarch | linux | < 5.15.0-75.82 | UNKNOWN |
| ubuntu | 22.10 | noarch | linux | < 5.19.0-45.46 | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws | < 5.4.0-1104.112 | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1038.43 | UNKNOWN |
| ubuntu | 22.10 | noarch | linux-aws | < 5.19.0-1027.28 | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1038.43~20.04.1 | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-aws-5.4 | < any | UNKNOWN |
References
git.kernel.org/linus/6921ed9049bc7457f66c1596c5b78aec0dae4a9d (6.3-rc1)
github.com/google/security-research/security/advisories/GHSA-mj4w-6495-6crx
kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d
launchpad.net/bugs/cve/CVE-2023-1998
nvd.nist.gov/vuln/detail/CVE-2023-1998
security-tracker.debian.org/tracker/CVE-2023-1998
ubuntu.com/security/notices/USN-6033-1
ubuntu.com/security/notices/USN-6171-1
ubuntu.com/security/notices/USN-6172-1
ubuntu.com/security/notices/USN-6185-1
ubuntu.com/security/notices/USN-6187-1
ubuntu.com/security/notices/USN-6207-1
ubuntu.com/security/notices/USN-6222-1
ubuntu.com/security/notices/USN-6223-1
ubuntu.com/security/notices/USN-6256-1
www.cve.org/CVERecord?id=CVE-2023-1998
Related
5.6 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
HIGH
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:H/Au:S/C:P/I:N/A:N
0 Low
EPSS
Percentile
14.0%