Security Vulnerability: Branch History Injection aka Inspectre Gadget aka CVE-2024-2201
This document (000021421) is provided subject to the disclaimer at the end of this document.
Environment
Situation
The mitigation for the Linux kernel happens at the user / kernel boundary and it can use either hardware or software mitigations.
Note that software mitigations reduce performance, depending on how many system calls userland makes.
Resolution
The kernel mitigation can be configured with a kernel command line option.
* spectre_bhi=off
Unconditionally disable the mitigation.
* spectre_bhi=on
Unconditionally enable the mitigation.
If there is no hardware mitigation, the software mitigation will be enabled.
* spectre_bhi=auto
Enable the mitigation when the CPU supports the hardware mitigation;
if it does not, enable the software implementation for use in KVM hosts.
This option is also set from the "mitigations" global option.
Reporting
The mitigation status for BHI is reported in the sysfs file
/sys/devices/system/cpu/vulnerabilities/spectre_v2
in the same way as other Spectre V2 mitigations: it is appended to the end of the current string,
with a comma (",") as delimiter.
The following entries are possible:
* BHI: Not affected
System is not affected by BHI.
* BHI: IBRS
System is protected by the IBRS hardware mitigation.
* BHI: Retpoline
System is protected by the retpoline mitigation.
* BHI: BHI_DIS_S
System is protected by the BHI_DIS_S mitigation.
* BHI: SW loop
System is protected by the software clearing sequence.
* BHI: Vulnerable
System is vulnerable to BHI attacks.
Note that if the sysfs file contains no reference to BHI at all, the system is also vulnerable.
* BHI: Vulnerable; KVM: SW loop
System is vulnerable to BHI attacks from userspace; KVM is protected by the software clearing sequence.
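The following shell function is an added example, not part of the original SUSE document. It classifies the BHI entry of a spectre_v2 string according to the list above, including the rule that a missing BHI reference means vulnerable. The function name, the output labels and the sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the BHI entry of a spectre_v2 sysfs string.
# Prints: not-affected | mitigated | kvm-only | vulnerable | unknown
# Assumption: the BHI entry is the last one in the string, as described above.
bhi_status() {
    line=$1
    case $line in
        *"BHI: "*) value=${line##*BHI: } ;;   # text after the last "BHI: "
        *) echo vulnerable; return 0 ;;       # no BHI reference at all
    esac
    case $value in
        "Not affected")                     echo not-affected ;;
        IBRS|Retpoline|BHI_DIS_S|"SW loop") echo mitigated ;;
        "Vulnerable"?" KVM: SW loop")       echo kvm-only ;;  # any one separator char
        Vulnerable)                         echo vulnerable ;;
        *)                                  echo unknown ;;   # treat as needing review
    esac
}

# Constructed sample strings (not captured from a real host).
demo() {
    for s in \
        "Mitigation: Enhanced / Automatic IBRS, IBPB: conditional, RSB filling, BHI: BHI_DIS_S" \
        "Mitigation: Retpolines, IBPB: conditional, RSB filling, BHI: Vulnerable; KVM: SW loop" \
        "Mitigation: Retpolines, IBPB: conditional, RSB filling"
    do
        printf '%-12s <- %s\n' "$(bhi_status "$s")" "$s"
    done
}

# On a live system, classify the real file if it is readable.
f=/sys/devices/system/cpu/vulnerabilities/spectre_v2
if [ -r "$f" ]; then bhi_status "$(cat "$f")"; else demo; fi
```

A result of kvm-only, vulnerable or unknown on a host that runs untrusted userland is a reason to review the spectre_bhi setting on the kernel command line.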
Status
Additional Information
https://www.suse.com/security/cve/CVE-2024-2201
Intel security advisory:
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html
Researcher URL:
https://www.vusec.net/projects/native-bhi/
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021421
- Creation Date: 10-Apr-2024
- Modified Date: 10-Apr-2024
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
- SUSE Manager Server
- SUSE Linux Enterprise Micro
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com