This advisory (CVE-2019-1125) covers multiple vulnerabilities: SWAPGS speculative execution and speculative only segment loads CPU vulnerabilities
CVE-2019-1125 SWAPGS speculative execution
At this point in time, no exploits for this vulnerability are known, and we assume that this CVE is generally not easily exploitable.
Running sensitive code on the same system as malicious user, can allow them to potentially gain access to sensitive kernel information and execute instructions with wrong data.
This vulnerability leads to a kernel information disclosure which might allow an attacker to learn the memory map and manage to point to a different position in order to execute other instructions.
Exploitation is difficult and will probably not happen as a stand-alone attack but would need to be part of a larger attack chain.
Because of that we currently see this as a low risk for our customers
The vulnerability can be mitigated by OS level fixes. SUSE provides updates for the affected kernels.
All customers should make sure to update their systems as soon as the fix is released.
Technical Background :
SWAP GS (swap GS Base Register) is a privileged CPU instruction, working without a kernel stack, for exchanging the current GS base register with an address provided in the MSR (Machine Specific Register) set. Linux uses GS Base Register to access cpu-specific memory. By leveraging this instruction, an earlier vulnerability mitigation – KPTI (Kernel page table isolation)/KVA mitigation, see TID 7022514
, also known as Spectre / Meltdown – could be bypassed, leading to kernel info disclosure.
This vulnerability would be used by loading up a %GS value in userspace, and waiting for SWAPGS, which for example might happen on ring transition; occasionally some speculative branches (by the CPU speculative execution engine) may hop over the SWAPGS opcode, and then speculatively use the user specified %GS value instead of the original kernel %GS.
This may lead to two potential attacks:
A) Userspace can read KERN_GS
, and by doing so bypass the Kernel Address Space Layout Randomization (KASLR
) or find an interesting address to point a different write-gadget at.
B) An attacker may manage to execute instructions with a wrong gs_base (this is Spectre V1, see TID 7022514
Speculative Only Segment Loads
This is similar to the SWAPGS speculative execution described above
This advisory covers two issues:
A) Use of stale segment register values
Running malicious code may speculatively write faulty data on the segment register which might lead to the execution of an operation with unintended data.Impact :
An attacker may manage to learn information about the memory layout. Additionally, using this flaw an attacker can decrease the discover-ability of existing attacks.
This vulnerability is hard to exploit. It might be used as part of a larger exploit chain, but at the moment the risk raised by it is low. Mitigation :
For this flaw no specific patch is available. However, previously applied patches against other hardware level issues (e.g. Spectre variant 2) mitigate the issue. Customers should make sure to have all their systems patched, and reviewed the mitigation settings with their security teams.
B) Bound Check Bypass Store on descriptor table
Running malicious code might lead to bypassing specific bound checksImpact :
This risk is negligible on modern operating systems since the problematic checks are not in useMitigation :
This is not applicable (N/A).
SUSE has not prepared any patches for this issue, and does not plan to do so.
- CVE-2019-1125 "SWAPGS speculative execution"
Updates for the affected kernels will be provided.
All customers should make sure to update their systems as soon as the fix are released.
- Speculative Only Segment Loads
Regarding Mitigation of issue A :
For this flaw no specific patch is available. However, previously applied patches against other hardware level issue (e.g. Spectre variant 2) mitigate the issue.
Regarding Mitigation of issue B :
This issue is not applicable (N/A).
This risk is negligible on modern operating systems since the checks that might be bypassed aren't used.
SUSE has not prepared additional patches for this.
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.