Researchers Uncover First Native Spectre v2 Exploit Against Linux Kernel
Published Wed, 10 Apr 2024 12:47:34 +0000 at http://www.indiavpn.org/2024/04/10/researchers-uncover-first-native-spectre-v2-exploit-against-linux-kernel/

Apr 10, 2024 | Newsroom | Hardware Security / Linux


Cybersecurity researchers have disclosed what they say is the “first native Spectre v2 exploit” against the Linux kernel on Intel systems that could be exploited to read sensitive data from the memory.

The exploit, called Native Branch History Injection (BHI), can be used to leak arbitrary kernel memory at 3.5 kB/sec by bypassing existing Spectre v2/BHI mitigations, researchers from Systems and Network Security Group (VUSec) at Vrije Universiteit Amsterdam said in a new study.

The shortcoming is being tracked as CVE-2024-2201.

BHI was first disclosed by VUSec in March 2022, describing it as a technique that can get around Spectre v2 protections in modern processors from Intel, AMD, and Arm.

Because the original attack leveraged extended Berkeley Packet Filters (eBPF), Intel's recommendations for addressing the problem included, among other things, disabling Linux's unprivileged eBPF.


“Privileged managed runtimes that can be configured to allow an unprivileged user to generate and execute code in a privileged domain — such as Linux’s ‘unprivileged eBPF’ — significantly increase the risk of transient execution attacks, even when defenses against intra-mode [Branch Target Injection] are present,” Intel said at the time.

“The kernel can be configured to deny access to unprivileged eBPF by default, while still allowing administrators to enable it at runtime where needed.”

Native BHI neutralizes this countermeasure by showing that BHI is possible without eBPF. It impacts all Intel systems that are susceptible to BHI.

As a result, it makes it feasible for an attacker with access to CPU resources to influence speculative execution paths via malicious software installed on a machine with the goal of extracting sensitive data that are associated with a different process.

“Existing mitigation techniques of disabling privileged eBPF and enabling (Fine)IBT are insufficient in stopping BHI exploitation against the kernel/hypervisor,” the CERT Coordination Center (CERT/CC) said in an advisory.

“An unauthenticated attacker can exploit this vulnerability to leak privileged memory from the CPU by speculatively jumping to a chosen gadget.”


The flaw has been confirmed to affect Illumos, Intel, Red Hat, SUSE Linux, Triton Data Center, and Xen. AMD, in a bulletin, said it’s “aware of any impact” on its products.

The disclosure comes weeks after IBM and VUSec detailed GhostRace (CVE-2024-2193), a variant of Spectre v1 that employs a combination of speculative execution and race conditions to leak data from contemporary CPU architectures.


It also follows new research from ETH Zurich that disclosed a family of attacks dubbed Ahoi Attacks that could be used to compromise hardware-based trusted execution environments (TEEs) and break confidential virtual machines (CVMs) like AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) and Intel Trust Domain Extensions (TDX).

The attacks, codenamed Heckler and WeSee, make use of malicious interrupts to break the integrity of CVMs, potentially allowing threat actors to remotely log in and gain elevated access, as well as perform arbitrary read, write, and code injection to disable firewall rules and open a root shell.

“For Ahoi Attacks, an attacker can use the hypervisor to inject malicious interrupts to the victim’s vCPUs and trick it into executing the interrupt handlers,” the researchers said. “These interrupt handlers can have global effects (e.g., changing the register state in the application) that an attacker can trigger to compromise the victim’s CVM.”

In response to the findings, AMD said the vulnerability is rooted in the Linux kernel implementation of SEV-SNP and that fixes addressing some of the issues have been upstreamed to the main Linux kernel.

Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks
Published Thu, 29 Feb 2024 14:12:53 +0000 at http://www.indiavpn.org/2024/02/29/lazarus-hackers-exploited-windows-kernel-flaw-as-zero-day-in-recent-attacks/

Feb 29, 2024 | Newsroom | Rootkit / Threat Intelligence


The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.

The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of Patch Tuesday updates.

“To exploit this vulnerability, an attacker would first have to log on to the system,” Microsoft said. “An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”


While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Redmond on Wednesday revised its “Exploitability assessment” for the flaw to “Exploitation Detected.”

Cybersecurity vendor Avast, which discovered an in-the-wild admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to “perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit.”

The FudModule rootkit was first reported by ESET and AhnLab in October 2022 as capable of disabling the monitoring of all security solutions on infected hosts by means of what's called a Bring Your Own Vulnerable Driver (BYOVD) attack, wherein an attacker loads a driver susceptible to a known or zero-day flaw in order to escalate privileges.

What makes the latest attack significant is that it goes “beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine.” That susceptible driver is appid.sys, which is crucial to the functioning of a Windows component called AppLocker that’s responsible for application control.


The real-world exploit devised by the Lazarus Group entails using CVE-2024-21338 in the appid.sys driver to execute arbitrary code in a manner that bypasses all security checks and runs the FudModule rootkit.

“FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem and that Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances,” security researcher Jan Vojtěšek said, describing the malware as under active development.

Besides taking steps to sidestep detection by disabling system loggers, FudModule is engineered to turn off specific security software such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender).


The development marks a new level of technical sophistication for North Korean hacking groups, which continuously iterate their arsenal for improved stealth and functionality. It also illustrates the elaborate techniques they employ to hinder detection and make tracking much harder.

The adversarial collective’s cross-platform focus is also exemplified by the fact that it has been observed using bogus calendar meeting invite links to stealthily install malware on Apple macOS systems, a campaign that was previously documented by SlowMist in December 2023.

“Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors,” Vojtěšek said. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”
