Spectre just won't remain dead - TuxCare

Spectre just won’t remain dead

KernelCare Team

March 19, 2021


Shortly after working Spectre exploit code was found in a public repository, two new vulnerabilities (CVE-2020-27170 and CVE-2020-27171) have been found in the Linux kernel code that is meant to protect against that class of attack.


Both vulnerabilities allow an unprivileged local user to read kernel memory, which can contain sensitive information such as encryption keys. Proof-of-concept code has been made available privately; it is safe to assume it will eventually reach public outlets.

Both flaws are present in all kernel versions up to 5.12-rc3, the most recent release candidate at the time of writing, and all distributions are affected. The attack path runs through BPF programs loaded by unprivileged users, so until a fixed kernel is in place, setting the sysctl kernel.unprivileged_bpf_disabled to 1 (check the current value with sysctl kernel.unprivileged_bpf_disabled) closes that path, unless your distribution already sets it.

KernelCare patches for all supported distributions are being prepared and should start becoming available next week.

The first vulnerability, CVE-2020-27170, affects the way the kernel mitigation against speculative out-of-bounds loads works. The BPF (Berkeley Packet Filter) verifier is supposed to bound any arithmetic an unprivileged BPF program performs on kernel pointers, so that a load cannot reach outside its buffer even while the CPU is executing speculatively. That bounding was only applied to some pointer types: a program holding a pointer of another type could perform unbounded arithmetic on it, which, combined with a cache side channel, becomes an attack vector for exfiltrating kernel memory contents.


The second vulnerability, CVE-2020-27171, is reached through the same kind of unprivileged BPF program on 64-bit systems, and is an off-by-one error in the same mitigation. To bound speculative pointer arithmetic, the verifier computes how many bytes remain in bounds from a given pointer and masks any offset added to it against that size. Memory offsets count from 0, so an area of N bytes has valid offsets 0 through N-1, and a common programming mistake is to lose that 1 somewhere in the arithmetic. Here the mistake lets the computed limit underflow, so a pointer could be modified in such a way that a 4GB block of kernel memory became reachable by speculative loads. Timed correctly against the cache, that gives an unprivileged user a way to infer the contents of protected memory locations.
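The masking mechanism the two paragraphs above describe, as an added example that is not code from the page, from KernelCare or from the kernel: a user-space C model of the verifier's branchless clamp on speculative pointer arithmetic, with an off-by-one in the area-size computation next to a corrected version. The function names, the direction enum, the sample offsets and the exact expression that goes wrong are assumptions made for this example; they show how an off-by-one that reaches zero in a 32-bit limit wraps into a 4GB window, and do not reproduce the kernel's actual source lines.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not kernel code. Only MAX_BPF_STACK is the real
 * constant; every other name and value here is an assumption of this model. */
#define MAX_BPF_STACK 512 /* a BPF stack frame: valid slots are fp-512 .. fp-1 */

enum direction { TOWARD_FP, AWAY_FROM_FP };

/* Is this frame-relative offset a real stack slot? */
static bool stack_in_bounds(int64_t ptr_off)
{
    return ptr_off >= -MAX_BPF_STACK && ptr_off < 0;
}

/* Branchless clamp with the shape of the instruction sequence the verifier
 * patches in front of a sanitized pointer ALU op: delta is kept when
 * 0 <= delta <= limit and becomes 0 otherwise. No conditional branch is
 * involved, so the clamp also holds while the CPU executes speculatively. */
static int64_t speculative_mask(uint32_t limit, int64_t delta)
{
    uint64_t ax = limit;                 /* 32-bit immediate, zero-extended  */
    ax -= (uint64_t)delta;               /* sign bit set iff delta > limit   */
    ax |= (uint64_t)delta;               /* ... or delta is negative         */
    ax = 0 - ax;                         /* sign bit now set iff in range    */
    int64_t mask = -(int64_t)(ax >> 63); /* arithmetic shift: -1 or 0        */
    return delta & mask;
}

/* Model of the vulnerable limit computation: the area counted away from fp
 * omits the pointer's own slot (one too small), and the inclusive bound is
 * then formed as area - 1 in 32-bit arithmetic. For a pointer parked on the
 * last slot the area comes out as 0, and 0 - 1 wraps to 0xFFFFFFFF: the clamp
 * now admits any delta below 4GB. */
static uint32_t alu_limit_vulnerable(int64_t ptr_off, enum direction dir)
{
    uint32_t area = dir == TOWARD_FP ? (uint32_t)(-ptr_off)
                                     : (uint32_t)(MAX_BPF_STACK + ptr_off);
    return area - 1;
}

/* Hardened form: compute the inclusive bound directly from the slot counts
 * and refuse anything that is not strictly inside the frame, so a wrapped
 * value can never reach the mask. A refusal means the verifier would reject
 * the program instead of emitting a sanitized access. */
static bool alu_limit_fixed(int64_t ptr_off, enum direction dir, uint32_t *limit)
{
    if (!stack_in_bounds(ptr_off))
        return false;
    int64_t l = dir == TOWARD_FP ? -ptr_off - 1 : MAX_BPF_STACK + ptr_off;
    if (l < 0 || l >= MAX_BPF_STACK)
        return false;
    *limit = (uint32_t)l;
    return true;
}

/* Frame-relative offset the sanitized pointer ends up at for a requested
 * delta; with the fixed limit a refused program performs no access at all,
 * which this model reports as the pointer staying put. */
static int64_t speculative_target(int64_t ptr_off, enum direction dir,
                                  int64_t delta, bool fixed)
{
    uint32_t limit;
    if (fixed) {
        if (!alu_limit_fixed(ptr_off, dir, &limit))
            return ptr_off;
    } else {
        limit = alu_limit_vulnerable(ptr_off, dir);
    }
    int64_t d = speculative_mask(limit, delta);
    return dir == TOWARD_FP ? ptr_off + d : ptr_off - d;
}

int main(void)
{
    /* Constructed sample cases; the last one parks the pointer on fp-512. */
    struct { int64_t ptr; enum direction dir; int64_t delta; } cases[] = {
        { -8, TOWARD_FP, 7 }, { -8, TOWARD_FP, 8 },
        { -8, AWAY_FROM_FP, 504 }, { -512, AWAY_FROM_FP, 4096 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int64_t v = speculative_target(cases[i].ptr, cases[i].dir, cases[i].delta, false);
        int64_t f = speculative_target(cases[i].ptr, cases[i].dir, cases[i].delta, true);
        printf("ptr fp%+lld delta %lld: vulnerable -> fp%+lld (%s), fixed -> fp%+lld (%s)\n",
               (long long)cases[i].ptr, (long long)cases[i].delta,
               (long long)v, stack_in_bounds(v) ? "in bounds" : "OUT OF BOUNDS",
               (long long)f, stack_in_bounds(f) ? "in bounds" : "OUT OF BOUNDS");
    }
    return 0;
}
```

The clamp itself is sound: the only way past it is to feed it a wrong limit, which is exactly what an off-by-one in the limit computation does. Note that the vulnerable variant is conservative by one byte in the common case and only breaks at the edge of the area, which is why such bugs survive ordinary testing.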


The detailed vulnerability reports mention a privately disclosed proof of concept for each vulnerability, but a sufficiently motivated attacker could gather enough information from the reports to develop their own attack code.
