CVE-2022-23960
First published: Tue Mar 08 2022(Updated: )
A new cache speculation vulnerability known as Branch History Injection (BHI) or Spectre-BHB was found. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's own hardware context. Once that occurs, speculation caused by mispredicted branches can be used to cause cache allocation, which can then be used to infer information that should not be accessible.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <0:4.18.0-425.3.1.el8 | 0:4.18.0-425.3.1.el8 |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.13-1 | |
| Android | ||
| All of | ||
| Xen xen-unstable | ||
| Any of | ||
| Arm Cortex-A57 Firmware | ||
| Arm Cortex-A65 Firmware | ||
| Arm Cortex-A65AE Firmware | ||
| Arm Cortex-A710 Firmware | ||
| Arm Cortex-A72 | ||
| ARM Cortex-A73 Firmware | ||
| Arm Cortex-A75 | ||
| Arm Cortex-A76 Firmware | ||
| Arm Cortex-A76AE Firmware | ||
| Arm Cortex-A77 Firmware | ||
| ARM Cortex-A78 Firmware | ||
| Arm Cortex-A78AE Firmware | ||
| Arm Cortex-R7 Firmware | ||
| ARM Cortex-R8 | ||
| Arm Cortex-X1 | ||
| Arm Cortex-X2 Firmware | ||
| Arm Neoverse E1 Firmware | ||
| Arm Neoverse-V1 Firmware | ||
| Arm Neoverse N1 | ||
| Arm Neoverse N2 | ||
| All of | ||
| Arm Cortex-R7 | ||
| Arm Cortex-R7 Firmware | ||
| All of | ||
| ARM Cortex-R8 | ||
| ARM Cortex-R8 | ||
| All of | ||
| Arm Cortex-A57 | ||
| Arm Cortex-A57 Firmware | ||
| All of | ||
| Arm Cortex-A65 Firmware | ||
| Arm Cortex-A65 Firmware | ||
| All of | ||
| Arm Cortex-A65AE Firmware | ||
| Arm Cortex-A65AE Firmware | ||
| All of | ||
| Arm Cortex-A710 Firmware | ||
| Arm Cortex-A710 Firmware | ||
| All of | ||
| ARM Cortex-A72 Firmware | ||
| Arm Cortex-A72 | ||
| All of | ||
| ARM Cortex-A73 Firmware | ||
| ARM Cortex-A73 Firmware | ||
| All of | ||
| Arm Cortex-A75 Firmware | ||
| Arm Cortex-A75 | ||
| All of | ||
| Arm Cortex-A76 Firmware | ||
| Arm Cortex-A76 Firmware | ||
| All of | ||
| Arm Cortex-A76AE Firmware | ||
| Arm Cortex-A76AE Firmware | ||
| All of | ||
| Arm Cortex-A77 Firmware | ||
| Arm Cortex-A77 Firmware | ||
| All of | ||
| ARM Cortex-A78 Firmware | ||
| ARM Cortex-A78 Firmware | ||
| All of | ||
| Arm Cortex-A78AE Firmware | ||
| Arm Cortex-A78AE Firmware | ||
| All of | ||
| Arm Cortex-X1 | ||
| Arm Cortex-X1 | ||
| All of | ||
| Arm Cortex-X2 Firmware | ||
| Arm Cortex-X2 Firmware | ||
| All of | ||
| Arm Neoverse E1 Firmware | ||
| Arm Neoverse E1 Firmware | ||
| All of | ||
| Arm Neoverse v1 | ||
| Arm Neoverse-V1 Firmware | ||
| All of | ||
| Arm Neoverse N1 | ||
| Arm Neoverse N1 | ||
| All of | ||
| Arm Neoverse N2 | ||
| Arm Neoverse N2 | ||
| Debian | =9.0 | |
| Debian | =10.0 | |
| Xen xen-unstable | ||
| Arm Cortex-A57 Firmware | ||
| Arm Cortex-A65 Firmware | ||
| Arm Cortex-A65AE Firmware | ||
| Arm Cortex-A710 Firmware | ||
| Arm Cortex-A72 | ||
| ARM Cortex-A73 Firmware | ||
| Arm Cortex-A75 | ||
| Arm Cortex-A76 Firmware | ||
| Arm Cortex-A76AE Firmware | ||
| Arm Cortex-A77 Firmware | ||
| ARM Cortex-A78 Firmware | ||
| Arm Cortex-A78AE Firmware | ||
| Arm Cortex-R7 Firmware | ||
| ARM Cortex-R8 | ||
| Arm Cortex-X1 | ||
| Arm Cortex-X2 Firmware | ||
| Arm Neoverse E1 Firmware | ||
| Arm Neoverse-V1 Firmware | ||
| Arm Neoverse N1 | ||
| Arm Neoverse N2 | ||
| Arm Cortex-R7 | ||
| ARM Cortex-R8 | ||
| Arm Cortex-A57 | ||
| Arm Cortex-A65 Firmware | ||
| Arm Cortex-A65AE Firmware | ||
| Arm Cortex-A710 Firmware | ||
| ARM Cortex-A72 Firmware | ||
| ARM Cortex-A73 Firmware | ||
| Arm Cortex-A75 Firmware | ||
| Arm Cortex-A76 Firmware | ||
| Arm Cortex-A76AE Firmware | ||
| Arm Cortex-A77 Firmware | ||
| ARM Cortex-A78 Firmware | ||
| Arm Cortex-A78AE Firmware | ||
| Arm Cortex-X1 | ||
| Arm Cortex-X2 Firmware | ||
| Arm Neoverse E1 Firmware | ||
| Arm Neoverse v1 | ||
| Arm Neoverse N1 | ||
| Arm Neoverse N2 |
Remedy
Disabling unprivileged eBPF effectively mitigates the known attack vectors for exploiting intra-mode branch injections attacks. The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. For the Red Hat Enterprise Linux 7, the eBPF for unprivileged users is always disabled. For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command: # cat /proc/sys/kernel/unprivileged_bpf_disabled The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.
Remedy
To mitigate the primary known attack vector, disable unprivileged eBPF: $ sudo sysctl kernel.unprivileged_bpf_disabled=1 or $ sudo sysctl kernel.unprivileged_bpf_disabled=2
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-23960 https://nvd.nist.gov/vuln/detail/CVE-2022-23960 https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb
- https://bugzilla.redhat.com/show_bug.cgi?id=2062284
- https://access.redhat.com/errata/RHSA-2022:7683
- https://access.redhat.com/security/cve/cve-2022-23960
- https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
- https://developer.arm.com/support/arm-security-updates
- http://www.openwall.com/lists/oss-security/2022/03/18/2
- https://lists.debian.org/debian-lts-announce/2022/07/msg00000.html
- https://www.debian.org/security/2022/dsa-5173
- https://launchpad.net/bugs/cve/CVE-2022-23960
- https://access.redhat.com/errata/RHSA-2024:0930
- https://source.android.com/docs/security/bulletin/2023-01-01/#asterisk
- https://source.android.com/docs/security/bulletin/2023-01-01 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23960
- https://nvd.nist.gov/vuln/detail/CVE-2022-23960
- https://security-tracker.debian.org/tracker/CVE-2022-23960
- https://ubuntu.com/security/CVE-2022-23960
- https://www.vusec.net/projects/bhi-spectre-bhb/
- https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb
- https://xenbits.xen.org/xsa/advisory-398.html
Frequently Asked Questions
What is the severity of CVE-2022-23960?
CVE-2022-23960 is classified as a high-severity vulnerability due to its potential impact on sensitive data.
How do I fix CVE-2022-23960?
To mitigate CVE-2022-23960, ensure that your system is updated to the latest kernel version that includes patches addressing the vulnerability.
Which systems are affected by CVE-2022-23960?
CVE-2022-23960 affects multiple systems, including versions of Red Hat kernel, Google Android, and various Arm Cortex processors.
What type of vulnerability is CVE-2022-23960?
CVE-2022-23960 is a cache speculation vulnerability categorized under the Spectre family, which utilizes branch history manipulation.
Is CVE-2022-23960 a confirmed exploitation?
As of now, there are no confirmed cases of exploitation specifically targeting CVE-2022-23960 in the wild.
- collector/redhat-cve
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-23960
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/last-modified-date
- agent/trending
- agent/references
- agent/remedy
- agent/description
- agent/source
- agent/event
- agent/author
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/android-source
- source/Android
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/google
- canonical/android
- vendor/xen
- canonical/xen xen-unstable
- vendor/arm
- canonical/arm cortex-a57 firmware
- canonical/arm cortex-a65 firmware
- canonical/arm cortex-a65ae firmware
- canonical/arm cortex-a710 firmware
- canonical/arm cortex-a72
- canonical/arm cortex-a73 firmware
- canonical/arm cortex-a75
- canonical/arm cortex-a76 firmware
- canonical/arm cortex-a76ae firmware
- canonical/arm cortex-a77 firmware
- canonical/arm cortex-a78 firmware
- canonical/arm cortex-a78ae firmware
- canonical/arm cortex-r7 firmware
- canonical/arm cortex-r8
- canonical/arm cortex-x1
- canonical/arm cortex-x2 firmware
- canonical/arm neoverse e1 firmware
- canonical/arm neoverse-v1 firmware
- canonical/arm neoverse n1
- canonical/arm neoverse n2
- canonical/arm cortex-r7
- canonical/arm cortex-a57
- canonical/arm cortex-a72 firmware
- canonical/arm cortex-a75 firmware
- canonical/arm neoverse v1
- vendor/debian
- canonical/debian
- version/debian/9.0
- version/debian/10.0