CVE-2022-23960

First published: Tue Mar 08 2022

A new cache speculation vulnerability known as Branch History Injection (BHI) or Spectre-BHB was found. Spectre-BHB is similar to Spectre v2, except that malicious code uses the shared branch history (stored in the CPU Branch History Buffer, or BHB) to influence mispredicted branches within the victim's own hardware context. Once that occurs, speculation caused by mispredicted branches can be used to cause cache allocation, which can then be used to infer information that should not be accessible.

Credit: cve@mitre.org

Affected Software | Affected Version | How to fix
redhat/kernel | <0:4.18.0-425.3.1.el8 | 0:4.18.0-425.3.1.el8
Xen Xen
Arm Cortex-a57
Arm Cortex-a65
Arm Cortex-a65ae
Arm Cortex-a710
Arm Cortex-a72
Arm Cortex-a73
Arm Cortex-a75
Arm Cortex-a76
Arm Cortex-a76ae
Arm Cortex-a77
Arm Cortex-a78
Arm Cortex-a78ae
Arm Cortex-r7
Arm Cortex-r8
Arm Cortex-x1
Arm Cortex-x2
Arm Neoverse-e1
Arm Neoverse-v1
Arm Neoverse N1
Arm Neoverse N2
Arm Cortex-r7 Firmware
Arm Cortex-r8 Firmware
Arm Cortex-a57 Firmware
Arm Cortex-a65 Firmware
Arm Cortex-a65ae Firmware
Arm Cortex-a710 Firmware
Arm Cortex-a72 Firmware
Arm Cortex-a73 Firmware
Arm Cortex-a75 Firmware
Arm Cortex-a76 Firmware
Arm Cortex-a76ae Firmware
Arm Cortex-a77 Firmware
Arm Cortex-a78 Firmware
Arm Cortex-a78ae Firmware
Arm Cortex-x1 Firmware
Arm Cortex-x2 Firmware
Arm Neoverse-e1 Firmware
Arm Neoverse-v1 Firmware
Arm Neoverse N1 Firmware
Arm Neoverse N2 Firmware
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Google Android
All of
Xen Xen
Any of
Arm Cortex-a57
Arm Cortex-a65
Arm Cortex-a65ae
Arm Cortex-a710
Arm Cortex-a72
Arm Cortex-a73
Arm Cortex-a75
Arm Cortex-a76
Arm Cortex-a76ae
Arm Cortex-a77
Arm Cortex-a78
Arm Cortex-a78ae
Arm Cortex-r7
Arm Cortex-r8
Arm Cortex-x1
Arm Cortex-x2
Arm Neoverse-e1
Arm Neoverse-v1
Arm Neoverse N1
Arm Neoverse N2
All of
Arm Cortex-r7 Firmware
Arm Cortex-r7
All of
Arm Cortex-r8 Firmware
Arm Cortex-r8
All of
Arm Cortex-a57 Firmware
Arm Cortex-a57
All of
Arm Cortex-a65 Firmware
Arm Cortex-a65
All of
Arm Cortex-a65ae Firmware
Arm Cortex-a65ae
All of
Arm Cortex-a710 Firmware
Arm Cortex-a710
All of
Arm Cortex-a72 Firmware
Arm Cortex-a72
All of
Arm Cortex-a73 Firmware
Arm Cortex-a73
All of
Arm Cortex-a75 Firmware
Arm Cortex-a75
All of
Arm Cortex-a76 Firmware
Arm Cortex-a76
All of
Arm Cortex-a76ae Firmware
Arm Cortex-a76ae
All of
Arm Cortex-a77 Firmware
Arm Cortex-a77
All of
Arm Cortex-a78 Firmware
Arm Cortex-a78
All of
Arm Cortex-a78ae Firmware
Arm Cortex-a78ae
All of
Arm Cortex-x1 Firmware
Arm Cortex-x1
All of
Arm Cortex-x2 Firmware
Arm Cortex-x2
All of
Arm Neoverse-e1 Firmware
Arm Neoverse-e1
All of
Arm Neoverse-v1 Firmware
Arm Neoverse-v1
All of
Arm Neoverse N1 Firmware
Arm Neoverse N1
All of
Arm Neoverse N2 Firmware
Arm Neoverse N2
debian/linux
5.10.223-1
5.10.226-1
6.1.115-1
6.1.119-1
6.11.10-1
6.12.5-1

Remedy

Disabling unprivileged eBPF effectively mitigates the known attack vectors for exploiting intra-mode branch injection attacks. The default Red Hat Enterprise Linux kernel prevents unprivileged users from using eBPF through the kernel.unprivileged_bpf_disabled sysctl. On Red Hat Enterprise Linux 7, eBPF for unprivileged users is always disabled. On Red Hat Enterprise Linux 8, confirm the current state by inspecting the sysctl with the command:

    # cat /proc/sys/kernel/unprivileged_bpf_disabled

A setting of 1 means that unprivileged users cannot use eBPF, mitigating the flaw.

Remedy

To mitigate the primary known attack vector, disable unprivileged eBPF:

    $ sudo sysctl kernel.unprivileged_bpf_disabled=1

or

    $ sudo sysctl kernel.unprivileged_bpf_disabled=2
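An audit of the sysctl named in both Remedy sections, as an added example that is not part of the original advisory. It reports the runtime value and goes one step beyond the page by checking whether a non-zero value is also written to a sysctl configuration file, since `sysctl name=value` alone changes only the running kernel. The function names and the list of configuration paths are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit kernel.unprivileged_bpf_disabled.
# Function names and the config paths searched are assumptions of this example.

BPF_SYSCTL=/proc/sys/kernel/unprivileged_bpf_disabled

# Print a verdict for the runtime value. The path is a parameter so the
# function can be exercised against a sample file.
bpf_state() {
    f=${1:-$BPF_SYSCTL}
    if [ ! -r "$f" ]; then
        echo "unknown"        # sysctl not present or not readable
        return 0
    fi
    case "$(tr -d '[:space:]' < "$f")" in
        0) echo "exposed" ;;           # unprivileged users may call bpf()
        1) echo "mitigated-locked" ;;  # disabled; cannot be re-enabled until reboot
        2) echo "mitigated" ;;         # disabled; root can set it back to 0
        *) echo "unknown" ;;
    esac
}

# Print "yes" if any given file, or any *.conf in a given directory, sets the
# sysctl to 1 or 2. This is a presence check only; it does not model the
# override order between sysctl.d directories.
bpf_persisted() {
    pat='^[[:space:]]*kernel\.unprivileged_bpf_disabled[[:space:]]*=[[:space:]]*[12][[:space:]]*$'
    for d in "$@"; do
        for c in "$d" "$d"/*.conf; do
            [ -f "$c" ] || continue
            if grep -Eqs "$pat" "$c"; then
                echo "yes"
                return 0
            fi
        done
    done
    echo "no"
}

printf 'runtime: %s, persisted: %s\n' "$(bpf_state)" \
    "$(bpf_persisted /etc/sysctl.conf /etc/sysctl.d /run/sysctl.d /usr/lib/sysctl.d)"
```

A host that reports `mitigated` or `mitigated-locked` at runtime but `no` for persistence will return to its kernel default after the next reboot.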
