A new Spectre-class speculative execution vulnerability, called Branch History Injection (BHI) or Spectre-BHB, was jointly disclosed on Tuesday by the VUSec security research group and Intel. BHI is not a new attacker primitive but an extension of the Spectre V2 (Spectre-BTI, branch target injection) attack, for which VUSec has published a proof-of-concept exploit. It affects any CPU that is also vulnerable to Spectre V2, even where hardware mitigations for Spectre V2 are already in place: it circumvents Intel’s eIBRS and Arm’s CSV2. Those mitigations prevent an attacker from injecting branch targets into the indirect branch predictor across a privilege boundary. BHI instead poisons the global branch history from user space, so that the kernel’s own indirect branches are speculatively steered to attacker-chosen targets that already exist in the kernel. The result is that BHI can be used to leak arbitrary kernel memory, which means sensitive information such as passwords can be compromised. VUSec explained it as follows: “BHI essentially is an extension of Spectre v2, where we leverage the global history to re-introduce the exploitation of cross-privilege BTI. Therefore the attacker primitive is still Spectre v2, but by injecting the history across privilege boundaries (BHI), we can exploit systems that deploy new in-hardware mitigations (i.e., Intel eIBRS and Arm CSV2).”
[Figure: BHI exploit leaking arbitrary kernel memory in action]

The vulnerability affects every Intel CPU launched since Haswell, including Ice Lake-SP and Alder Lake. Affected Arm CPUs include the Cortex-A15/A57/A65/A72/A73/A75/A76/A77/A78/X1/X2/A710, Neoverse N1/N2/V1 and the Broadcom Brahma B15. Arm tracks the issue as CVE-2022-23960, while Intel uses CVE-2022-0001 and CVE-2022-0002. Both companies have posted further details about their affected CPUs in their respective advisories. Intel has released the following statement regarding the BHI exploit: “The attack, as demonstrated by researchers, was previously mitigated by default in most Linux distributions. The Linux community has implemented Intel’s recommendations starting in Linux kernel version 5.16 and is in the process of backporting the mitigation to earlier versions of the Linux kernel. Intel released technical papers describing further mitigation options for those using non-default configurations and why the LFENCE; JMP mitigation is not sufficient in all cases.” AMD CPUs appear to be unaffected: according to Phoronix, AMD processors, which default to Retpolines rather than eIBRS for Spectre V2 mitigation, should be safe. Security patches from vendors should follow soon. In addition to installing them, the researchers recommend disabling unprivileged eBPF support (on Linux, the kernel.unprivileged_bpf_disabled sysctl) as an additional precaution, since the mitigations for eIBRS and CSV2 hosts do not by themselves close the attack. Linux has already merged the security updates into its mainline kernel. Whether these mitigations will have a measurable performance impact is not yet known. VUSec has published the source code for its exploit.
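As an added example that is not code from the article, VUSec or Intel, the following POSIX shell helper performs the two checks an administrator would want after reading the advisory: which Spectre V2 mitigation the running Linux kernel reports (eIBRS on Intel and CSV2 on Arm are exactly the cases BHI bypasses), and whether unprivileged eBPF is already disabled, printing the sysctl change to apply if it is not. The sysfs file, the /proc path and the sysctl name are real kernel interfaces; the status strings in the comments and tests are constructed samples, not output captured from any machine, and the observation that patched kernels append a BHB (Arm) or BHI (x86) token to the same status line is the author's, not the article's.

```shell
#!/bin/sh
# Added example (not from the article, VUSec or Intel): post-BHI audit helper.
# It answers two questions an admin has after reading the advisory:
#   1. which Spectre v2 mitigation the kernel reports, and whether a
#      BHB/BHI-specific mitigation is listed on that line;
#   2. whether unprivileged eBPF is already disabled and, if not, the sysctl
#      change the researchers recommend as an extra precaution.
# The sysfs file and sysctl below are real Linux interfaces; the sample
# status strings in the comments are constructed, not captured.

SPECTRE_V2_SYSFS=/sys/devices/system/cpu/vulnerabilities/spectre_v2
UNPRIV_BPF_PROC=/proc/sys/kernel/unprivileged_bpf_disabled

# Classify the spectre_v2 status line. eIBRS (Intel) and CSV2 (Arm) are the
# in-hardware mitigations BHI bypasses, so "eibrs" is the case to worry about.
#   "Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling" -> eibrs
#   "Mitigation: Retpolines, IBPB: conditional, IBRS_FW"       -> retpoline
#   "Vulnerable"                                               -> vulnerable
classify_spectre_v2() {
    case "$1" in
        Vulnerable*)                 echo vulnerable ;;
        *"Enhanced IBRS"*|*CSV2*)    echo eibrs ;;
        *Retpoline*|*retpoline*)     echo retpoline ;;
        *)                           echo other ;;
    esac
}

# Patched kernels append a BHB (Arm) or BHI (x86) token to the same line,
# e.g. "Mitigation: CSV2, BHB". Report whether such a token is present.
bhb_mitigation_listed() {
    case "$1" in
        *BHB*|*BHI*) echo yes ;;
        *)           echo no ;;
    esac
}

# Decode kernel.unprivileged_bpf_disabled:
#   0 = unprivileged bpf() allowed (the setting the researchers advise against)
#   1 = disabled and locked until reboot
#   2 = disabled, but root may switch it back (Linux 5.15+)
ebpf_state() {
    case "$1" in
        0) echo enabled ;;
        1) echo disabled-locked ;;
        2) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Combine both readings into one verdict line:
#   <v2 class>/<bhb listed>/<ebpf state>/<action>
# "harden" is printed whenever unprivileged eBPF is still enabled, whatever
# the hardware mitigation says, because BHI works against eIBRS/CSV2 hosts.
audit() {
    v2=$(classify_spectre_v2 "$1")
    bhb=$(bhb_mitigation_listed "$1")
    bpf=$(ebpf_state "$2")
    if [ "$bpf" = enabled ]; then
        action=harden
    else
        action=ok
    fi
    echo "$v2/$bhb/$bpf/$action"
}

# The sysctl change to apply (and persist) when audit prints "harden".
remediation() {
    echo "sysctl -w kernel.unprivileged_bpf_disabled=1"
    echo "echo 'kernel.unprivileged_bpf_disabled = 1' > /etc/sysctl.d/99-bhi.conf"
}

# Run against the live host when the kernel interfaces are readable.
live_audit() {
    if [ -r "$SPECTRE_V2_SYSFS" ] && [ -r "$UNPRIV_BPF_PROC" ]; then
        audit "$(cat "$SPECTRE_V2_SYSFS")" "$(cat "$UNPRIV_BPF_PROC")"
    else
        echo "unavailable/unavailable/unavailable/inspect-manually"
    fi
}

result=$(live_audit)
echo "spectre_v2 / bhb listed / unprivileged eBPF / action: $result"
case "$result" in
    */harden) remediation ;;
esac
```

Setting the sysctl to 1 is the conservative choice because it cannot be undone without a reboot; 2 gives the same protection but lets root re-enable unprivileged eBPF later, which matters on hosts where a tracing or networking tool still depends on it.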