Описание
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.
A flaw was found in the Linux kernels eBPF verification code. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A flaw that triggers Integer underflow when restricting speculative pointer arithmetic allows unprivileged local users to leak the content of kernel memory. The highest threat from this vulnerability is to data confidentiality.
Отчет
The default Red Hat Enterprise Linux kernel differs from the upstream, that prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl.
The setting of 1 would mean that unprivileged users can not use eBPF (which is a default setting), and this mitigating the flaw.
This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space, and may even cause a denial-of-service problem.
Меры по смягчению последствий
The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space. For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled. For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command:
cat /proc/sys/kernel/unprivileged_bpf_disabled
The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.
Затронутые пакеты
Платформа | Пакет | Состояние | Рекомендация | Релиз |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | kernel | Not affected | ||
Red Hat Enterprise Linux 7 | kernel | Affected | ||
Red Hat Enterprise Linux 7 | kernel-alt | Not affected | ||
Red Hat Enterprise Linux 7 | kernel-rt | Affected | ||
Red Hat Enterprise Linux 8 | kernel | Affected | ||
Red Hat Enterprise Linux 8 | kernel-rt | Affected | ||
Red Hat Enterprise Linux 9 | kernel | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
6 Medium
CVSS3
Связанные уязвимости
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/ ...
An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.
EPSS
6 Medium
CVSS3