Two critical vulnerabilities in Linux allow hackers to obtain data from kernel memory

Security researchers have reported two vulnerabilities in the Linux kernel that let an unprivileged local attacker bypass the mitigations put in place against Spectre and Meltdown attacks, allowing the contents of kernel memory to be leaked.

Tracked as CVE-2020-27170 and CVE-2020-27171, the two flaws received a score of 5.5/10 (medium) under the Common Vulnerability Scoring System (CVSS) and affect Linux kernel versions prior to 5.11.8, the release in which they were fixed. Both were reported by Piotr Krysiuk of the Symantec Threat Hunter Team.

CVE-2020-27170 can be exploited to speculatively read content from any location in kernel memory, while CVE-2020-27171 is limited to a 4 GB window of kernel memory.

Spectre and Meltdown were publicly disclosed in early 2018. They abuse speculative execution in modern processors to leak potentially sensitive information across the isolation boundaries the hardware is supposed to enforce between different programs.

Spectre-class attacks can also be launched from a malicious or compromised website that runs JavaScript in the victim's browser. Since the original disclosure, the security community has worked on mitigations against these attacks, but new, fully functional exploitation techniques keep appearing.

Both flaws abuse the kernel's support for extended Berkeley Packet Filter (eBPF) programs to read memory contents: “Non-privileged BPF programs running on Linux distributions could bypass these security measures to deliver speculative payloads outside the established limits, generating severe risk conditions,” the report says.

The researchers note that vulnerable kernels perform unwanted speculation beyond the bounds they are supposed to enforce, so the Spectre mitigations become largely ineffective: “In the wild, threat actors could exploit these flaws to access potentially sensitive information shared within the vulnerable system,” Symantec adds.
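The mitigation these two flaws defeat is bounds masking: for unprivileged BPF programs the verifier does not trust the bounds check alone (a mispredicted branch still issues the load), so it rewrites pointer arithmetic to clamp the offset arithmetically, using a limit derived from the size of the object being accessed. The C program below is an added illustration written for this page, not kernel code or anything from the Symantec report. The masking sequence is a from-memory reimplementation of the shape the verifier emits (limit minus one loaded as a 32-bit value, then subtract, or, negate, shift, and); the sample memory region, the limits and the offsets are constructed. It shows the branch-only Spectre v1 pattern, the branch-free mask, and what happens when the limit handed to the mask is wrong: one too large lets the first byte past the object through, and a limit of zero wraps the 32-bit value to 0xffffffff, opening exactly a 4 GB window, which matches the window the article attributes to CVE-2020-27171.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample region: a 16-byte "map value" an unprivileged program may
 * read, immediately followed by bytes it must never observe, not even
 * speculatively. */
#define VALUE_SIZE 16u
static const uint8_t region[VALUE_SIZE + 16] = {
    'v','a','l','u','e','.','.','.','.','.','.','.','.','.','.','.',
    'S','E','C','R','E','T','.','.','.','.','.','.','.','.','.','.'};

/* Spectre-v1 pattern: the bounds check is only a branch. Architecturally
 * correct, but a mispredicted branch still issues the out-of-bounds load. */
uint8_t load_branch_only(uint64_t off)
{
    if (off < VALUE_SIZE)
        return region[off];
    return 0;
}

/* Branch-free offset masking (illustrative reimplementation of the verifier's
 * sequence, not kernel code). 'limit' is the number of bytes from the pointer
 * to the end of the object. Any off > limit-1 collapses to 0, so the address
 * stays in bounds on every path, speculative or not. The cast models the
 * 32-bit immediate used for limit-1. Valid for off < 2^63. */
uint64_t mask_offset(uint64_t off, uint32_t limit)
{
    uint64_t ax = (uint32_t)(limit - 1); /* largest permitted offset */
    ax -= off;            /* sign bit set iff off > limit-1 */
    ax |= off;            /* ... or off itself has the sign bit set */
    ax = -ax;             /* allowed -> sign bit set, rejected -> clear */
    ax = -(ax >> 63);     /* all-ones if allowed, zero if rejected */
    return off & ax;
}

uint8_t load_masked(uint64_t off, uint32_t limit)
{
    return region[mask_offset(off, limit)];
}

/* Smallest offset the mask rejects, found by bisection (the mask is monotone
 * for off < 2^63): this is the size of the window reachable speculatively. */
uint64_t speculative_window(uint32_t limit)
{
    uint64_t lo = 0, hi = (uint64_t)1 << 40; /* hi is always rejected */
    while (lo < hi) {
        uint64_t mid = lo + (hi - lo) / 2;
        if (mask_offset(mid, limit) == mid)
            lo = mid + 1;     /* allowed: window extends past mid */
        else
            hi = mid;         /* rejected: window ends at or before mid */
    }
    return lo;
}

int main(void)
{
    /* Correct limit: offset 16 is clamped to 0, nothing past the value leaks. */
    printf("limit 16, off 16 -> '%c'\n", load_masked(16, VALUE_SIZE));
    /* Limit one too large: the first secret byte becomes reachable. */
    printf("limit 17, off 16 -> '%c'\n", load_masked(16, VALUE_SIZE + 1));
    /* Limit of zero: 32-bit wrap turns the window into 4 GB. */
    printf("window for limit 16: %llu bytes\n",
           (unsigned long long)speculative_window(VALUE_SIZE));
    printf("window for limit 0:  %llu bytes\n",
           (unsigned long long)speculative_window(0));
    return 0;
}
```

The point of the masking sequence is that nothing in it depends on a branch: the clamp happens in the ALU, so even a speculatively executed path computes an in-bounds address. That only holds if the limit fed into it is exact; the last two lines of output show how a limit that is one byte too generous, or that has underflowed to zero, turns a working mitigation into a speculative read primitive.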

The researchers conclude that exploitation requires local access: an attacker would first need to run code on the vulnerable machine, for example through a prior malware infection, and then load an unprivileged BPF program that triggers the flaws. Separately, a couple of weeks earlier Google researchers published a JavaScript proof of concept (PoC) showing that Spectre can still be exploited from within a web browser.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.