Native BHI Threatens Linux: Critical Intel Flaw Exposed

Researchers at the University of Amsterdam have uncovered a novel attack methodology, Native BHI, that enables hackers to access data stored in the Linux kernel’s memory on computers equipped with Intel processors. This method poses a particularly severe threat in virtualized environments, as it allows an attacker to infiltrate the memory of the host or other virtual machines from their own virtual environment.

Native BHI (CVE-2024-2201) is an evolution of the earlier BHI (Branch History Injection) vulnerability, CVE-2022-0001, identified in 2022. The original attack required a user to run specific eBPF code in the kernel to succeed; the new technique does not require such privileges and can be executed by any user.

Native BHI

The technique relies on specific instruction sequences (gadgets) already present in the kernel code, which trigger speculative execution of instructions. The researchers developed a toolkit, InSpectre Gadget, which detected a significant number of such gadgets in kernel version 6.6-rc4. This made it possible to craft an exploit that extracts sensitive information (password hashes from the /etc/shadow file) at a rate of approximately 3.5 Kb/s.

BHI is a variant of the Spectre-v2 attack, aimed at circumventing the protective mechanisms of processors and operating systems. The core concept involves manipulating the history of executed branches in the processor to induce incorrect speculative execution and data extraction from the cache. This is achieved by embedding data in the global branch history buffer, distinguishing it from the earlier Spectre attack that utilized the branch prediction buffer.

Traditional protective mechanisms, such as Intel’s IBT (Indirect Branch Tracking) instructions and the software-hardware hybrid FineIBT, are ineffective against this new method of attack. In response, the Linux kernel has incorporated additional protective measures, including Intel’s hardware-based protections (BHI_DIS_S) and software solutions for the KVM hypervisor. Updates incorporating the new security measures have been released for the Linux kernel (versions 6.8.5, 6.6.26, 6.1.85, and 5.15.154) and for the Xen hypervisor.

To safeguard against this vulnerability on the latest Intel processors, built-in hardware-based protections are recommended, while for older processor models, software-based methods have been proposed to prevent the exploitation of this flaw. The efficacy and performance impact of these software-based protective measures remain to be seen.
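
A host can be checked against the fixed releases and mitigations named above. The following is an added example, not code from the researchers or the kernel project: it reads the kernel's `spectre_v2` report in sysfs and falls back to the release number. The `;`-separated layout with a single `BHI:` field, the sample reports and the function names are assumptions made for illustration.

```python
import platform
import re
from pathlib import Path

# Stable releases the article lists as carrying the new mitigations.
FIXED_STABLE = {(6, 8): 5, (6, 6): 26, (6, 1): 85, (5, 15): 154}
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")

# Constructed sample reports (assumed layout: ';'-separated, one 'BHI:' field).
SAMPLE_HW = "Mitigation: Enhanced / Automatic IBRS; IBPB: conditional; BHI: BHI_DIS_S"
SAMPLE_VULN = "Mitigation: Retpolines; IBPB: conditional; BHI: Vulnerable, KVM: SW loop"
SAMPLE_OLD = "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled"

def upstream_fix(release):
    """True/False for a stable series the article lists, None otherwise."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return None
    series, patch = (int(m[1]), int(m[2])), int(m[3] or 0)
    if series not in FIXED_STABLE:
        return None  # series not covered by the article: check vendor advisories
    return patch >= FIXED_STABLE[series]

def bhi_field(report):
    """Text after 'BHI:' in the spectre_v2 report, or None if the field is absent."""
    for part in report.split(";"):
        if part.strip().startswith("BHI:"):
            return part.strip()[4:].strip()
    return None

def assess(release, report):
    """Prefer the kernel's own report; fall back to the release number."""
    bhi = bhi_field(report)
    if bhi is not None:
        state = "exposed" if bhi.startswith("Vulnerable") else "ok"
        return f"{state}: BHI: {bhi}"
    if upstream_fix(release) is False:
        return "unpatched: release predates the listed fix"
    return "unknown: no BHI field in report"

if __name__ == "__main__":
    report = SYSFS.read_text().strip() if SYSFS.exists() else ""
    print(assess(platform.release(), report))
```

The sysfs report takes priority because distribution kernels often backport fixes without changing the upstream version number, so a release string alone can understate the protection in place.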