Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2018-25020 CVE-2020-36322 CVE-2021-38199 CVE-2021-4197 CVE-2022-0001 CVE-2022-0002 CVE-2022-0330 CVE-2022-0435 CVE-2022-0617 CVE-2022-0847 CVE-2022-24448

Amazon Linux has been made aware of a potential Branch Target Injection (BTI) issue (sometimes referred to as Spectre variant 2). This is a known cross-domain transient execution attack where a third party may seek to cause a disclosure gadget to be speculatively executed after an indirect branch prediction. Generally, actors who attempt transient execution attacks do not have access to the data on the hosts they attempt to access (e.g. where privilege-level isolation is in place). For such attacks to succeed, actors need to be able to run code on the (virtual) machine hosting the data in which they are interested. To mitigate this issue, Amazon Linux recommends that customers disable unprivileged eBPF. This configuration, having the unprivileged eBPF disabled, is the current default for most Linux distributions and as of this advisory, is also the default for all Amazon Linux kernels. Specific mitigations for various CPUs are listed below. Intel CPUs: For Intel CPUs, this applies to all instance types that have CPUs with eIBRS support. They are: *6i* (all sizes), c5d.metal, c5.metal, g4dn.metal, i3en.metal, m5*.metal, r5*.metal Vectors outside of unprivileged eBPF are not currently known, and Intel recommends disabling unprivileged BPF, as mentioned above. However, optionally enabling "spectre_v2=eibrs,lfence" on Linux kernel command line on the instance types mentioned above, would provide additional protection. AMD CPUs:As part of the investigation triggered by this issue, AMD now recommends using a different software mitigation inside the Linux kernel, which the Amazon Linux kernel is enabling by default. This means that the Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on AMD instances (*5a*). This is done by default, and no administrator action is needed. ARM CPUs:The Amazon Linux kernel now enables, by default, a software mitigation for this issue, on all ARM-based EC2 instance types. A buffer overflow flaw in the Linux kernel BPF subsystem was found in the way users run BPF with long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. A local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2018-25020) A denial of service flaw was found in fuse_do_getattr in fs/fuse/dir.c in the kernel side of the FUSE filesystem in the Linux kernel. A local user could use this flaw to crash the system. (CVE-2020-36322) A flaw was found in the hanging of mounts in the Linux kernel's NFS4 subsystem where remote servers are unreachable for the client during migration of data from one server to another (during trunking detection). This flaw allows a remote NFS4 server (if the client is connected) to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-38199) An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-4197) Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure. (CVE-2022-0001) Non-transparent sharing of branch predictor within a context in some Intel(r) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0002) A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. (CVE-2022-0330) A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network. (CVE-2022-0435) A NULL pointer dereference was found in the Linux kernel's UDF file system functionality in the way the user triggers the udf_file_write_iter function for a malicious UDF image. This flaw allows a local user to crash the system. (CVE-2022-0617) A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. (CVE-2022-0847) A flaw was found in the Linux kernel. When an application tries to open a directory (using the O_DIRECTORY flag) in a mounted NFS filesystem, a lookup operation is performed. If the NFS server returns a file as a result of the lookup, the NFS filesystem returns an uninitialized file descriptor instead of the expected ENOTDIR value. This flaw leads to the kernel's data leak into the userspace. (CVE-2022-24448)

Source

ALAS2-2022-1761

Amazon Linux 2 Security Advisory: ALAS-2022-1761
Advisory Release Date: 2022-03-07 23:32 Pacific
Advisory Updated Date: 2022-03-08 19:26 Pacific

Severity: Important

References: CVE-2018-25020 CVE-2020-36322 CVE-2021-38199 CVE-2021-4197 CVE-2022-0001 CVE-2022-0002 CVE-2022-0330 CVE-2022-0435 CVE-2022-0617 CVE-2022-0847 CVE-2022-24448

Issue Overview:

Amazon Linux has been made aware of a potential Branch Target Injection (BTI) issue (sometimes referred to as Spectre variant 2). This is a known cross-domain transient execution attack where a third party may seek to cause a disclosure gadget to be speculatively executed after an indirect branch prediction. Generally, actors who attempt transient execution attacks do not have access to the data on the hosts they attempt to access (e.g. where privilege-level isolation is in place). For such attacks to succeed, actors need to be able to run code on the (virtual) machine hosting the data in which they are interested.

To mitigate this issue, Amazon Linux recommends that customers disable unprivileged eBPF. This configuration, having the unprivileged eBPF disabled, is the current default for most Linux distributions and as of this advisory, is also the default for all Amazon Linux kernels.

Specific mitigations for various CPUs are listed below.

Intel CPUs:
For Intel CPUs, this applies to all instance types that have CPUs with eIBRS support. They are:
*6i* (all sizes), c5d.metal, c5.metal, g4dn.metal, i3en.metal, m5*.metal, r5*.metal

Vectors outside of unprivileged eBPF are not currently known, and Intel recommends disabling unprivileged BPF, as mentioned above. However, optionally enabling "spectre_v2=eibrs,lfence" on Linux kernel command line on the instance types mentioned above, would provide additional protection.

AMD CPUs:
As part of the investigation triggered by this issue, AMD now recommends using a different software mitigation inside the Linux kernel, which the Amazon Linux kernel is enabling by default. This means that the Linux kernel will use the generic retpoline software mitigation, instead of the specialized AMD one, on AMD instances (*5a*). This is done by default, and no administrator action is needed.

ARM CPUs:
The Amazon Linux kernel now enables, by default, a software mitigation for this issue, on all ARM-based EC2 instance types.

A buffer overflow flaw in the Linux kernel BPF subsystem was found in the way users run BPF with long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. A local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2018-25020)

A denial of service flaw was found in fuse_do_getattr in fs/fuse/dir.c in the kernel side of the FUSE filesystem in the Linux kernel. A local user could use this flaw to crash the system. (CVE-2020-36322)

A flaw was found in the hanging of mounts in the Linux kernel's NFS4 subsystem where remote servers are unreachable for the client during migration of data from one server to another (during trunking detection). This flaw allows a remote NFS4 server (if the client is connected) to starve the resources, causing a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-38199)

An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces subsystem was found in the way users have access to some less privileged process that are controlled by cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of control groups. A local user could use this flaw to crash the system or escalate their privileges on the system. (CVE-2021-4197)

Non-transparent sharing of branch predictor selectors between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure. (CVE-2022-0001)

Non-transparent sharing of branch predictor within a context in some Intel(r) Processors may allow an authorized user to potentially enable information disclosure via local access. (CVE-2022-0002)

A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may run malicious code on the GPU. This flaw allows a local user to crash the system or escalate their privileges on the system. (CVE-2022-0330)

A stack overflow flaw was found in the Linux kernel's TIPC protocol functionality in the way a user sends a packet with malicious content where the number of domain member nodes is higher than the 64 allowed. This flaw allows a remote user to crash the system or possibly escalate their privileges if they have access to the TIPC network. (CVE-2022-0435)

A NULL pointer dereference was found in the Linux kernel's UDF file system functionality in the way the user triggers the udf_file_write_iter function for a malicious UDF image. This flaw allows a local user to crash the system. (CVE-2022-0617)

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. (CVE-2022-0847)

A flaw was found in the Linux kernel. When an application tries to open a directory (using the O_DIRECTORY flag) in a mounted NFS filesystem, a lookup operation is performed. If the NFS server returns a file as a result of the lookup, the NFS filesystem returns an uninitialized file descriptor instead of the expected ENOTDIR value. This flaw leads to the kernel's data leak into the userspace. (CVE-2022-24448)

Affected Packages:

kernel

Issue Correction:
Run yum update kernel to update your system.

New Packages:

aarch64:
    kernel-4.14.268-205.500.amzn2.aarch64
    kernel-headers-4.14.268-205.500.amzn2.aarch64
    kernel-debuginfo-common-aarch64-4.14.268-205.500.amzn2.aarch64
    perf-4.14.268-205.500.amzn2.aarch64
    perf-debuginfo-4.14.268-205.500.amzn2.aarch64
    python-perf-4.14.268-205.500.amzn2.aarch64
    python-perf-debuginfo-4.14.268-205.500.amzn2.aarch64
    kernel-tools-4.14.268-205.500.amzn2.aarch64
    kernel-tools-devel-4.14.268-205.500.amzn2.aarch64
    kernel-tools-debuginfo-4.14.268-205.500.amzn2.aarch64
    kernel-devel-4.14.268-205.500.amzn2.aarch64
    kernel-debuginfo-4.14.268-205.500.amzn2.aarch64

i686:
    kernel-headers-4.14.268-205.500.amzn2.i686

src:
    kernel-4.14.268-205.500.amzn2.src

x86_64:
    kernel-4.14.268-205.500.amzn2.x86_64
    kernel-headers-4.14.268-205.500.amzn2.x86_64
    kernel-debuginfo-common-x86_64-4.14.268-205.500.amzn2.x86_64
    perf-4.14.268-205.500.amzn2.x86_64
    perf-debuginfo-4.14.268-205.500.amzn2.x86_64
    python-perf-4.14.268-205.500.amzn2.x86_64
    python-perf-debuginfo-4.14.268-205.500.amzn2.x86_64
    kernel-tools-4.14.268-205.500.amzn2.x86_64
    kernel-tools-devel-4.14.268-205.500.amzn2.x86_64
    kernel-tools-debuginfo-4.14.268-205.500.amzn2.x86_64
    kernel-devel-4.14.268-205.500.amzn2.x86_64
    kernel-debuginfo-4.14.268-205.500.amzn2.x86_64
    kernel-livepatch-4.14.268-205.500-1.0-0.amzn2.x86_64

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ALAS2-2022-1761

ALAS2-2022-1761

Vulmon Search

About

Products

Connect