Log

AVG-1884 edited at 03 Aug 2021 15:56:49
Issues
CVE-2021-22140
+ CVE-2021-22147
+ CVE-2021-22148
+ CVE-2021-22149
CVE-2021-22149 created at 03 Aug 2021 15:56:49
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes
CVE-2021-35477 edited at 03 Aug 2021 15:49:13
Description
- An issue has been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit any of
+ An issue has been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit any of these issues to disclose the content of arbitrary kernel memory via a side-channel.
- these issues to disclose the content of arbitrary kernel memory via a side-channel.
When protecting memory operations against Speculative Store Bypass, the technique used by the BPF verifier to manage speculation is unreliable. Specifically, each potentially problematic memory store operation is sanitized by inserting a preempting store of zero value. The preempting store is incorrectly assumed to complete "fast" as it only depends on the BPF stack frame pointer. However, a few different scenarios have been identified where this assumption is invalid, by demonstrating a dependent load instruction to speculatively execute ahead of the preempting store. Practical attacks have been shown to disclose content of arbitrary kernel memory via a side-channel.
CVE-2021-34556 edited at 03 Aug 2021 15:48:50
Description
- An issue has been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit any of
+ An issue has been discovered in the Linux kernel mechanism to mitigate Speculative Store Bypass in BPF. On affected systems, an unprivileged BPF program can exploit any of these issues to disclose the content of arbitrary kernel memory via a side-channel.
- these issues to disclose the content of arbitrary kernel memory via a side-channel.
+ When identifying memory store operations to be protected against Speculative Store Bypass, any uninitialized BPF stack locations are not considered. And so for each BPF stack location, the BPF verifier never attempts to protect the first store operation. Further, the BPF stack is allocated without any sanitation of preexisting memory content. Thus any later load instruction, that depends on the unprotected store, may speculatively execute ahead of the store to use unsanitized memory. Whenever it is possible to control content of the unsanitized memory before running the BPF program, this issue can be abused to perform speculative load from arbitrary memory location. A practical attack has been demonstrated to disclose content of arbitrary kernel memory via a side-channel.
- When identifying memory store operations to be protected against Speculative Store Bypass, any uninitialized BPF stack locations are not considered. And so for each BPF stack
- location, the BPF verifier never attempts to protect the first store operation. Further, the BPF stack is allocated without any sanitation of preexisting memory content. Thus any later load instruction, that depends on the unprotected store, may speculatively execute ahead of the store to use unsanitized memory. Whenever it is possible to control content of the unsanitized memory before running the BPF program, this issue can be abused to perform speculative load from arbitrary memory location. A practical attack has been demonstrated to disclose content of arbitrary kernel memory via a side-channel.
AVG-2237 edited at 03 Aug 2021 14:47:37
Status
- Vulnerable
+ Fixed
Fixed
+ 1:0.11.10-1
CVE-2021-37601 edited at 03 Aug 2021 14:47:13
References
https://prosody.im/security/advisory_20210722/
https://prosody.im/security/advisory_20210722/1.patch
+ https://hg.prosody.im/0.11/rev/d117b92fd8e4
ASA-202108-4 edited at 03 Aug 2021 14:14:13
ASA-202108-3 edited at 03 Aug 2021 14:14:10
ASA-202108-2 edited at 03 Aug 2021 14:14:07
ASA-202108-1 edited at 03 Aug 2021 14:14:03
ASA-202108-4 edited at 03 Aug 2021 13:25:19
Impact
+ A remote attacker could execute arbitrary code, disclose sensitive information, or spoof content through crafted web pages.