SWAPGS speculative execution and speculative only segment loads CPU vulnerabilities

This document (7023930) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15
SUSE Linux Enterprise Server 12

Situation

This advisory (CVE-2019-1125) covers multiple CPU vulnerabilities: SWAPGS speculative execution and speculative only segment loads.

CVE-2019-1125 SWAPGS speculative execution 

At this point in time, no exploits for this vulnerability are known, and we assume that this CVE is generally not easily exploitable.

Running sensitive code on the same system as a malicious user can potentially allow that user to gain access to sensitive kernel information and to execute instructions with wrong data.

Impact: 
This vulnerability leads to a kernel information disclosure, which might allow an attacker to learn the memory map and then point to a different position in order to execute other instructions.
Exploitation is difficult and will probably not happen as a stand-alone attack; it would need to be part of a larger attack chain.
Because of that, we currently see this as a low risk for our customers.

Mitigation : 
The vulnerability can be mitigated by OS level fixes. SUSE provides updates for the affected kernels.
All customers should make sure to update their systems as soon as the fix is released.

Technical Background :
SWAPGS (swap GS Base Register) is a privileged CPU instruction that works without a kernel stack and exchanges the current GS base register with an address provided in the MSR (Machine Specific Register) set. Linux uses the GS base register to access CPU-specific memory. By leveraging this instruction, an earlier vulnerability mitigation (KPTI, Kernel page table isolation / KVA mitigation, see TID 7022514, also known as Spectre / Meltdown) could be bypassed, leading to kernel information disclosure.

This vulnerability would be used by loading a %GS value in userspace and waiting for SWAPGS to execute, which might happen, for example, on a ring transition. Occasionally, a speculative branch taken by the CPU's speculative execution engine may hop over the SWAPGS opcode, and the CPU then speculatively uses the user-specified %GS value instead of the original kernel %GS.

This may lead to two potential attacks:
A) Userspace can read KERN_GS, and by doing so bypass the Kernel Address Space Layout Randomization (KASLR) or find an interesting address to point a different write-gadget at.
B) An attacker may manage to execute instructions with a wrong gs_base (this is Spectre V1, see TID 7022514).

Speculative Only Segment Loads

This is similar to the SWAPGS speculative execution described above.

This advisory covers two issues:
A) Use of stale segment register values
Running malicious code may speculatively write faulty data to the segment register, which might lead to the execution of an operation with unintended data.

Impact :
An attacker may manage to learn information about the memory layout. Additionally, using this flaw, an attacker can decrease the discoverability of existing attacks.
This vulnerability is hard to exploit. It might be used as part of a larger exploit chain, but at the moment the risk raised by it is low.

Mitigation :
For this flaw no specific patch is available. However, previously applied patches against other hardware-level issues (e.g. Spectre variant 2) mitigate the issue. Customers should make sure to have all their systems patched and should review the mitigation settings with their security teams.

B) Bound Check Bypass Store on descriptor table
Running malicious code might lead to bypassing specific bound checks.

Impact :
This risk is negligible on modern operating systems since the problematic checks are not in use.

Mitigation : 
This is not applicable (N/A).
SUSE has not prepared any patches for this issue, and does not plan to do so.


Resolution

  • CVE-2019-1125 "SWAPGS speculative execution"
Updates for the affected kernels will be provided.
All customers should make sure to update their systems as soon as the fix is released.

  • Speculative Only Segment Loads
Regarding Mitigation of issue A :
For this flaw no specific patch is available. However, previously applied patches against other hardware-level issues (e.g. Spectre variant 2) mitigate the issue.

Regarding Mitigation of issue B :
This issue is not applicable (N/A).
This risk is negligible on modern operating systems since the checks that might be bypassed aren't used.
SUSE has not prepared additional patches for this.
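
To verify the outcome of the Resolution steps on a host, the kernel's self-reported status can be checked. The script below is an added example, not SUSE tooling: it assumes the installed kernel exposes the upstream Linux `spectre_v1` and `spectre_v2` entries under `/sys/devices/system/cpu/vulnerabilities` with the upstream status strings, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not SUSE's): classify the kernel's reported status for
# CVE-2019-1125 and for issue A, which the advisory says is covered by
# earlier mitigations such as those for Spectre variant 2.
# Assumption: upstream sysfs status strings are reported unchanged.

# classify_swapgs "<contents of spectre_v1>"
# The SWAPGS fix is reported through spectre_v1. A kernel without the fix
# still says "Mitigation: __user pointer sanitization", which looks fine
# but does not mention swapgs barriers at all.
classify_swapgs() {
    case "$1" in
        "Not affected"*)                  echo not-affected ;;
        Mitigation:*"swapgs barriers"*)   echo mitigated ;;
        Vulnerable*)                      echo vulnerable ;;
        Mitigation:*)                     echo kernel-too-old ;;
        *)                                echo unknown ;;
    esac
}

# classify_spectre_v2 "<contents of spectre_v2>"
classify_spectre_v2() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_status [dir]: print one line per issue; return 1 if action is needed.
report_status() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    v1=$(cat "$dir/spectre_v1" 2>/dev/null || true)
    v2=$(cat "$dir/spectre_v2" 2>/dev/null || true)
    s1=$(classify_swapgs "$v1")
    s2=$(classify_spectre_v2 "$v2")
    echo "CVE-2019-1125 SWAPGS (spectre_v1): $s1 [$v1]"
    echo "Segment loads, issue A (spectre_v2): $s2 [$v2]"
    case "$s1 $s2" in
        *vulnerable*|*kernel-too-old*|*unknown*) return 1 ;;
    esac
    return 0
}

# Run against the live system only when asked: ./check.sh --check
if [ "${1:-}" = "--check" ]; then report_status; exit $?; fi
```

A result of `kernel-too-old` means the running kernel predates the SWAPGS fix even though the status line begins with "Mitigation:".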

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7023930
  • Creation Date: 12-Jun-2019
  • Modified Date: 03-Mar-2020
    • SUSE Linux Enterprise Server
