CVE-2023-54172
Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-12-30

Last updated on: 2025-12-31

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

x86/hyperv: Disable IBT when hypercall page lacks ENDBR instruction

On hardware that supports Indirect Branch Tracking (IBT), Hyper-V VMs with ConfigVersion 9.3 or later support IBT in the guest. However, current versions of Hyper-V have a bug in that there's not an ENDBR64 instruction at the beginning of the hypercall page. Since hypercalls are made with an indirect call to the hypercall page, all hypercall attempts fail with an exception and Linux panics.

A Hyper-V fix is in progress to add ENDBR64. But guard against the Linux panic by clearing X86_FEATURE_IBT if the hypercall page doesn't start with ENDBR. The VM will boot and run without IBT.

If future Linux 32-bit kernels were to support IBT, additional hypercall page hackery would be needed to make IBT work for such kernels in a Hyper-V VM.
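The guard described above can be modelled in userspace as follows. This is an added example, not the kernel's or Hyper-V's code: `struct cpu_model`, both function names and the sample pages are hypothetical and constructed for illustration. It also covers the ENDBR32 and short-buffer cases, which the description does not mention.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ENDBR64 = F3 0F 1E FA. ENDBR32 (F3 0F 1E FB) is not a landing pad in 64-bit mode. */
static const uint8_t ENDBR64[4] = { 0xF3, 0x0F, 0x1E, 0xFA };

/* Hypothetical stand-in for the kernel's CPU feature state. */
struct cpu_model { bool ibt_enabled; };

/* True only if the buffer is long enough and begins with ENDBR64. */
bool page_starts_with_endbr64(const uint8_t *page, size_t len)
{
    return page != NULL && len >= sizeof(ENDBR64) &&
           memcmp(page, ENDBR64, sizeof(ENDBR64)) == 0;
}

/* Model of the guard: with IBT on and no ENDBR64 at the indirect-call target,
 * clear IBT instead of faulting. Returns true when this call cleared IBT. */
bool guard_hypercall_page(struct cpu_model *cpu, const uint8_t *page, size_t len)
{
    if (!cpu->ibt_enabled)
        return false;            /* IBT already off: nothing to do */
    if (page_starts_with_endbr64(page, len))
        return false;            /* fixed host: IBT stays on */
    cpu->ibt_enabled = false;    /* buggy host: run without IBT */
    return true;
}

/* Constructed sample pages, not dumps from a real Hyper-V host. */
static const uint8_t PAGE_BUGGY[]   = { 0x0F, 0x01, 0xC1, 0xC3 }; /* vmcall; ret */
static const uint8_t PAGE_FIXED[]   = { 0xF3, 0x0F, 0x1E, 0xFA, 0x0F, 0x01, 0xC1, 0xC3 };
static const uint8_t PAGE_ENDBR32[] = { 0xF3, 0x0F, 0x1E, 0xFB, 0x0F, 0x01, 0xC1, 0xC3 };

int main(void)
{
    const struct { const char *name; const uint8_t *p; size_t n; } cases[] = {
        { "buggy", PAGE_BUGGY, sizeof(PAGE_BUGGY) },
        { "fixed", PAGE_FIXED, sizeof(PAGE_FIXED) },
        { "endbr32", PAGE_ENDBR32, sizeof(PAGE_ENDBR32) },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct cpu_model cpu = { .ibt_enabled = true };
        bool cleared = guard_hypercall_page(&cpu, cases[i].p, cases[i].n);
        printf("%-8s cleared=%d ibt=%d\n", cases[i].name, cleared, cpu.ibt_enabled);
    }
    return 0;
}
```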
Meta Information
Published: 2025-12-30
Last Modified: 2025-12-31
Generated: 2026-05-07
AI Q&A: 2025-12-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel running on Hyper-V virtual machines (VMs) with hardware that supports Indirect Branch Tracking (IBT). Hyper-V VMs with ConfigVersion 9.3 or later support IBT, but there is a bug where the hypercall page does not start with the required ENDBR64 instruction. Since hypercalls use indirect calls to this page, the absence of ENDBR64 causes all hypercall attempts to fail, leading to exceptions and Linux kernel panics. A fix is underway in Hyper-V to add the ENDBR64 instruction, but meanwhile, Linux disables IBT if the hypercall page lacks ENDBR to prevent panics, allowing the VM to boot and run without IBT.


How can this vulnerability impact me?

This vulnerability can cause Linux virtual machines running on Hyper-V with IBT-enabled hardware to experience kernel panics due to failed hypercalls. This results in system crashes and instability, potentially causing downtime or loss of service in affected environments. The workaround disables IBT to prevent panics, which may reduce security protections related to indirect branch tracking but allows the VM to continue running.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that your Hyper-V environment is updated with the fix that adds the ENDBR64 instruction at the beginning of the hypercall page, and monitor for Hyper-V updates that address this issue. Until then, update your Linux kernel to a version that includes this fix: it disables IBT (Indirect Branch Tracking) when the hypercall page lacks the ENDBR instruction, which prevents the panic.

