PublicDateAtUSN: 2020-11-10 18:00:00 UTC Candidate: CVE-2020-8694 CRD: 2020-11-10 18:00:00 UTC PublicDate: 2020-11-12 18:15:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694 https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html https://platypusattack.com/ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Platypus https://ubuntu.com/security/notices/USN-4626-1 https://ubuntu.com/security/notices/USN-4627-1 Description: Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. Ubuntu-Description: Moritz Lipp, Michael Schwarz, Andreas Kogler, David Oswald, Catherine Easdon, Claudio Canella, and Daniel Gruss discovered that the Intel Running Average Power Limit (RAPL) driver in the Linux kernel did not properly restrict access to power data. A local attacker could possibly use this to expose sensitive information. Notes: sbeattie> fix will be to adjust the access control bits on the RAPL sysfs files. Mitigation: Restrict permissions on the affected sysfs entries: $ sudo find /sys/devices/virtual/powercap/ -name energy_uj -exec chmod 400 {} \; Bugs: Priority: medium Discovered-by: Moritz Lipp, Michael Schwarz, Andreas Kogler, David Oswald, Catherine Easdon, Claudio Canella, and Daniel Gruss Assigned-to: CVSS: upstream: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N [5.6 MEDIUM] nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [5.5 MEDIUM] Patches_linux: break-fix: 2d281d8196e38dd3a4ee9af26621ddde8329f269 949dd0104c496fa7c14991a23c03c62e44637e71|local-CVE-2020-8694 upstream_linux: released (5.10~rc4) precise/esm_linux: ignored (was needs-triage ESM criteria) trusty_linux: ignored (out of standard support) trusty/esm_linux: released (3.13.0-183.234) xenial_linux: released (4.4.0-194.226) esm-infra/xenial_linux: released (4.4.0-194.226) bionic_linux: released (4.15.0-123.126) eoan_linux: ignored (reached end-of-life) focal_linux: released (5.4.0-53.59) groovy_linux: released (5.8.0-28.30) devel_linux: not-affected (5.8.0-34.37+21.04.1) Patches_linux-hwe: upstream_linux-hwe: released (5.10~rc4) precise/esm_linux-hwe: DNE trusty_linux-hwe: DNE trusty/esm_linux-hwe: DNE xenial_linux-hwe: released (4.15.0-123.126~16.04.1) esm-infra/xenial_linux-hwe: released (4.15.0-123.126~16.04.1) bionic_linux-hwe: released (5.3.0-69.65) eoan_linux-hwe: DNE focal_linux-hwe: DNE groovy_linux-hwe: DNE devel_linux-hwe: DNE Patches_linux-hwe-edge: upstream_linux-hwe-edge: released (5.10~rc4) precise/esm_linux-hwe-edge: DNE trusty_linux-hwe-edge: DNE trusty/esm_linux-hwe-edge: DNE xenial_linux-hwe-edge: ignored (was needs-triage now end-of-life) esm-infra/xenial_linux-hwe-edge: ignored (was needs-triage now end-of-life) bionic_linux-hwe-edge: ignored (was needs-triage now end-of-life) eoan_linux-hwe-edge: DNE focal_linux-hwe-edge: DNE groovy_linux-hwe-edge: DNE devel_linux-hwe-edge: DNE Patches_linux-lts-trusty: upstream_linux-lts-trusty: released (5.10~rc4) precise/esm_linux-lts-trusty: released (3.13.0-183.234~12.04.1) trusty_linux-lts-trusty: DNE trusty/esm_linux-lts-trusty: DNE xenial_linux-lts-trusty: DNE bionic_linux-lts-trusty: DNE eoan_linux-lts-trusty: DNE focal_linux-lts-trusty: DNE groovy_linux-lts-trusty: DNE devel_linux-lts-trusty: DNE Patches_linux-lts-xenial: upstream_linux-lts-xenial: released (5.10~rc4) precise/esm_linux-lts-xenial: DNE trusty_linux-lts-xenial: ignored (out of standard support) trusty/esm_linux-lts-xenial: released (4.4.0-194.226~14.04.1) xenial_linux-lts-xenial: DNE bionic_linux-lts-xenial: DNE eoan_linux-lts-xenial: DNE focal_linux-lts-xenial: DNE groovy_linux-lts-xenial: DNE devel_linux-lts-xenial: DNE Patches_linux-kvm: upstream_linux-kvm: released (5.10~rc4) precise/esm_linux-kvm: DNE trusty_linux-kvm: DNE trusty/esm_linux-kvm: DNE xenial_linux-kvm: not-affected (# CONFIG_POWERCAP is not set) esm-infra/xenial_linux-kvm: not-affected (# CONFIG_POWERCAP is not set) bionic_linux-kvm: not-affected (# CONFIG_POWERCAP is not set) eoan_linux-kvm: ignored (reached end-of-life) focal_linux-kvm: not-affected (# CONFIG_POWERCAP is not set) groovy_linux-kvm: released (5.8.0-1009.10) devel_linux-kvm: not-affected (5.8.0-1010.11+21.04.1) Patches_linux-aws: upstream_linux-aws: released (5.10~rc4) precise/esm_linux-aws: DNE trusty_linux-aws: ignored (out of standard support) trusty/esm_linux-aws: ignored (was needs-triage ESM criteria) xenial_linux-aws: not-affected (# CONFIG_POWERCAP is not set) esm-infra/xenial_linux-aws: not-affected (# CONFIG_POWERCAP is not set) bionic_linux-aws: not-affected (# CONFIG_POWERCAP is not set) eoan_linux-aws: ignored (reached end-of-life) focal_linux-aws: not-affected (# CONFIG_POWERCAP is not set) groovy_linux-aws: released (5.8.0-1013.14) devel_linux-aws: not-affected (5.8.0-1017.18+21.04.2) Patches_linux-aws-5.0: upstream_linux-aws-5.0: released (5.10~rc4) precise/esm_linux-aws-5.0: DNE trusty_linux-aws-5.0: DNE trusty/esm_linux-aws-5.0: DNE xenial_linux-aws-5.0: DNE bionic_linux-aws-5.0: ignored (was needs-triage now end-of-life) eoan_linux-aws-5.0: DNE focal_linux-aws-5.0: DNE groovy_linux-aws-5.0: DNE devel_linux-aws-5.0: DNE Patches_linux-aws-5.3: upstream_linux-aws-5.3: released (5.10~rc4) precise/esm_linux-aws-5.3: DNE trusty_linux-aws-5.3: DNE trusty/esm_linux-aws-5.3: DNE xenial_linux-aws-5.3: DNE bionic_linux-aws-5.3: ignored (was needs-triage now end-of-life) eoan_linux-aws-5.3: DNE focal_linux-aws-5.3: DNE groovy_linux-aws-5.3: DNE devel_linux-aws-5.3: DNE Patches_linux-aws-hwe: upstream_linux-aws-hwe: released (5.10~rc4) precise/esm_linux-aws-hwe: DNE trusty_linux-aws-hwe: DNE trusty/esm_linux-aws-hwe: DNE xenial_linux-aws-hwe: not-affected (# CONFIG_POWERCAP is not set) esm-infra/xenial_linux-aws-hwe: not-affected (# CONFIG_POWERCAP is not set) bionic_linux-aws-hwe: DNE eoan_linux-aws-hwe: DNE focal_linux-aws-hwe: DNE groovy_linux-aws-hwe: DNE devel_linux-aws-hwe: DNE Patches_linux-azure: upstream_linux-azure: released (5.10~rc4) precise/esm_linux-azure: DNE trusty_linux-azure: ignored (out of standard support) trusty/esm_linux-azure: ignored (was needs-triage ESM criteria) xenial_linux-azure: not-affected (# CONFIG_POWERCAP is not set) esm-infra/xenial_linux-azure: not-affected (# CONFIG_POWERCAP is not set) bionic_linux-azure: ignored (was needs-triage now end-of-life) eoan_linux-azure: ignored (reached end-of-life) focal_linux-azure: not-affected (# CONFIG_POWERCAP is not set) groovy_linux-azure: released (5.8.0-1012.13) devel_linux-azure: not-affected (5.8.0-1016.17+21.04.1) Patches_linux-azure-4.15: upstream_linux-azure-4.15: released (5.10~rc4) precise/esm_linux-azure-4.15: DNE trusty_linux-azure-4.15: DNE trusty/esm_linux-azure-4.15: DNE xenial_linux-azure-4.15: DNE bionic_linux-azure-4.15: not-affected (# CONFIG_POWERCAP is not set) eoan_linux-azure-4.15: DNE focal_linux-azure-4.15: DNE groovy_linux-azure-4.15: DNE devel_linux-azure-4.15: DNE Patches_linux-azure-5.3: upstream_linux-azure-5.3: released (5.10~rc4) precise/esm_linux-azure-5.3: DNE trusty_linux-azure-5.3: DNE trusty/esm_linux-azure-5.3: DNE xenial_linux-azure-5.3: DNE bionic_linux-azure-5.3: ignored (was needs-triage now end-of-life) eoan_linux-azure-5.3: DNE focal_linux-azure-5.3: DNE groovy_linux-azure-5.3: DNE devel_linux-azure-5.3: DNE Patches_linux-azure-edge: upstream_linux-azure-edge: released (5.10~rc4) precise/esm_linux-azure-edge: DNE trusty_linux-azure-edge: DNE trusty/esm_linux-azure-edge: DNE xenial_linux-azure-edge: DNE bionic_linux-azure-edge: ignored (was needs-triage now end-of-life) eoan_linux-azure-edge: DNE focal_linux-azure-edge: DNE groovy_linux-azure-edge: DNE devel_linux-azure-edge: DNE Patches_linux-gcp: upstream_linux-gcp: released (5.10~rc4) precise/esm_linux-gcp: DNE trusty_linux-gcp: DNE trusty/esm_linux-gcp: DNE xenial_linux-gcp: released (4.15.0-1087.100~16.04.1) esm-infra/xenial_linux-gcp: released (4.15.0-1087.100~16.04.1) bionic_linux-gcp: ignored (was needs-triage now end-of-life) eoan_linux-gcp: ignored (reached end-of-life) focal_linux-gcp: released (5.4.0-1029.31) groovy_linux-gcp: released (5.8.0-1011.11) devel_linux-gcp: not-affected (5.8.0-1015.15+21.04.1) Patches_linux-gcp-4.15: upstream_linux-gcp-4.15: released (5.10~rc4) precise/esm_linux-gcp-4.15: DNE trusty_linux-gcp-4.15: DNE trusty/esm_linux-gcp-4.15: DNE xenial_linux-gcp-4.15: DNE bionic_linux-gcp-4.15: released (4.15.0-1087.100) eoan_linux-gcp-4.15: DNE focal_linux-gcp-4.15: DNE groovy_linux-gcp-4.15: DNE devel_linux-gcp-4.15: DNE Patches_linux-gcp-5.3: upstream_linux-gcp-5.3: released (5.10~rc4) precise/esm_linux-gcp-5.3: DNE trusty_linux-gcp-5.3: DNE trusty/esm_linux-gcp-5.3: DNE xenial_linux-gcp-5.3: DNE bionic_linux-gcp-5.3: ignored (was needs-triage now end-of-life) eoan_linux-gcp-5.3: DNE focal_linux-gcp-5.3: DNE groovy_linux-gcp-5.3: DNE devel_linux-gcp-5.3: DNE Patches_linux-gcp-edge: upstream_linux-gcp-edge: released (5.10~rc4) precise/esm_linux-gcp-edge: DNE trusty_linux-gcp-edge: DNE trusty/esm_linux-gcp-edge: DNE xenial_linux-gcp-edge: DNE bionic_linux-gcp-edge: ignored (was needs-triage now end-of-life) eoan_linux-gcp-edge: DNE focal_linux-gcp-edge: DNE groovy_linux-gcp-edge: DNE devel_linux-gcp-edge: DNE Patches_linux-gke-4.15: upstream_linux-gke-4.15: released (5.10~rc4) precise/esm_linux-gke-4.15: DNE trusty_linux-gke-4.15: DNE trusty/esm_linux-gke-4.15: DNE xenial_linux-gke-4.15: DNE bionic_linux-gke-4.15: released (4.15.0-1073.78) eoan_linux-gke-4.15: DNE focal_linux-gke-4.15: DNE groovy_linux-gke-4.15: DNE devel_linux-gke-4.15: DNE Patches_linux-gke-5.0: upstream_linux-gke-5.0: released (5.10~rc4) precise/esm_linux-gke-5.0: DNE trusty_linux-gke-5.0: DNE trusty/esm_linux-gke-5.0: DNE xenial_linux-gke-5.0: DNE bionic_linux-gke-5.0: released (5.0.0-1050.52) eoan_linux-gke-5.0: DNE focal_linux-gke-5.0: DNE groovy_linux-gke-5.0: DNE devel_linux-gke-5.0: DNE Patches_linux-gke-5.3: upstream_linux-gke-5.3: released (5.10~rc4) precise/esm_linux-gke-5.3: DNE trusty_linux-gke-5.3: DNE trusty/esm_linux-gke-5.3: DNE xenial_linux-gke-5.3: DNE bionic_linux-gke-5.3: released (5.3.0-1039.42) eoan_linux-gke-5.3: DNE focal_linux-gke-5.3: DNE groovy_linux-gke-5.3: DNE devel_linux-gke-5.3: DNE Patches_linux-oracle: upstream_linux-oracle: released (5.10~rc4) precise/esm_linux-oracle: DNE trusty_linux-oracle: DNE trusty/esm_linux-oracle: DNE xenial_linux-oracle: released (4.15.0-1058.64~16.04.1) esm-infra/xenial_linux-oracle: released (4.15.0-1058.64~16.04.1) bionic_linux-oracle: released (4.15.0-1058.64) eoan_linux-oracle: ignored (reached end-of-life) focal_linux-oracle: released (5.4.0-1029.31) groovy_linux-oracle: released (5.8.0-1010.10) devel_linux-oracle: not-affected (5.8.0-1014.14+21.04.1) Patches_linux-oracle-5.0: upstream_linux-oracle-5.0: released (5.10~rc4) precise/esm_linux-oracle-5.0: DNE trusty_linux-oracle-5.0: DNE trusty/esm_linux-oracle-5.0: DNE xenial_linux-oracle-5.0: DNE bionic_linux-oracle-5.0: ignored (was needs-triage now end-of-life) eoan_linux-oracle-5.0: DNE focal_linux-oracle-5.0: DNE groovy_linux-oracle-5.0: DNE devel_linux-oracle-5.0: DNE Patches_linux-oracle-5.3: upstream_linux-oracle-5.3: released (5.10~rc4) precise/esm_linux-oracle-5.3: DNE trusty_linux-oracle-5.3: DNE trusty/esm_linux-oracle-5.3: DNE xenial_linux-oracle-5.3: DNE bionic_linux-oracle-5.3: ignored (was needs-triage now end-of-life) eoan_linux-oracle-5.3: DNE focal_linux-oracle-5.3: DNE groovy_linux-oracle-5.3: DNE devel_linux-oracle-5.3: DNE Patches_linux-oem: upstream_linux-oem: released (5.10~rc4) precise/esm_linux-oem: DNE trusty_linux-oem: DNE trusty/esm_linux-oem: DNE xenial_linux-oem: ignored (was needs-triage now end-of-life) bionic_linux-oem: released (4.15.0-1101.112) eoan_linux-oem: ignored (reached end-of-life) focal_linux-oem: DNE groovy_linux-oem: DNE devel_linux-oem: DNE Patches_linux-oem-5.6: upstream_linux-oem-5.6: released (5.10~rc4) precise/esm_linux-oem-5.6: DNE trusty_linux-oem-5.6: DNE trusty/esm_linux-oem-5.6: DNE xenial_linux-oem-5.6: DNE bionic_linux-oem-5.6: DNE eoan_linux-oem-5.6: DNE focal_linux-oem-5.6: released (5.6.0-1033.35) groovy_linux-oem-5.6: DNE devel_linux-oem-5.6: DNE Patches_linux-oem-osp1: upstream_linux-oem-osp1: released (5.10~rc4) precise/esm_linux-oem-osp1: DNE trusty_linux-oem-osp1: DNE trusty/esm_linux-oem-osp1: DNE xenial_linux-oem-osp1: DNE bionic_linux-oem-osp1: released (5.0.0-1071.77) eoan_linux-oem-osp1: ignored (reached end-of-life) focal_linux-oem-osp1: DNE groovy_linux-oem-osp1: DNE devel_linux-oem-osp1: DNE Patches_linux-raspi: upstream_linux-raspi: released (5.10~rc4) precise/esm_linux-raspi: DNE trusty_linux-raspi: DNE trusty/esm_linux-raspi: DNE xenial_linux-raspi: DNE bionic_linux-raspi: DNE eoan_linux-raspi: DNE focal_linux-raspi: not-affected (# CONFIG_INTEL_RAPL is not set) groovy_linux-raspi: released (5.8.0-1007.10) devel_linux-raspi: not-affected (5.8.0-1008.11+21.04.1) Patches_linux-raspi2: upstream_linux-raspi2: released (5.10~rc4) precise/esm_linux-raspi2: DNE trusty_linux-raspi2: DNE trusty/esm_linux-raspi2: DNE xenial_linux-raspi2: not-affected (# CONFIG_INTEL_RAPL is not set) bionic_linux-raspi2: not-affected (# CONFIG_INTEL_RAPL is not set) eoan_linux-raspi2: ignored (reached end-of-life) focal_linux-raspi2: ignored (was needs-triage now end-of-life) groovy_linux-raspi2: DNE devel_linux-raspi2: DNE Patches_linux-raspi2-5.3: upstream_linux-raspi2-5.3: released (5.10~rc4) precise/esm_linux-raspi2-5.3: DNE trusty_linux-raspi2-5.3: DNE trusty/esm_linux-raspi2-5.3: DNE xenial_linux-raspi2-5.3: DNE bionic_linux-raspi2-5.3: not-affected (# CONFIG_INTEL_RAPL is not set) eoan_linux-raspi2-5.3: DNE focal_linux-raspi2-5.3: DNE groovy_linux-raspi2-5.3: DNE devel_linux-raspi2-5.3: DNE Patches_linux-riscv: upstream_linux-riscv: released (5.10~rc4) precise/esm_linux-riscv: DNE trusty_linux-riscv: DNE trusty/esm_linux-riscv: DNE xenial_linux-riscv: DNE bionic_linux-riscv: DNE eoan_linux-riscv: DNE focal_linux-riscv: not-affected (# CONFIG_INTEL_RAPL is not set) groovy_linux-riscv: released (5.8.0-8.9) devel_linux-riscv: not-affected (5.8.0-10.12+21.04.1) Patches_linux-snapdragon: upstream_linux-snapdragon: released (5.10~rc4) precise/esm_linux-snapdragon: DNE trusty_linux-snapdragon: DNE trusty/esm_linux-snapdragon: DNE xenial_linux-snapdragon: not-affected (# CONFIG_INTEL_RAPL is not set) bionic_linux-snapdragon: not-affected (# CONFIG_INTEL_RAPL is not set) eoan_linux-snapdragon: DNE focal_linux-snapdragon: DNE groovy_linux-snapdragon: DNE devel_linux-snapdragon: DNE Patches_linux-hwe-5.4: upstream_linux-hwe-5.4: released (5.10~rc4) precise/esm_linux-hwe-5.4: DNE trusty_linux-hwe-5.4: DNE trusty/esm_linux-hwe-5.4: DNE xenial_linux-hwe-5.4: DNE bionic_linux-hwe-5.4: released (5.4.0-53.59~18.04.1) focal_linux-hwe-5.4: DNE groovy_linux-hwe-5.4: DNE devel_linux-hwe-5.4: DNE Patches_linux-aws-5.4: upstream_linux-aws-5.4: released (5.10~rc4) precise/esm_linux-aws-5.4: DNE trusty_linux-aws-5.4: DNE trusty/esm_linux-aws-5.4: DNE xenial_linux-aws-5.4: DNE bionic_linux-aws-5.4: not-affected (# CONFIG_POWERCAP is not set) focal_linux-aws-5.4: DNE groovy_linux-aws-5.4: DNE devel_linux-aws-5.4: DNE Patches_linux-azure-5.4: upstream_linux-azure-5.4: released (5.10~rc4) precise/esm_linux-azure-5.4: DNE trusty_linux-azure-5.4: DNE trusty/esm_linux-azure-5.4: DNE xenial_linux-azure-5.4: DNE bionic_linux-azure-5.4: not-affected (# CONFIG_POWERCAP is not set) focal_linux-azure-5.4: DNE groovy_linux-azure-5.4: DNE devel_linux-azure-5.4: DNE Patches_linux-gcp-5.4: upstream_linux-gcp-5.4: released (5.10~rc4) precise/esm_linux-gcp-5.4: DNE trusty_linux-gcp-5.4: DNE trusty/esm_linux-gcp-5.4: DNE xenial_linux-gcp-5.4: DNE bionic_linux-gcp-5.4: released (5.4.0-1029.31~18.04.1) focal_linux-gcp-5.4: DNE groovy_linux-gcp-5.4: DNE devel_linux-gcp-5.4: DNE Patches_linux-oracle-5.4: upstream_linux-oracle-5.4: released (5.10~rc4) precise/esm_linux-oracle-5.4: DNE trusty_linux-oracle-5.4: DNE trusty/esm_linux-oracle-5.4: DNE xenial_linux-oracle-5.4: DNE bionic_linux-oracle-5.4: released (5.4.0-1029.31~18.04.1) focal_linux-oracle-5.4: DNE groovy_linux-oracle-5.4: DNE devel_linux-oracle-5.4: DNE Patches_linux-raspi-5.4: upstream_linux-raspi-5.4: released (5.10~rc4) precise/esm_linux-raspi-5.4: DNE trusty_linux-raspi-5.4: DNE trusty/esm_linux-raspi-5.4: DNE xenial_linux-raspi-5.4: DNE bionic_linux-raspi-5.4: not-affected (# CONFIG_INTEL_RAPL is not set) focal_linux-raspi-5.4: DNE groovy_linux-raspi-5.4: DNE devel_linux-raspi-5.4: DNE Patches_linux-hwe-5.8: upstream_linux-hwe-5.8: released (5.10~rc4) precise/esm_linux-hwe-5.8: DNE trusty_linux-hwe-5.8: DNE trusty/esm_linux-hwe-5.8: DNE xenial_linux-hwe-5.8: DNE bionic_linux-hwe-5.8: DNE focal_linux-hwe-5.8: pending (5.8.0-28.30~20.04.1) groovy_linux-hwe-5.8: DNE devel_linux-hwe-5.8: DNE Patches_linux-gke-5.4: upstream_linux-gke-5.4: released (5.10~rc4) precise/esm_linux-gke-5.4: DNE trusty_linux-gke-5.4: DNE trusty/esm_linux-gke-5.4: DNE xenial_linux-gke-5.4: DNE bionic_linux-gke-5.4: pending (5.4.0-1029.31~18.04.1) focal_linux-gke-5.4: DNE groovy_linux-gke-5.4: DNE devel_linux-gke-5.4: DNE Patches_linux-gkeop-5.4: upstream_linux-gkeop-5.4: released (5.10~rc4) precise/esm_linux-gkeop-5.4: DNE trusty_linux-gkeop-5.4: DNE trusty/esm_linux-gkeop-5.4: DNE xenial_linux-gkeop-5.4: DNE bionic_linux-gkeop-5.4: pending (5.4.0-1004.5) focal_linux-gkeop-5.4: DNE groovy_linux-gkeop-5.4: DNE devel_linux-gkeop-5.4: DNE