CVE-2020-0543
Published: 9 June 2020
Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
From the Ubuntu Security Team
It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. A local attacker could use this to expose sensitive information.
Notes
| Author | Note |
|---|---|
| tyhicks | This issue only affects Intel client and Xeon E3 processors |
| sbeattie | also known as "CrossTalk" |
| sbeattie | Affected processor families: ============= ============ ======== common name Family_Model Stepping ============= ============ ======== IvyBridge 06_3AH All Haswell 06_3CH All Haswell_L 06_45H All Haswell_G 06_46H All Broadwell_G 06_47H All Broadwell 06_3DH All Skylake_L 06_4EH All Skylake 06_5EH All Kabylake_L 06_8EH <= 0xC Kabylake 06_9EH <= 0xD ============= ============ ======== |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
intel-microcode Launchpad, Ubuntu, Debian |
bionic |
Released
(3.20200609.0ubuntu0.18.04.0)
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Released
(3.20200609.0ubuntu0.19.10.0)
|
|
| focal |
Released
(3.20200609.0ubuntu0.20.04.0)
|
|
| groovy |
Released
(3.20200609.0ubuntu0.20.04.0)
|
|
| jammy |
Not vulnerable
|
|
| kinetic |
Not vulnerable
|
|
| lunar |
Not vulnerable
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Released
(3.20200609.0ubuntu0.14.04.0)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needed
|
|
| xenial |
Released
(3.20200609.0ubuntu0.16.04.0)
|
|
|
xen Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Released
(4.11.3+24-g14b62ab3e5-1ubuntu2.3)
|
|
| jammy |
Not vulnerable
(4.14)
|
|
| kinetic |
Not vulnerable
(4.14)
|
|
| lunar |
Not vulnerable
(4.14)
|
|
| mantic |
Not vulnerable
(4.14)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.14)
|
|
| xenial |
Needs triage
|
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References
- https://www.vusec.net/projects/crosstalk
- https://software.intel.com/security-software-guidance/software-guidance/special-register-buffer-data-sampling
- https://software.intel.com/security-software-guidance/insights/deep-dive-special-register-buffer-data-sampling
- https://software.intel.com/security-software-guidance/insights/processors-affected-special-register-buffer-data-sampling
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html
- https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
- https://ubuntu.com/security/notices/USN-4385-1
- https://ubuntu.com/security/notices/USN-4391-1
- https://ubuntu.com/security/notices/USN-4392-1
- https://ubuntu.com/security/notices/USN-4393-1
- https://ubuntu.com/security/notices/USN-4387-1
- https://ubuntu.com/security/notices/USN-4389-1
- https://ubuntu.com/security/notices/USN-4390-1
- https://ubuntu.com/security/notices/USN-4388-1
- https://ubuntu.com/security/notices/USN-5617-1
- https://www.cve.org/CVERecord?id=CVE-2020-0543
- NVD
- Launchpad
- Debian