CVE-2020-8694

Published: 10 November 2020

Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

From the Ubuntu Security Team

Moritz Lipp, Michael Schwarz, Andreas Kogler, David Oswald, Catherine Easdon, Claudio Canella, and Daniel Gruss discovered that the Intel Running Average Power Limit (RAPL) driver in the Linux kernel did not properly restrict access to power data. A local attacker could possibly use this to expose sensitive information.

Notes

Author: sbeattie
Note: fix will be to adjust the access control bits on the RAPL sysfs files.

Mitigation

Restrict permissions on the affected sysfs entries:
  $ sudo find /sys/devices/virtual/powercap/ -name energy_uj -exec chmod 400 {} \;
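To confirm the mitigation took effect, the following check lists any `energy_uj` file still readable by group or other. It is an added example, not part of the Ubuntu advisory; the function names `rapl_exposed_files` and `rapl_mitigated` are hypothetical, and treating any read bit beyond the owner as exposed is an assumption taken from the `400` mode above.

```shell
#!/bin/sh
# Added example: audit RAPL energy counters against the CVE-2020-8694 mitigation.
# Function names are hypothetical; the default path is the one used in the
# mitigation command on this page.

# Print every energy_uj file under $1 that group or other can read.
rapl_exposed_files() {
    root=${1:-/sys/devices/virtual/powercap}
    # No powercap tree (e.g. CONFIG_POWERCAP not set): nothing to report.
    [ -d "$root" ] || return 0
    # -perm -MODE is POSIX: true when all bits in MODE are set.
    find "$root" -name energy_uj \( -perm -004 -o -perm -040 \) 2>/dev/null
}

# Succeed only when no energy_uj file is readable beyond its owner.
rapl_mitigated() {
    [ -z "$(rapl_exposed_files "$1")" ]
}

# Stand-alone run against the live sysfs tree (read-only, no root needed).
if rapl_mitigated; then
    echo "RAPL energy counters: no group/other read access found"
else
    echo "RAPL energy counters readable by unprivileged users:"
    rapl_exposed_files
fi
```

Modes set with `chmod` on sysfs do not survive a reboot or a reload of the RAPL driver, so on a kernel without the fix the mitigation and this check need to run at every boot.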

Priority

Medium

CVSS 3 Severity Score

5.6

Status

Package Release Status
linux
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-123.126)
focal
Released (5.4.0-53.59)
groovy
Released (5.8.0-28.30)
trusty
Released (3.13.0-183.234)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
xenial
Released (4.4.0-194.226)
eoan Ignored
(end of life)
upstream
Released (5.10~rc4)
Patches:
Introduced by 2d281d8196e38dd3a4ee9af26621ddde8329f269
Fixed by 949dd0104c496fa7c14991a23c03c62e44637e71|local-CVE-2020-8694
linux-aws
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_POWERCAP is not set)
focal Not vulnerable
(# CONFIG_POWERCAP is not set)
groovy
Released (5.8.0-1013.14)
trusty Ignored
(was needs-triage ESM criteria)
xenial Not vulnerable
(# CONFIG_POWERCAP is not set)
eoan Ignored
(end of life)
upstream
Released (5.10~rc4)
linux-aws-5.0
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-aws-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

linux-aws-5.4
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_POWERCAP is not set)
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-aws-hwe
Launchpad, Ubuntu, Debian
eoan Does not exist

focal Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Not vulnerable
(# CONFIG_POWERCAP is not set)
bionic Does not exist

groovy Does not exist

linux-azure
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
focal Not vulnerable
(# CONFIG_POWERCAP is not set)
groovy
Released (5.8.0-1012.13)
trusty Ignored
(was needs-triage ESM criteria)
upstream
Released (5.10~rc4)
xenial Not vulnerable
(# CONFIG_POWERCAP is not set)
eoan Ignored
(end of life)
linux-azure-4.15
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_POWERCAP is not set)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-azure-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-azure-5.4
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_POWERCAP is not set)
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-azure-edge
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-gcp
Launchpad, Ubuntu, Debian
focal
Released (5.4.0-1029.31)
groovy
Released (5.8.0-1011.11)
upstream
Released (5.10~rc4)
xenial
Released (4.15.0-1087.100~16.04.1)
bionic Ignored
(end of life, was needs-triage)
eoan Ignored
(end of life)
trusty Does not exist

linux-gcp-4.15
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1087.100)
eoan Does not exist

focal Does not exist

groovy Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

trusty Does not exist

linux-gcp-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

eoan Does not exist

focal Does not exist

linux-gcp-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1029.31~18.04.1)
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-gcp-edge
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-gke-4.15
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1073.78)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-gke-5.0
Launchpad, Ubuntu, Debian
bionic
Released (5.0.0-1050.52)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-gke-5.3
Launchpad, Ubuntu, Debian
bionic
Released (5.3.0-1039.42)
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

eoan Does not exist

linux-hwe
Launchpad, Ubuntu, Debian
bionic
Released (5.3.0-69.65)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial
Released (4.15.0-123.126~16.04.1)
linux-hwe-5.4
Launchpad, Ubuntu, Debian
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

bionic
Released (5.4.0-53.59~18.04.1)
linux-hwe-edge
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Ignored
(end of life, was needs-triage)
eoan Does not exist

linux-kvm
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_POWERCAP is not set)
eoan Ignored
(end of life)
focal Not vulnerable
(# CONFIG_POWERCAP is not set)
groovy
Released (5.8.0-1009.10)
upstream
Released (5.10~rc4)
xenial Not vulnerable
(# CONFIG_POWERCAP is not set)
trusty Does not exist

linux-lts-trusty
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

focal Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

groovy Does not exist

linux-lts-xenial
Launchpad, Ubuntu, Debian
trusty
Released (4.4.0-194.226~14.04.1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
upstream
Released (5.10~rc4)
xenial Does not exist

bionic Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

linux-oem
Launchpad, Ubuntu, Debian
eoan Ignored
(end of life)
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Ignored
(end of standard support, was needs-triage)
bionic
Released (4.15.0-1101.112)
linux-oem-5.6
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

focal
Released (5.6.0-1033.35)
groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-oem-osp1
Launchpad, Ubuntu, Debian
bionic
Released (5.0.0-1071.77)
eoan Ignored
(end of life)
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-oracle
Launchpad, Ubuntu, Debian
bionic
Released (4.15.0-1058.64)
eoan Ignored
(end of life)
focal
Released (5.4.0-1029.31)
groovy
Released (5.8.0-1010.10)
trusty Does not exist

upstream
Released (5.10~rc4)
xenial
Released (4.15.0-1058.64~16.04.1)
linux-oracle-5.0
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-oracle-5.3
Launchpad, Ubuntu, Debian
bionic Ignored
(end of life, was needs-triage)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-oracle-5.4
Launchpad, Ubuntu, Debian
bionic
Released (5.4.0-1029.31~18.04.1)
focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-raspi
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

focal Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
groovy
Released (5.8.0-1007.10)
trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-raspi-5.4
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

focal Does not exist

linux-raspi2
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
eoan Ignored
(end of life)
focal Ignored
(end of life, was needs-triage)
groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
linux-raspi2-5.3
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-riscv
Launchpad, Ubuntu, Debian
bionic Does not exist

eoan Does not exist

focal Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
groovy
Released (5.8.0-8.9)
trusty Does not exist

upstream
Released (5.10~rc4)
xenial Does not exist

linux-snapdragon
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
eoan Does not exist

focal Does not exist

groovy Does not exist

trusty Does not exist

upstream
Released (5.10~rc4)
xenial Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
linux-hwe-5.8
Launchpad, Ubuntu, Debian
bionic Does not exist

groovy Does not exist

trusty Does not exist

xenial Does not exist

focal Pending
(5.8.0-28.30~20.04.1)
upstream
Released (5.10~rc4)
linux-gke-5.4
Launchpad, Ubuntu, Debian
focal Does not exist

trusty Does not exist

xenial Does not exist

groovy Does not exist

bionic Pending
(5.4.0-1029.31~18.04.1)
upstream
Released (5.10~rc4)
linux-gkeop-5.4
Launchpad, Ubuntu, Debian
trusty Does not exist

xenial Does not exist

focal Does not exist

groovy Does not exist

bionic Pending
(5.4.0-1004.5)
upstream
Released (5.10~rc4)

Severity score breakdown

Parameter Value
Base score 5.6
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N