IPAS: INTEL-SA-00329

Update (2/19/2020): Microcode updates that address this issue have been provided to Original Equipment Manufacturers (OEMs). Please check with your system provider on the availability of these updates for your system.

Hello,

Today we released INTEL-SA-00329, Intel® Processors Data Leakage Advisory, concerning two vulnerabilities that were publicly disclosed by researchers. As part of our commitment to transparency, the advisory has been released before our planned mitigations can be made available, and we expect to release mitigations through our normal Intel Platform Update (IPU) process in the near future.

These issues are closely related to INTEL-SA-00233, released in November 2019, which addressed an issue called Transactional Synchronization Extensions (TSX) Asynchronous Abort, or TAA. At the time, we confirmed the possibility that some amount of data could still potentially be inferred through a side-channel and that this would be addressed in future microcode updates. The issues have been referred to by researchers as Zombieload, RIDL, and CacheOut.

Since May 2019, starting with Microarchitectural Data Sampling (MDS), and then in November with TAA, we and our system software partners have released mitigations that have cumulatively and substantially reduced the overall attack surface for these types of issues. We continue to conduct research in this area – internally, and in conjunction with the external research community.

More information about INTEL-SA-00329:

CVE-2020-0548 is an information disclosure vulnerability with a CVSS score of 2.8, low, referred to as Vector Register Sampling. This issue is rated “low” because the user would first need to be authenticated on the target system, the attack complexity is high, and confidence in the attacker’s ability to target and retrieve relevant data is low.

For more information on Vector Register Sampling, see the Intel whitepaper and affected products:
https://software.intel.com/security-software-guidance/software-guidance/vector-register-sampling
https://software.intel.com/security-software-guidance/insights/processors-affected-vector-register-sampling

CVE-2020-0549 is also an information disclosure vulnerability requiring authenticated local access. The CVSS score is 6.5, medium. This issue is referred to as L1D Eviction Sampling; its severity score is higher because the attack complexity is lower and the ability to target specific data is higher. This vulnerability has little to no impact in virtual environments that have applied L1 Terminal Fault mitigations.

For more information on L1D Eviction Sampling, see the Intel whitepaper and affected products:
https://software.intel.com/security-software-guidance/software-guidance/l1d-eviction-sampling 
https://software.intel.com/security-software-guidance/insights/processors-affected-l1d-eviction-sampling

To date, we are not aware of any use of these issues outside of a controlled lab environment.

Jerry Bryant
Director of Communications
Intel Product Assurance and Security
