ID

VAR-202006-0241

CVE

CVE-2020-0543

TITLE

plural  Intel(R)  Information leakage vulnerabilities in products

DESCRIPTION

Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. plural Intel(R) The product contains a vulnerability related to information leakage.Information may be obtained. Intel 06_3DH and Intel 06_9EH are both a central processing unit (CPU) product of Intel Corporation of the United States. Security vulnerabilities exist in several Intel products. The following products and versions are affected: Intel Celeron 1000M; Celeron 1005M; Celeron 1007U; Celeron 1019Y; Celeron 1020m, etc. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4699-1 security@debian.org https://www.debian.org/security/ Ben Hutchings June 09, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2019-3016 CVE-2019-19462 CVE-2020-0543 CVE-2020-10711 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12768 CVE-2020-12770 CVE-2020-13143 Debian Bug : 960271 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2019-3016 It was discovered that the KVM implementation for x86 did not always perform TLB flushes when needed, if the paravirtualised TLB flush feature was enabled. This could lead to disclosure of sensitive information within a guest VM. CVE-2019-19462 The syzkaller tool found a missing error check in the 'relay' library used to implement various files under debugfs. A local user permitted to access debugfs could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2020-0543 Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs. This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian's non-free archive section. This kernel update only provides reporting of the vulnerability and the option to disable the mitigation if it is not needed. CVE-2020-10711 Matthew Sheets reported NULL pointer dereference issues in the SELinux subsystem while receiving CIPSO packet with null category. A remote attacker can take advantage of this flaw to cause a denial of service (crash). Note that this issue does not affect the binary packages distributed in Debian as CONFIG_NETLABEL is not enabled. CVE-2020-10732 An information leak of kernel private memory to userspace was found in the kernel's implementation of core dumping userspace processes. CVE-2020-10751 Dmitry Vyukov reported that the SELinux subsystem did not properly handle validating multiple messages, which could allow a privileged attacker to bypass SELinux netlink restrictions. CVE-2020-10757 Fan Yang reported a flaw in the way mremap handled DAX hugepages, allowing a local user to escalate their privileges. CVE-2020-12114 Piotr Krysiuk discovered a race condition between the umount and pivot_root operations in the filesystem core (vfs). A local user with the CAP_SYS_ADMIN capability in any user namespace could use this to cause a denial of service (crash). CVE-2020-12464 Kyungtae Kim reported a race condition in the USB core that can result in a use-after-free. It is not clear how this can be exploited, but it could result in a denial of service (crash or memory corruption) or privilege escalation. CVE-2020-12768 A bug was discovered in the KVM implementation for AMD processors, which could result in a memory leak. The security impact of this is unclear. CVE-2020-12770 It was discovered that the sg (SCSI generic) driver did not correctly release internal resources in a particular error case. A local user permitted to access an sg device could possibly use this to cause a denial of service (resource exhaustion). CVE-2020-13143 Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation. For the stable distribution (buster), these problems have been fixed in version 4.19.118-2+deb10u1. This version also fixes some related bugs that do not have their own CVE IDs, and a regression in the <linux/swab.h> UAPI header introduced in the previous point release (bug #960271). We recommend that you upgrade your linux packages. For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl7f5cVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Q2Gg//b/hL9fW9Js1PYDU/VtS6r5Cca5xsCYlbAheAlMPMtm/Vym4NJOuEvyuI DvPXbf0Bi7gjQ0gEgM/urJTzqjzIccwrUQe1aFHt0N9exC53z1xPWZDJepGkSQOB 2AB5YaFTxkuGur/HXbKomdMWvSVphpBM+id9v2V1iWY2iA6cI1sCjgziUKcDMECD T7tCe4Hrjf6BY/W4xBiT0BEQNOO2i/rn7p9pNk+wi85BbC7g5ubKWGn9sSDd8KtA u2z5tsicaM7kXaPsaW11fSPxu7YOz09qLgBQnY8B2gdMEAp3YjN9ibyHppjme3GK 02ZZUHQ+Y4MyQQgCzWxaqXCu6Aa+4B5i2nTY907BVBslrfulKRbr1qS3D2CJojT/ qYVub7C5RCW5VnbJZxCDLgSmGRbyPW2pVpnBTvID8czTUhd+M5e6fW932TzUW07w 18ueto1fRlcAauIO3SQV7Ai9froFGjH4L8XbUipiv0qwotSjcPb4HoZpp0xgNcRU xjZW0MMhK/lyfe8gDx8wjpihbQVKtTtIaWbeoZPoMENE92yW8+7DbXjfXAylX3px IdVaeo7iF3MOYuez4qEAsyPF4ver8Xl9HKS05J9NUYUeRf2BF3M6xFWjpTm5xjoH bdIGBJ322sNjTAzkneriX5iO3szBDINPHII2V/AaqafhYZYWtoM= =c00Y -----END PGP SIGNATURE----- . Summary: An update for microcode_ctl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: The microcode_ctl packages provide microcode updates for Intel. Security Fix(es): * hw: Special Register Buffer Data Sampling (SRBDS) (CVE-2020-0543) * hw: Vector Register Data Sampling (CVE-2020-0548) * hw: L1D Cache Eviction Sampling (CVE-2020-0549) * hw: vt-d related privilege escalation (CVE-2020-24489) * hw: improper isolation of shared resources in some Intel Processors (CVE-2020-24511) * hw: observable timing discrepancy in some Intel Processors (CVE-2020-24512) * hw: Information disclosure issue in Intel SGX via RAPL interface (CVE-2020-8695) * hw: Vector Register Leakage-Active (CVE-2020-8696) * hw: Fast forward store predictor (CVE-2020-8698) 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1788786 - CVE-2020-0548 hw: Vector Register Data Sampling 1788788 - CVE-2020-0549 hw: L1D Cache Eviction Sampling 1827165 - CVE-2020-0543 hw: Special Register Buffer Data Sampling (SRBDS) 1828583 - CVE-2020-8695 hw: Information disclosure issue in Intel SGX via RAPL interface 1890355 - CVE-2020-8696 hw: Vector Register Leakage-Active 1890356 - CVE-2020-8698 hw: Fast forward store predictor 1897684 - [rhel-7.9.z] Re-enable 06-5e-03 (SKL-H/S, CPUID 0x506e3) latest microcode updates 1962650 - CVE-2020-24489 hw: vt-d related privilege escalation 1962702 - CVE-2020-24511 hw: improper isolation of shared resources in some Intel Processors 1962722 - CVE-2020-24512 hw: observable timing discrepancy in some Intel Processors 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: microcode_ctl-2.1-73.11.el7_9.src.rpm x86_64: microcode_ctl-2.1-73.11.el7_9.x86_64.rpm microcode_ctl-debuginfo-2.1-73.11.el7_9.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: microcode_ctl-2.1-73.11.el7_9.src.rpm x86_64: microcode_ctl-2.1-73.11.el7_9.x86_64.rpm microcode_ctl-debuginfo-2.1-73.11.el7_9.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: microcode_ctl-2.1-73.11.el7_9.src.rpm x86_64: microcode_ctl-2.1-73.11.el7_9.x86_64.rpm microcode_ctl-debuginfo-2.1-73.11.el7_9.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: microcode_ctl-2.1-73.11.el7_9.src.rpm x86_64: microcode_ctl-2.1-73.11.el7_9.x86_64.rpm microcode_ctl-debuginfo-2.1-73.11.el7_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-0543 https://access.redhat.com/security/cve/CVE-2020-0548 https://access.redhat.com/security/cve/CVE-2020-0549 https://access.redhat.com/security/cve/CVE-2020-8695 https://access.redhat.com/security/cve/CVE-2020-8696 https://access.redhat.com/security/cve/CVE-2020-8698 https://access.redhat.com/security/cve/CVE-2020-24489 https://access.redhat.com/security/cve/CVE-2020-24511 https://access.redhat.com/security/cve/CVE-2020-24512 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYRD++tzjgjWX9erEAQhA1A//eeO88DFGpTcHgCHrsXimUtK3MZX0RppT 5UOWuXgmPJniMPDALpkfTNTnNGASjBB+WDclaW2d/sZf52PzYLao5wGVIYdUx3Nl l9IvbGNMm0F7eI7aHdT2QnUhQQl1IpJrbmkhvBM2w85EmOfqlq+CpXnJMRXzoRdv sFPrWAo1opDNnBV6iYAnyULHFuWwcvU28n3JU945W8p/PvqJgSze77i4dmpzYkBj ljzVrIUl2pizBmnQMj03JJ+YeB8+oKb0uD2RdqHoxkUSFGH9OW6s/qytHu/eR4uL Y7WmIfHUxGsVRcmIjo/VaAvvWs4A3hdOL3nGdRAMQOKp+VoDcX7VDNURoxK/bkcJ OepHSyfWPCVXvOmU5l2ov1uzVQ/F+ajeevMehuzwQlTAIur5qE2eQ2Mwitfh/7WZ W3x67peCz51zVPtb7rkQfpzQzZKkjSAAclOYMzltv2PA5vSXZy8+hEqWZwqtesQn ltz36bjQMvRRhr1yGDbaFI5dcTB8T/eIkzmD6wPfbd7r7SEuE0GUd8Yf69VghGL2 f+mvR8oWb2x3RHXbpFm4aIt5mJHqIgfXDAohz7lXgLyJwQefyeJ5w+W8nOe+ZSK/ yvfiVQZz9tvPq8yqC87YWTA7zcnhoSmPvXRicJakpfJL/oz043Tc17jqxIra36sA UjXnNBNse8A=LIYI -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================= Ubuntu Security Notice USN-4390-1 June 10, 2020 linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 ESM Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services (AWS) systems - linux-azure-4.15: Linux kernel for Microsoft Azure Cloud systems - linux-gke-4.15: Linux kernel for Google Container Engine (GKE) systems - linux-kvm: Linux kernel for cloud environments - linux-oem: Linux kernel for OEM systems - linux-oracle: Linux kernel for Oracle Cloud systems - linux-aws-hwe: Linux kernel for Amazon Web Services (AWS-HWE) systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems - linux-hwe: Linux hardware enablement (HWE) kernel Details: It was discovered that the F2FS file system implementation in the Linux kernel did not properly perform bounds checking on xattrs in some situations. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2020-0067) It was discovered that memory contents previously stored in microarchitectural special registers after RDRAND, RDSEED, and SGX EGETKEY read operations on Intel client and Xeon E3 processors may be briefly exposed to processes on the same or different processor cores. (CVE-2020-12114) It was discovered that the USB susbsystem's scatter-gather implementation in the Linux kernel did not properly take data references in some situations, leading to a use-after-free. (CVE-2020-12464) Xiumei Mu discovered that the IPSec implementation in the Linux kernel did not properly encrypt IPv6 traffic in some situations. An attacker could use this to expose sensitive information. (CVE-2020-1749) Dmitry Vyukov discovered that the SELinux netlink security hook in the Linux kernel did not validate messages in some situations. (CVE-2020-10751) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS: linux-image-4.15.0-1045-oracle 4.15.0-1045.49 linux-image-4.15.0-106-generic 4.15.0-106.107 linux-image-4.15.0-106-generic-lpae 4.15.0-106.107 linux-image-4.15.0-106-lowlatency 4.15.0-106.107 linux-image-4.15.0-1063-gke 4.15.0-1063.66 linux-image-4.15.0-1067-kvm 4.15.0-1067.68 linux-image-4.15.0-1073-aws 4.15.0-1073.77 linux-image-4.15.0-1087-oem 4.15.0-1087.97 linux-image-4.15.0-1089-azure 4.15.0-1089.99 linux-image-aws-lts-18.04 4.15.0.1073.76 linux-image-azure-lts-18.04 4.15.0.1089.60 linux-image-generic 4.15.0.106.94 linux-image-generic-lpae 4.15.0.106.94 linux-image-gke 4.15.0.1063.65 linux-image-gke-4.15 4.15.0.1063.65 linux-image-kvm 4.15.0.1067.63 linux-image-lowlatency 4.15.0.106.94 linux-image-oem 4.15.0.1087.91 linux-image-oracle-lts-18.04 4.15.0.1045.54 linux-image-powerpc-e500mc 4.15.0.106.94 linux-image-powerpc-smp 4.15.0.106.94 linux-image-powerpc64-emb 4.15.0.106.94 linux-image-powerpc64-smp 4.15.0.106.94 linux-image-virtual 4.15.0.106.94 Ubuntu 16.04 LTS: linux-image-4.15.0-1045-oracle 4.15.0-1045.49~16.04.1 linux-image-4.15.0-106-generic 4.15.0-106.107~16.04.1 linux-image-4.15.0-106-generic-lpae 4.15.0-106.107~16.04.1 linux-image-4.15.0-106-lowlatency 4.15.0-106.107~16.04.1 linux-image-4.15.0-1073-aws 4.15.0-1073.77~16.04.1 linux-image-4.15.0-1077-gcp 4.15.0-1077.87~16.04.1 linux-image-4.15.0-1089-azure 4.15.0-1089.99~16.04.1 linux-image-aws-hwe 4.15.0.1073.73 linux-image-azure 4.15.0.1089.84 linux-image-azure-edge 4.15.0.1089.84 linux-image-gcp 4.15.0.1077.79 linux-image-generic-hwe-16.04 4.15.0.106.111 linux-image-generic-lpae-hwe-16.04 4.15.0.106.111 linux-image-gke 4.15.0.1077.79 linux-image-lowlatency-hwe-16.04 4.15.0.106.111 linux-image-oem 4.15.0.106.111 linux-image-oracle 4.15.0.1045.38 linux-image-virtual-hwe-16.04 4.15.0.106.111 Ubuntu 14.04 ESM: linux-image-4.15.0-1089-azure 4.15.0-1089.99~14.04.1 linux-image-azure 4.15.0.1089.66 Please note that the mitigation for CVE-2020-0543 requires a processor microcode update to be applied, either from your system manufacturer or via the intel-microcode package. After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. Unfortunately, that update prevented certain processors in the Intel Skylake family (06_4EH) from booting successfully. Additonally, on Ubuntu 20.04 LTS, late loading of microcode was enabled, which could lead to system instability. Please note that the 'dis_ucode_ldr' kernel command line option can be added in the boot menu to disable microcode loading for system recovery. We apologize for the inconvenience. (CVE-2020-0548) It was discovered that on some Intel processors, data from the most recently evicted modified L1 data cache (L1D) line may be propagated into an unused (invalid) L1D fill buffer

AFFECTED PRODUCTS