Processor MMIO Stale Data Vulnerabilities

ID 733965
Updated 6/14/2022
Version Latest
Public

author-image

By

 Disclosure date:
2022-06-14
Published date:
2022-06-14
Severity rating:
6.1 Medium
Industry-wide severity ratings can be found in the National Vulnerability Database

Related Content

Overview

Processor MMIO Stale Data Vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities that can expose data. When a processor core reads or writes MMIO, the transaction is normally done with uncacheable or write-combining memory types and is routed through the uncore, which is a section of logic in the CPU that is shared by physical processor cores and provides several common services. Malicious actors may use uncore buffers and mapped registers to leak information from different hardware threads within the same physical core or across cores.

Processor MMIO Stale Data Vulnerabilities are not transient execution attacks. However, these vulnerabilities may propagate stale data into core fill buffers where the data may subsequently be inferred by an unmitigated transient execution attack with transient execution attacks. These vulnerabilities involve operations that result in stale data being directly read into an architectural, software-visible state or sampled from a buffer or register. In some attack scenarios, stale data may already reside in a microarchitectural buffer. In other attack scenarios, malicious actors or confused deputy code may propagate data from microarchitecture locations such as fill buffers.

Four Processor MMIO Stale Data Vulnerabilities have been assigned the CVEs shown below. These vulnerabilities may be combined with data propagators to potentially enable malicious actors to read stale data:

Not all Intel processors are affected by each of these vulnerabilities. For instance, most processors for the server market are impacted only by DRPW.

Mitigation

The SRBDS Update mitigation affects the same processors that received the original SRBDS mitigation, as well as some newer processors that were not affected by SRBDS but are affected by certain Processor Stale Data MMIO vulnerabilities. 

For the remaining vulnerabilities, mitigations include a combination of microcode updates and software changes.

In some cases, the mitigation approach used may depend on the security/trust model and configuration of the system software (OS, VMM). 

For each vulnerability, there are two broad strategies that software can take: 

  • Preventing secret data from getting into buffers from which it can be extracted (blocking propagators). 
  • Preventing untrusted software from extracting data from vulnerable buffers (blocking vulnerabilities).

The first strategy generally involves using operations to overwrite secret data before it could be transferred to the affected buffer. On products not affected by the Microarchitectural Fill Buffer Data Sampling or Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort vulnerabilities, there may be some software usage models or configurations where the second strategy can be employed for all untrusted software. In these cases, it is acceptable for secret data to reside in affected buffers without overwriting the buffers because potential attackers are prevented from extracting any data. 

To simplify mitigation, we assume system software has already mitigated the MDS family of issues. Refer to the MDS documentation for more details on these mitigations. It is also assumed that the latest microcode updates will be installed on any affected systems.

Affected Processors

Refer to the 2022 tab of the consolidated Affected Processors tableDevice Register Partial Write (DRPW)Shared Buffers Data Read (SBDR), and Shared Buffers Data Sampling (SBDS) columns.

Note: The SRBDS Update mitigation affects the same processors that received the original SRBDS mitigation, as well as some newer processors that were not affected by SRBDS but are affected by certain Processor Stale Data MMIO vulnerabilities. 

 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources