The latest security information on Intel® products.

Q2 2018 Speculative Execution Side Channel Update

Summary:

Security researchers identified two software analysis methods that, if used for malicious purposes, have the potential to improperly gather sensitive data from multiple types of computing devices with different vendors’ processors and operating systems.

Intel is committed to product and customer security and to coordinated disclosure. We worked closely with other technology companies and several operating system and system software vendors, developing an industry-wide approach to mitigate these issues promptly.

For facts about these new methods, technical resources, and steps you can take to help protect your systems and information please visit: https://www.intel.com/securityfirst.

Description:

CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as Variant 4

• Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
• 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

• Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.
• 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Affected products:

Please check with your system vendor or equipment manufacturer for more information regarding updates for your system. For non-Intel based systems please contact your system manufacturer or microprocessor vendor.

A list of impacted products can be found here.

Recommendations:

Most leading browser providers have recently deployed mitigations in their Managed Runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.

Intel has released Beta microcode updates to operating system vendors, equipment manufacturers, and other ecosystem partners adding support for Speculative Store Bypass Disable (SSBD). SSBD provides additional protection by providing a means for system software to completely inhibit a Speculative Store Bypass from occurring if desired.  This is documented in whitepapers located at Intel’s Software Side-Channel Security site.    Most major operating system and hypervisors will add support for Speculative Store Bypass Disable (SSBD) starting as early as May 21, 2018.

The microcode updates will also address Rogue System Register Read (RSRR) – CVE-2018-3640 by ensuring that RDMSR instructions will not speculatively return data under certain conditions.  This is documented in whitepapers located at Intel’s Software Side-Channel Security site. No operating system or hypervisor changes are required to support the RDMSR change.

A listing of microcode updates that have been production qualified can be found here and will be updated as necessary. It is expected that remaining microcode updates, currently in beta, will be production qualified in the coming weeks. Intel recommends end users and systems administrators check with their OEM and system software vendors and apply any available updates as soon as practical.

Additional Advisory Guidance on CVE-2018-3639 available here.

Acknowledgements:

Intel would like to acknowledge and thank Jann Horn of Google Project Zero (GPZ) and Ken Johnson of the Microsoft Security Response Center (MSRC) for independently reporting CVE-2018-3639.

Intel would like to acknowledge and thank Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (https://sysgo.com) for reporting CVE-2018-3640. Intel would also like to acknowledge and thank Innokentiy Sennovskiy from BiZone LLC (bi.zone).

Intel would like to thank Kekai Hu, Ke Sun, Henrique Kawakami and Rodrigo Branco for CVE-2018-3639 and CVE-2018-3640.

CVE Name: CVE-2018-3639, CVE-2018-3640