== TSX Asynchronous Abort (TAA, CVE-2019-11135), Intel® Processor Machine Check Error (MCEPSC, CVE-2018-12207), and i915 graphics (CVE-2019-0155, CVE-2019-0154) vulnerabilities ==

=== TSX Asynchronous Abort (TAA, CVE-2019-11135) vulnerability ===

Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Giorgi Maisuradze, Moritz Lipp, Michael Schwarz, Daniel Gruss and Jo Van Bulck discovered that memory contents previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core via a speculative execution side-channel, a vulnerability similar to [[ SecurityTeam/KnowledgeBase/MDS | Microarchitectural Data Sampling (MDS) ]]. The TSX Asynchronous Abort (TAA) vulnerability allows an attacker to access the same buffers (store buffer, fill buffer, load port writeback data bus) as MDS, but through Intel® Transactional Synchronization Extensions (Intel® TSX). As a result, unintended memory exposure can occur between userspace processes, between the kernel and userspace, between virtual machines, or between a virtual machine and the host environment.

This issue only affects processors that support Intel® TSX. For processors that support Intel® TSX and were previously affected by MDS, the existing MDS buffer clearing mitigations also mitigate TAA, and no additional mitigations are needed. For processors that support Intel® TSX and were not affected by MDS, TAA is mitigated by disabling Intel® TSX. Deployments that require Intel® TSX can enable it with the `tsx=on` kernel command-line parameter; in that case, microarchitectural buffer clearing mitigations, such as those used to mitigate MDS, will be used to mitigate TAA.
Mitigations for processors vulnerable to TAA are provided by a combination of processor microcode and Linux kernel updates. For more details, including affected processor families, please see the [[ https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort | Intel TAA Deep Dive ]]. For details on how to check the system status and configure the software mitigations, please see the [[ https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html | Linux Kernel TSX Asynchronous Abort Admin Guide ]].

=== Intel® Processor Machine Check Error (MCEPSC, CVE-2018-12207) vulnerability ===

Intel researchers discovered that a race condition existed in the Translation Lookaside Buffer (TLB) when converting 4K pages to 2MB or larger pages (called hugepages in Linux kernel parlance) that could generate a Machine Check Exception (MCE), resulting in a denial of service (system hang or shutdown). A malicious virtual machine could use this flaw to generate an MCE, resulting in a denial of service of the host OS, including all other virtual machines. There is no known attack vector when virtualization is not in use. Mitigations for this issue are provided through updates to the Linux kernel.

This issue is also known as Machine Check Exception on Page Size Changes (MCEPSC) and is tracked by Intel as INTEL-SA-00210. The Linux kernel refers to this issue as iTLB multihit.
For more details, including affected processor families, please see the [[ https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change-0 | Intel MCEPSC Deep Dive ]]. For details on how to check the system status and configure the software mitigations, please see the [[ https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html | Linux Kernel iTLB Multihit Admin Guide ]].

=== Intel i915 graphics (CVE-2019-0155, CVE-2019-0154) vulnerabilities ===

==== CVE-2019-0154 ====

Intel researchers discovered that Intel graphics processors could cause a system hang when userspace performed a read from GT memory mapped input output (MMIO) while the product is in certain low power states. A local user could use this to cause a denial of service (system hang). Mitigations for this issue are provided through updates to the firmware for the graphics processor and the kernel drivers.

==== CVE-2019-0155 ====

Intel researchers discovered that Intel graphics processors allowed userspace to modify page table entries via writes to MMIO from the Blitter Command Streamer and exposed kernel memory information, resulting in possible privilege escalation and information disclosure vulnerabilities. A local user could use this issue to escalate their privileges on the local machine. Mitigations for this issue are provided through updates to the kernel drivers.

It was later discovered that the proposed fixes for this issue were incomplete in Ubuntu 64-bit x86 kernels. A [[ https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1852141 | followup update ]] was issued for affected kernels.

== Mitigations ==

=== Updates ===

Ubuntu users are recommended to update to the latest kernel and intel-microcode updates.
The majority of users should ensure that the following kernel packages are installed:

|| '''Ubuntu Release''' || '''Base Kernel''' || '''Enablement Kernel''' ||
|| 19.10 || [[ https://launchpad.net/ubuntu/+source/linux/5.3.0-23.25 | linux-image-5.3.0-23-generic 5.3.0-23.25 ]] || N/A ||
|| 19.04 || [[ https://launchpad.net/ubuntu/+source/linux/5.0.0-36.39 | linux-image-5.0.0-36-generic 5.0.0-36.39 ]] || N/A ||
|| 18.04 LTS || [[ https://launchpad.net/ubuntu/+source/linux/4.15.0-70.79 | linux-image-4.15.0-70-generic 4.15.0-70.79 ]] || [[ https://launchpad.net/ubuntu/+source/linux-hwe/5.0.0-36.39~18.04.1 | linux-image-5.0.0-36-generic 5.0.0-36.39~18.04.1 ]] ||
|| 16.04 LTS || [[ https://launchpad.net/ubuntu/+source/linux/4.4.0-169.198 | linux-image-4.4.0-169-generic 4.4.0-169.198 ]] || [[ https://launchpad.net/ubuntu/+source/linux-hwe/4.15.0-70.79~16.04.1 | linux-image-4.15.0-70-generic 4.15.0-70.79~16.04.1 ]] ||
|| 14.04 ESM || linux-image-3.13.0-175-generic 3.13.0-175.226 || linux-image-4.4.0-168-generic 4.4.0-168.197~14.04.1 ||
|| 12.04 ESM || linux-image-3.2.0-144-generic 3.2.0-144.191 || linux-image-3.13.0-175-generic 3.13.0-175.226~12.04.1 ||

For more details, refer to the following Ubuntu Security Notices:

|| '''Ubuntu Release''' || '''Base Kernel''' || '''Enablement Kernel''' ||
|| 19.10 || [[ https://usn.ubuntu.com/4183-1/ | USN-4183-1 ]] || N/A ||
|| 19.04 || [[ https://usn.ubuntu.com/4184-1/ | USN-4184-1 ]] || N/A ||
|| 18.04 LTS || [[ https://usn.ubuntu.com/4185-1/ | USN-4185-1 ]] || [[ https://usn.ubuntu.com/4184-1/ | USN-4184-1 ]] ||
|| 16.04 LTS || [[ https://usn.ubuntu.com/4186-1/ | USN-4186-1 ]] || [[ https://usn.ubuntu.com/4185-1/ | USN-4185-1 ]] ||
|| 14.04 ESM || [[ https://usn.ubuntu.com/4187-1/ | USN-4187-1 ]] || [[ https://usn.ubuntu.com/4186-2/ | USN-4186-2 ]] ||
|| 12.04 ESM || [[ https://usn.ubuntu.com/4188-1/ | USN-4188-1 ]] || [[ https://usn.ubuntu.com/4188-1/ | USN-4188-1 ]] ||

Users of other Ubuntu kernels should consult the [[ https://usn.ubuntu.com/ | Ubuntu Security Notices ]] for specific version information.

Due to the complexity of the changes involved in mitigating this hardware vulnerability, a livepatch will not be available via the [[ https://www.ubuntu.com/server/livepatch | Canonical Livepatch Service ]].

Ubuntu users with Intel processors should ensure that the following `intel-microcode` packages are installed:

|| '''Release''' || '''intel-microcode Version''' ||
|| 19.10 || [[ https://launchpad.net/ubuntu/+source/intel-microcode/3.20191112-0ubuntu0.19.10.2 | intel-microcode 3.20191112-0ubuntu0.19.10.2 ]] ||
|| 19.04 || [[ https://launchpad.net/ubuntu/+source/intel-microcode/3.20191112-0ubuntu0.19.04.2 | intel-microcode 3.20191112-0ubuntu0.19.04.2 ]] ||
|| 18.04 LTS || [[ https://launchpad.net/ubuntu/+source/intel-microcode/3.20191112-0ubuntu0.18.04.2 | intel-microcode 3.20191112-0ubuntu0.18.04.2 ]] ||
|| 16.04 LTS || [[ https://launchpad.net/ubuntu/+source/intel-microcode/3.20191112-0ubuntu0.16.04.2 | intel-microcode 3.20191112-0ubuntu0.16.04.2 ]] ||
|| 14.04 ESM || intel-microcode 3.20191112-0ubuntu0.14.04.2 ||
|| 12.04 ESM || Not available; please consult your hardware vendor's website for a BIOS update containing new microcode ||

For more details, users of the standard support Ubuntu releases (19.10, 19.04, 18.04 LTS, 16.04 LTS) should refer to [[ https://usn.ubuntu.com/USN-4182-1 | USN-4182-1 ]], while users of Ubuntu 14.04 ESM should refer to [[ https://usn.ubuntu.com/USN-4182-2 | USN-4182-2 ]].

=== Public Cloud Image updates ===

 * Amazon AWS:
 * Windows Azure:
 * Google Compute Engine:
 * Ubuntu Core Images:

Cloud Images dailies will start appearing within 4 hours of the USN announcement. At the direction of the security team, the Cloud Image Team will start manually releasing new images to the public cloud.

== Checking System Status ==

Updated Ubuntu kernels have the ability to report how the system is currently affected by TAA and MCEPSC.
You must apply the latest kernel updates and reboot before the kernel can indicate the status of each issue.

=== TSX Asynchronous Abort (TAA, CVE-2019-11135) Status ===

To check your system, read the contents of the `/sys/devices/system/cpu/vulnerabilities/tsx_async_abort` file.

Processors that aren't vulnerable to TAA will report the following:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Not affected
}}}

You may encounter a situation where you have an updated Ubuntu kernel but you don't have updated microcode. This could occur if you've not updated to the latest `intel-microcode` package or if Intel has not released new microcode for your processor. You'll see the following in this situation:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable
}}}

On systems that support disabling TSX, it will be specified as the mitigation for TAA:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Mitigation: TSX disabled
}}}

When TSX cannot be disabled, or if TSX has been explicitly enabled by the system administrator, processors that have Hyper-Threading support will indicate that SMT is vulnerable:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Mitigation: Clear CPU buffers; SMT vulnerable
}}}

When TSX cannot be disabled, or if TSX has been explicitly enabled by the system administrator, and Intel Hyper-Threading is not supported or has been disabled, the file will contain the following contents:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Mitigation: Clear CPU buffers; SMT disabled
}}}

The kernel is unable to reliably determine whether Hyper-Threading is enabled when running in a virtual environment.
Updated host kernel packages, updated host `qemu` packages with proper configuration to pass through the host CPU type to the guest, and updated guest kernel packages will show the following status inside of the virtual environment:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Mitigation: Clear CPU buffers; SMT Host state unknown
}}}

The examples above cover the most common situations. Please see the [[ https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html | Linux Kernel TAA Admin Guide ]] for additional, less common situations.

=== Intel® Processor Machine Check Error (MCEPSC, CVE-2018-12207) Status ===

To check your system, read the contents of the `/sys/devices/system/cpu/vulnerabilities/itlb_multihit` file. The lack of the `itlb_multihit` file indicates that the kernel is not updated and that the system is most likely vulnerable to MCEPSC. In general, all non-Atom processors that support Extended Page Tables (EPT) are vulnerable. The full list is documented in the [[ https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change-0 | Intel MCEPSC Deep Dive ]].

Processors that aren't vulnerable to MCEPSC will report the following:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/itlb_multihit
Not affected
}}}

The following example indicates that MCEPSC is mitigated:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/itlb_multihit
KVM: Mitigation: Split huge pages
}}}

The file will indicate that the system is vulnerable when the MCEPSC mitigation is disabled:

{{{
$ cat /sys/devices/system/cpu/vulnerabilities/itlb_multihit
KVM: Vulnerable
}}}

The examples above cover the most common situations. Please see the [[ https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html | Linux Kernel iTLB Multihit Admin Guide ]] for additional, less common situations.
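The status strings shown above for TAA and MCEPSC can be checked in one pass. The following POSIX shell script is an added example and not part of this wiki page or of any Ubuntu tooling; the function names, the one-word classification labels and the `SYSFS_VULN_DIR` override (used so the classifier can be exercised against constructed files instead of the live sysfs) are this example's own choices.

```shell
#!/bin/sh
# Added example: classify the sysfs status lines documented on this page.
# SYSFS_VULN_DIR defaults to the real sysfs path; override it for testing.
SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_taa STATUS -> one word summarising a tsx_async_abort line.
classify_taa() {
    case "$1" in
        "Not affected")                       echo not-affected ;;
        "Mitigation: TSX disabled")           echo mitigated-tsx-off ;;
        "Mitigation: Clear CPU buffers; SMT disabled")
                                              echo mitigated ;;
        "Mitigation: Clear CPU buffers; SMT vulnerable")
                                              echo mitigated-smt-vulnerable ;;
        "Mitigation: Clear CPU buffers; SMT Host state unknown")
                                              echo mitigated-host-smt-unknown ;;
        # Updated kernel but no updated microcode (intel-microcode missing
        # or not released for this CPU): the page's "no microcode" line.
        Vulnerable*"no microcode"*)           echo needs-microcode ;;
        Vulnerable*)                          echo vulnerable ;;
        *)                                    echo unrecognised ;;
    esac
}

# classify_multihit STATUS -> one word summarising an itlb_multihit line.
classify_multihit() {
    case "$1" in
        "Not affected")                       echo not-affected ;;
        "KVM: Mitigation: Split huge pages")  echo mitigated ;;
        "KVM: Vulnerable")                    echo vulnerable ;;
        *)                                    echo unrecognised ;;
    esac
}

# report_status NAME CLASSIFIER -> reads $SYSFS_VULN_DIR/NAME and classifies
# it. A missing file means the running kernel predates the fix, which the
# page treats as "most likely vulnerable".
report_status() {
    f="$SYSFS_VULN_DIR/$1"
    if [ ! -r "$f" ]; then
        echo kernel-not-updated
        return 0
    fi
    "$2" "$(cat "$f")"
}

main() {
    echo "tsx_async_abort: $(report_status tsx_async_abort classify_taa)"
    echo "itlb_multihit:   $(report_status itlb_multihit classify_multihit)"
}
```

Run `main` after sourcing the script; anything other than `not-affected` or one of the `mitigated*` labels means the kernel, microcode or guest CPU passthrough still needs attention.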
== References ==

For more information on these issues, please see the following reference documents:

 * [[ https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/ | Intel November 2019 Platform Update Overview ]]
 * [[ https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort | Intel TAA Deep Dive ]]
 * [[ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00210.html | Intel Security Advisory INTEL-SA-00210 ]]
 * [[ https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change-0 | Intel MCEPSC Deep Dive ]]
 * [[ https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html | Linux Kernel TSX Asynchronous Abort Admin Guide ]]
 * [[ https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html | Linux Kernel iTLB Multihit Admin Guide ]]

== Timeline ==

 * 2019-11-12: Issues became public