Arch Linux Security Advisory ASA-201911-14
==========================================

Severity: High
Date    : 2019-11-13
CVE-ID  : CVE-2019-0117 CVE-2019-11135 CVE-2019-11139
Package : intel-ucode
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1068

Summary
=======

The package intel-ucode before version 20191112-1 is vulnerable to
multiple issues including information disclosure, private key recovery
and denial of service.

Resolution
==========

Upgrade to 20191112-1.

# pacman -Syu "intel-ucode>=20191112-1"

The problems have been fixed upstream in version 20191112.

Workaround
==========

None.

Description
===========

- CVE-2019-0117 (information disclosure)

A flaw was found in the implementation of SGX around the access control
of protected memory. A local attacker of a system with SGX enabled and
an affected intel GPU with the ability to execute code is able to infer
the contents of the SGX protected memory.

- CVE-2019-11135 (private key recovery)

A flaw was found in the way Intel CPUs handle speculative execution of
instructions when the TSX Asynchronous Abort (TAA) error occurs. A
local authenticated attacker with the ability to monitor execution
times could infer the TSX memory state by comparing abort execution
times. This could allow information disclosure via this observed side-
channel for any TSX transaction being executed while an attacker is
able to observe abort timing. Intel's Transactional Synchronisation
Extensions (TSX) are set of instructions which enable transactional
memory support to improve performance of the multi-threaded
applications, in the lock-protected critical sections. The CPU executes
instructions in the critical-sections as transactions, while ensuring
their atomic state. When such transaction execution is unsuccessful,
the processor cannot ensure atomic updates to the transaction memory,
so the processor rolls back or aborts such transaction execution. While
TSX Asynchronous Abort (TAA) is pending, CPU may continue to read data
from architectural buffers and pass it to the dependent speculative
operations. This may cause information leakage via speculative side-
channel means, which is quite similar to the Microarchitectural Data
Sampling (MDS) issue.

This mitigation is only effective using one the follow linux kernels:
v3.16.77, v4.4.202, v4.9.202, v4.14.154, v4.19.84 or v5.3.11.

- CVE-2019-11139 (denial of service)

It was discovered that certain Intel Xeon processors did not properly
restrict access to a voltage modulation interface. A local privileged
attacker could use this to cause a denial of service (system crash).

Impact
======

A local unprivileged attacker with access to an affected GPU can read
protected memory on an SGX enclave. Further, an attacker can infer the
contents of TPM keys using side-channel attacks. Finally, an attacker
can crash the system by accessing the voltage modulator interface on
certain Xeon processors.

References
==========

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00219.html
https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html
https://security.archlinux.org/CVE-2019-0117
https://security.archlinux.org/CVE-2019-11135
https://security.archlinux.org/CVE-2019-11139