Intel ID: INTEL-SA-00329
Advisory Category: Hardware
Impact of vulnerability: Information Disclosure
Severity rating: MEDIUM
Original release: 01/27/2020
Last revised: 01/27/2020
Summary:
Potential security vulnerabilities in some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.
Vulnerability Details:
CVEID: CVE-2020-0548
Description: Cleanup errors in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 2.8 Low
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
CVEID: CVE-2020-0549
Description: Cleanup errors in some data cache evictions for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected Products:
A list of impacted products can be found here.
Recommendations:
Intel will release Intel® Processor microcode updates to our customers and partners as part of our regular Intel Platform Update (IPU) process.
Intel recommends that users of affected Intel® Processors check with their system manufacturers and system software vendors and update to the latest microcode update when available.
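One way to confirm which microcode revision a Linux host is actually running after applying the update recommended above (an added example, not Intel's code). It assumes the `microcode` field that Linux exposes in /proc/cpuinfo on x86; the sample text and the `REQUIRED_MIN` value are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in Linux /proc/cpuinfo layout; not data from a real host.
SAMPLE_CPUINFO = """\
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 142
stepping : 10
microcode : 0xb4

processor : 1
vendor_id : GenuineIntel
cpu family : 6
model : 142
stepping : 10
microcode : 0xca
"""

# Placeholder only: take the real minimum revision for your CPU signature
# from your system manufacturer's or Intel's microcode update guidance.
REQUIRED_MIN = {(6, 142, 10): 0xCA}


def parse_cpuinfo(text):
    """Return (cpu_number, (family, model, stepping), microcode_rev) per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                f[key.strip()] = value.strip()
        if f.get("vendor_id") != "GenuineIntel" or "microcode" not in f:
            continue  # other vendors, or kernels that do not expose the field
        sig = (int(f["cpu family"]), int(f["model"]), int(f["stepping"]))
        cpus.append((int(f["processor"]), sig, int(f["microcode"], 16)))
    return cpus


def audit(text, required=REQUIRED_MIN):
    """List CPUs below the required revision and flag mixed revisions across CPUs."""
    cpus = parse_cpuinfo(text)
    outdated = [(n, hex(rev)) for n, sig, rev in cpus
                if sig in required and rev < required[sig]]
    unknown = sorted({sig for _, sig, _ in cpus if sig not in required})
    mixed = len({(sig, rev) for _, sig, rev in cpus}) > len({sig for _, sig, _ in cpus})
    return {"outdated": outdated, "unknown_signatures": unknown, "mixed_revisions": mixed}
```

On a real host, pass the contents of /proc/cpuinfo to `audit()`; a signature reported under `unknown_signatures` has no entry in the table and needs a minimum revision looked up before it can be judged.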
Additional technical details about these vulnerabilities can be found at:
L1D Eviction Sampling
Vector Register Sampling
Acknowledgements:
Intel would like to thank the following individuals for finding, reporting and coordinating these vulnerabilities to us.
Intel thanks TU Graz and KU Leuven for disclosure of CVE-2020-0549.
Graz University of Technology: Moritz Lipp, Michael Schwarz, Daniel Gruss.
KU Leuven: Jo Van Bulck.
Intel thanks VU Amsterdam for disclosure of CVE-2020-0548 and CVE-2020-0549.
VUSec group at VU Amsterdam: Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida.
Researchers from TU Graz and KU Leuven provided Intel with a Proof of Concept (POC) in May 2019, and researchers from VU Amsterdam provided a Proof of Concept (POC) in October 2019. Intel subsequently confirmed that each submission demonstrates CVE-2020-0549 individually.
Revision History
Revision | Date | Description
1.0 | 01/27/2020 | Initial Release