New
#1
Should we all rush to install this for Intel CPUs?
Released: Apr 9, 2024
Last updated: Apr 11, 2024
Assigning CNA: Intel Corporation
CVE-2022-0001
Impact: Information Disclosure Max Severity: Important
Weakness: CWE-1303: Non-Transparent Sharing of Microarchitectural Resources
CVSS Source: Intel Corporation
CVSS: 3.1 4.7 / 4.1
Executive Summary
This CVE was assigned by Intel. Please see CVE-2022-0001 on CVE.org for more information.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
Publicly disclosed Exploited Exploitability assessment No No Exploitation Less Likely
FAQ
Why is this Intel CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in certain processor models offered by Intel and was initially disclosed March 8, 2022. Intel published updates April 9, 2024 and this CVE is being documented in the Security Update Guide to inform customers of the available mitigation and its potential performance impact. The mitigation for this vulnerability is disabled by default and manual action is required for customers to be protected.
The following documentation was updated by Intel on April 9, 2024 and can be referenced for more information:
What steps are required to protect my system against the vulnerability?
We are providing the following registry information to enable the mitigations for this CVE.
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry see How to back up and restore the registry in Windows.
To enable the mitigation for CVE-2022-0001 on Windows devices and clients using Intel Processors:
Code:reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x00800000 /f Code:reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x00000003 /f
REG file for the above:
Add: Download
Undo: Download
Customers who wish to implement the mitigation within their systems can also refer to the following for more information.
- Windows Server and Azure Stack HCI customers: See Microsoft Knowledge Base Article 4072698
- Windows client guidance for IT Pros: See Microsoft Knowledge Base Article 4073119
- Windows Device customers: See Microsoft Knowledge Base Article 4073757
To enable the mitigation for CVE-2022-0001 on Linux devices and clients using Intel Processors:
- Specify spectre_bhi=on on the kernel command line. For more information about kernel command-line parameters see https://www.kernel.org/doc/html/late...arameters.html
Can I expect any performance impact after I configure the registry keys?
In some cases, installing these updates will have a performance impact. In testing Microsoft has seen some performance impact with this mitigation. Microsoft values the security of its software and services but made the decision to allow users and administrators to evaluate the performance impact and risk exposure before deciding to enable the mitigation.
https://msrc.microsoft.com/update-gu.../CVE-2022-0001
Hello Steve,
If your Intel CPU is listed as affected below, then it would be recommended to install the workaround.
Access Denied
"Microsoft values the security of its software and services but made the decision to allow users and administrators to evaluate the performance impact and risk exposure before deciding to enable the mitigation."
In other words, neither Microsoft nor Intel are prepared to take joint or single responsibility so... it's up to you, end-users, what you want to do about their failings to construct and implement a secure environment.
I guess we're just easier to blame when it goes wrong.