Basic search

K
f5F5F5:K80159635
HistoryMay 15, 2019 - 12:00 a.m.

K80159635 : Microarchitectural Fill Buffer Data Sampling (MFBDS) CVE-2018-12130

2019-05-1500:00:00
my.f5.com
30

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

4.7 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N

0.001 Low

EPSS

Percentile

24.0%

Security Advisory Description

Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2018-12130)

Impact

MDS vulnerabilities are exploitable by malicious non-privileged user space applications running on hosts or guests, or malicious guest operating systems. These require an attacker who can provide and run binary code of their choosing on the BIG-IP platform. CPU hardware may allow this unprivileged code running on a CPU core to infer the value of memory data belonging to other processes, virtual machines, or the hypervisor recently running on the same CPU core. The MDS vulnerability does not allow the attacker to control the memory target address; impact is purely sample based.

Currently, BIG-IP does not check the integrity of user space applications. However, the attacker must have authorized access to the system in one of the privileged roles to attempt to exploit the vulnerabilities. These conditions severely restrict the exposure risk of BIG-IP products.

For single-tenancy products, such as a standalone BIG-IP system, or multi-tenancy environments (Cloud/VE/vCMP) the risk is limited to the local, untrusted application or untrusted guest accessing memory outside its own user space on a sample basis.

The following F5 hardware platforms are vulnerable to CVE-2018-12130:

Note: Only one entry displays for platform models that may have several variants. For example, BIG-IP i2600 and BIG-IP i2800 are both included as BIG-IP i2x00 series.

  • BIG-IP 10xx0 series
  • BIG-IP 12xx0 series
  • VIPRION B2250
  • VIPRION B44x0N
  • BIG-IP i2x00 series
  • BIG-IP i4x00 series
  • BIG-IP i5x00 series
  • BIG-IP i7x00 series
  • BIG-IP i10x00 series
  • BIG-IP i11x00 series
  • BIG-IP i15x00 series
  • Enterprise Manager 4000
  • BIG-IQ 7000

5.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

4.7 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:C/I:N/A:N

0.001 Low

EPSS

Percentile

24.0%

Related for F5:K80159635