HP Product Security Response Team | HP:C06114399
Aug 14, 2018 - 12:00 a.m.

HPSBHF03590 rev. 2 - L1 Terminal Fault (L1TF)

support.hp.com
EPSS: 0.0005 (Low), percentile 15.0%

Potential Security Impact

Unauthorized exposure of privileged data from memory.

Source: HP, HP Product Security Response Team (PSRT), Intel

Reported By: Intel

VULNERABILITY SUMMARY

A new speculative execution side-channel variant called L1 Terminal Fault (L1TF) has been discovered. There are no reports that L1TF has been used in real-world exploits. It currently affects select Intel processors. Mitigation requires the microcode updates released earlier this year, plus operating system and hypervisor software updates. In some cases, Intel and Microsoft guidance suggests additional mitigations; see their bulletins for more information.

More information is available at the following links:

RESOLUTION

The mitigation requires 2 to 4 steps, depending on whether a hypervisor is being used.

  1. Intel CPU microcode was patched with an update released earlier this year. The first BIOS versions containing this update are listed in this HP Security Bulletin: Derivative Side-Channel Analysis Method. Subsequent BIOS firmware versions also contain this patched Intel microcode. Ensure you have updated to the latest BIOS.

  2. Follow the instructions from your operating system provider. For Microsoft Windows, this Security Advisory (in English) has more details. Microsoft has made patches available via Windows Update. Other operating system providers are also releasing updates. Refer to their websites for more information on patches and guidance.

  3. If you are using a hypervisor (e.g. Hyper-V), refer to your hypervisor provider for possible updates.

  4. In some cases, Intel and Microsoft guidance suggests additional mitigation for systems with hyper-threading; see their bulletins for more information. If a BIOS Administrator password has been installed, you will need to know that password.

For HP commercial platforms in a managed environment, this BIOS setting change can be performed using either the HP Manageability Integration Kit plug-in to Microsoft SCCM (<https://ftp.hp.com/pub/caps-softpaq/cmit/HPMIK.html>) or the HP BIOS Configuration Utility (<https://ftp.hp.com/pub/caps-softpaq/cmit/HP_BCU.html>).

Alternatively, this BIOS setting can be changed by restarting the PC and pressing F10 until the BIOS administration screen appears, before the PC boots into the operating system. The exact location and option name change across generations and types of commercial platforms:

2015 and later: Navigate to the Advanced tab at the top of the menu and select System Options. Then select Hyperthreading and click to remove the checkmark for this setting.

2014 Notebooks: Navigate to the Advanced tab at the top of the menu and select Device Configuration. Then select Intel HT Technology and click to remove the checkmark for this setting.

2014 Desktops: Navigate to the Advanced tab at the top of the menu and select Device Options. Then select Hyperthreading and press the space bar to disable this setting.

Refer to <https://www.intel.com/content/www/us/en/architecture-and-technology/hyper-threading/hyper-threading-technology.html> (in English) for more details on Intel hyper-threading technology.
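
A read-only check that the resolution steps above took effect on a Windows PC, as an added example (not HP's or Microsoft's code). It assumes HP's BIOS WMI provider is present (namespace root\HP\InstrumentedBIOS, class HP_BIOSEnumeration with a CurrentValue property) and, optionally, that Microsoft's SpeculationControl module is installed.

```powershell
# Added example: read-only audit of the state the resolution steps should produce.
# Run in an elevated PowerShell session on the PC being checked.

# Step 1: installed BIOS version and the microcode revision the CPU is running.
$bios   = Get-CimInstance -ClassName Win32_BIOS
$cpuReg = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
$raw    = [byte[]]$cpuReg.'Update Revision'
# 8-byte value; the revision is read from the upper four bytes.
$ucode  = if ($raw.Length -ge 8) { '0x{0:X}' -f [BitConverter]::ToUInt32($raw, 4) } else { 'unknown' }

# Step 2: OS-level L1TF status, if Microsoft's SpeculationControl module is installed.
$osStatus = $null
if (Get-Command -Name Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
    $osStatus = Get-SpeculationControlSettings | Select-Object -Property L1TF*
}

# Step 4: hyper-threading. More logical processors than cores means it is still on.
$cpus    = @(Get-CimInstance -ClassName Win32_Processor)
$cores   = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
$logical = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum

# Assumption: HP BIOS WMI provider. The option name differs by platform generation
# ("Hyperthreading" or "Intel HT Technology"), so match both.
$htBios = Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' -ClassName HP_BIOSEnumeration -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'Hyperthreading|HT Technology' } |
    Select-Object -First 1

[pscustomobject]@{
    BiosVersion        = $bios.SMBIOSBIOSVersion
    BiosReleaseDate    = $bios.ReleaseDate
    MicrocodeRevision  = $ucode
    Cores              = $cores
    LogicalProcessors  = $logical
    HyperThreadingOn   = ($logical -gt $cores)
    BiosHtSettingName  = $htBios.Name
    BiosHtSettingValue = $htBios.CurrentValue
    OsL1tfStatus       = $osStatus
} | Format-List
```

The reported BIOS version still has to be compared by hand against the versions listed in the referenced HP Security Bulletin, and hypervisor updates (step 3) are not covered by this check.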