Intel Security Center, INTEL-SA-00290
Sep 10, 2019 - 12:00 a.m.

Partial Information Disclosure Advisory


Summary:

A potential security vulnerability in some microprocessors with Intel® Data Direct I/O Technology (Intel® DDIO) and Remote Direct Memory Access (RDMA) may allow partial information disclosure via adjacent access.

Vulnerability Details:

CVEID: CVE-2019-11184

Description: A race condition in specific microprocessors using Intel® DDIO cache allocation and RDMA may allow an authenticated user to potentially enable partial information disclosure via adjacent access.

CVSS Base Score: 2.6 Low

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Affected Products:

Intel® Xeon® E5, E7 and SP families that support DDIO and RDMA.

Recommendations:

Partial information potentially disclosed through exploitation of this vulnerability could be utilized to enhance unrelated attack methods. For published exploits that Intel is aware of, Intel recommends users follow existing best practices including:

Where DDIO & RDMA are enabled, limit direct access from untrusted networks.

The use of software modules resistant to timing attacks, using constant-time style code.

Security Best Practices For Side Channel Resistance:

<https://software.intel.com/security-software-guidance/insights/security-best-practices-side-channel-resistance>

Guidelines For Mitigating Timing Side Channels Against Cryptographic Implementations:

<https://software.intel.com/security-software-guidance/insights/guidelines-mitigating-timing-side-channels-against-cryptographic-implementations>
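
Added example (not part of Intel's advisory and not Intel tooling): a shell script that triages a Linux host for the two conditions the first recommendation depends on, an affected Xeon family and an active RDMA port, so that network access to such hosts can be reviewed. It assumes the family can be inferred from the "model name" string in /proc/cpuinfo and that RDMA ports appear under /sys/class/infiniband; it does not read the DDIO setting itself, and make_fixture builds a constructed sample host for an offline run.

```shell
#!/bin/sh
# Added example (not Intel's tooling): triage a Linux host for INTEL-SA-00290 exposure.
# Assumptions: CPU family is inferred from the /proc/cpuinfo "model name" string;
# RDMA ports are read from /sys/class/infiniband; the DDIO setting itself is not read.

# cpu_in_scope CPUINFO -> "yes" for Xeon E5/E7 or Xeon Scalable (SP) branding, else "no"
cpu_in_scope() {
    if grep -m1 '^model name' "$1" 2>/dev/null |
        grep -Eq 'Xeon.*(E5-|E7-|Platinum|Gold|Silver|Bronze)'; then
        echo yes
    else
        echo no
    fi
}

# rdma_ports SYSROOT -> one line per RDMA port: "<device> <port> <link_layer> <state>"
rdma_ports() {
    for port in "$1"/class/infiniband/*/ports/*; do
        [ -d "$port" ] || continue          # glob did not match: no RDMA devices
        dev=${port%/ports/*}
        printf '%s %s %s %s\n' "${dev##*/}" "${port##*/}" \
            "$(cat "$port/link_layer")" "$(sed 's/^[0-9]*: //' "$port/state")"
    done
}

# assess CPUINFO SYSROOT -> "review ..." only when both advisory conditions hold
assess() {
    active=$(rdma_ports "$2" | awk '$4 == "ACTIVE" { n++ } END { print n + 0 }')
    if [ "$(cpu_in_scope "$1")" = yes ] && [ "$active" -gt 0 ]; then
        echo "review: in-scope Xeon with $active active RDMA port(s)"
    else
        echo "ok: cpu_in_scope=$(cpu_in_scope "$1") active_rdma_ports=$active"
    fi
}

# make_fixture DIR: constructed sample host (not real data) for an offline run
make_fixture() {
    mkdir -p "$1/class/infiniband/mlx5_0/ports/1"
    printf 'model name\t: Intel(R) Xeon(R) CPU E5-2680 v4 @ 2.40GHz\n' > "$1/cpuinfo"
    echo 'Ethernet'  > "$1/class/infiniband/mlx5_0/ports/1/link_layer"
    echo '4: ACTIVE' > "$1/class/infiniband/mlx5_0/ports/1/state"
}

# With no arguments, inspect the live host; otherwise: script CPUINFO SYSROOT
assess "${1:-/proc/cpuinfo}" "${2:-/sys}"
```

A "review" result means the host meets both conditions and is a candidate for the network restriction above; an "ok" result does not establish that DDIO is disabled.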

Acknowledgements:

Intel would like to thank Michael Kurth, Ben Gras, Dennis Andriesse, Cristiano Giuffrida, Herbert Bos, and Kaveh Razavi from VU Amsterdam for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.