2020.2 IPU - Intel® RAPL Interface Advisory

Summary:

Potential security vulnerabilities in the Intel® Running Average Power Limit (RAPL) Interface may allow information disclosure.** **Intel is releasing microcode and Linux driver updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2020-8694

Description: Insufficient access control in the Linux kernel driver for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 5.6 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVEID: CVE-2020-8695

Description: Observable discrepancy in the RAPL interface for some Intel® Processors may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Products:

Product Collection

|

Vertical Segment

|

CPUID

—|—|—

8th Generation Intel® Core™ Processor Family

|

Mobile

|

806E9

10th Generation Intel® Core™ Processor Family

|

Mobile

|

806EC

8th Generation Intel® Core™ Processor Family

|

Mobile

|

906EA

9th Generation Intel® Core™ Processor Family

|

Mobile

|

906EC

8th Generation Intel® Core™ Processor Family

|

Desktop

|

906EA

9th Generation Intel® Core™ Processor Family

|

Desktop

|

906EC

Intel® Xeon® Processor E Family

|

Server Workstation AMT Server

|

906EA

8th Generation Intel® Core™ Processor Family

|

Mobile

|

806EA

8th Generation Intel® Core™ Processor Family Intel® Pentium® Gold Processor Series Intel® Celeron® Processor G Series

|

Desktop

|

906EB

Intel® Xeon® Processor E Family

|

Server Workstation AMT Server

|

906EA

8th Generation Intel® Core™ Processor Family

|

Desktop

|

906EA

9th Generation Intel® Core™ Processor Family

|

Desktop

|

906ED

9th Generation Intel® Core™ Processor Family

|

Desktop

|

906ED

10th Generation Intel® Core™ Processor Family

|

Mobile

|

A0660

10th Generation Intel® Core™ Processor Family

|

Mobile

|

A0661

10th Generation Intel® Core™ Processor Family

|

Mobile

|

806EC

10th Generation Intel® Core™ Processor Family

|

Desktop

|

A0653

10th Generation Intel® Core™ Processor Family

|

Mobile

|

A0655

10th Generation Intel® Core™ Processor Family

|

Mobile

|

A0652

Intel® Pentium® Processor Silver Series Intel® Celeron® Processor J Series Intel® Celeron® Processor N Series

|

Desktop Mobile Embedded

|

706A1

Intel® Pentium® Processor Silver Series Intel® Celeron® Processor J Series Intel® Celeron® Processor N Series

|

Desktop Mobile Embedded

|

706A8

10th Generation Intel® Core™ Processor Family

|

Mobile

|

706E5

8th Generation Intel® Core™ Processor Family

|

Mobile

|

906E9

7th Generation Intel® Core™ Processor Family

|

Mobile Embedded

|

906E9

8th Generation Intel® Core™ Processor Family

|

Mobile

|

806EA

7th Generation Intel® Core™ Processor Family

|

Desktop Embedded

|

906E9

7th Generation Intel® Core™ Processor Family

|

Mobile

|

806E9

7th Generation Intel® Core™

Processor Family

|

Mobile

|

806E9

Intel® Core™ X-series Processors

|

Desktop

|

906E9

Intel® Xeon® Processor E3 v6 Family

|

Server Workstation AMT Server

|

906E9

7th Generation Intel® Core™ Processor Family

|

Mobile

|

806E9

6th Generation Intel® Core™ Processor Family

|

Mobile

|

506E3

6th Generation Intel® Core™ Processor Family

|

Desktop Embedded

|

506E3

6th Generation Intel® Core™ Processors

|

Mobile

|

406E3

6th Generation Intel® Core™ Processor Family

|

Mobile

|

406E3

Intel® Xeon® Processor E3 v5 Family

|

Server Workstation AMT Server

|

506E3

6th Generation Intel® Core™ Processor Family

|

Mobile

|

406E3

8th Generation Intel® Core™ Processors

|

Mobile

|

806EB

8th Generation Intel® Core™ Processors

|

Mobile

|

806EC

Recommendations:

Intel recommends that users of affected Intel® Processors update to the latest firmware version provided by the system manufacturer that addresses this issue.

Intel recommends that users of affected Intel® Processors install the updates provided by their software vendors. In Linux, for the change to be effective it will require a reboot. If a reboot is not possible, Intel recommends changing the permissions of the affected sysfs attributes so that only privileged users can access them.

To address this issue, an SGX TCB recovery was performed in Q4 2020. Refer to Intel® SGX Attestation Technical Details for more information on the SGX TCB recovery process.

Additional Advisory Guidance on CVE-2020-8694, CVE-2020-8695 available here.

Acknowledgements:

CVE-2020-8694 and CVE-2020-8695 were found externally, Intel would like to thank:

Graz University of Technology: Moritz Lipp, Andreas Kogler, Daniel Gruss

CISPA Helmholtz Center for Information Security: Michael Schwarz

University of Birmingham: David Oswald.

CVE-2020-8695 was found internally by Intel employees. Intel would like to thank Chen Liu, Terry Wang, Neer Roggel, Ben Gras, Monodeep Kar, Bilgiday Yuce.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.