Reading Privileged Memory with a Side Channel - US

ID: LENOVO:PS500151-NOSID
Date: 2018-10-24 12:22:52
Source: support.lenovo.com

CVSS3: 5.6 Medium

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 4.7 Medium

  • Access Vector: LOCAL
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N

EPSS: 0.976 High (Percentile: 100.0%)

Lenovo Security Advisory: LEN-18282

Potential Impact: Malicious code running locally may be able to observe contents of privileged memory, circumventing expected privilege levels.

Severity: High

Scope of Impact: Industry-wide

CVE Identifier:

“Spectre” CVE-2017-5753, CVE-2017-5715
“Meltdown” CVE-2017-5754

Summary Description:

Lenovo is aware of vulnerabilities regarding certain processors nicknamed “Spectre” and “Meltdown” by their discoverers. Both are “side channel” exploits, meaning they do not access protected data directly, but rather induce the processor to operate in a specific way, and observe execution timing or other externally visible characteristics to infer the protected data.

We are working continuously with our processor, operating system, and component suppliers to incorporate fixes as we receive them. Lenovo will update this page frequently as fixes are released and new information emerges. Please check back often.

Mitigation Strategy for Customers (what you should do to protect yourself):

There are three related vulnerability variants. All require operating system updates to address. One requires processor microcode updates (see product impact section below).

Variant 1: Bounds check bypass (CVE-2017-5753)

  • Requires operating system updates
  • May require driver and/or application updates
  • Vulnerable to Spectre attack

Variant 2: Branch target injection (CVE-2017-5715)

  • Requires processor microcode updates
  • Requires operating system updates
  • May require driver and/or application updates
  • Vulnerable to Spectre attack

Variant 3: Rogue data cache load (CVE-2017-5754)

  • Requires operating system updates
  • Vulnerable to Meltdown attack

We recommend updating OS and firmware as soon as updates are available. For PCs, go to <https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe> to get the latest OS patches.
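One way to check a Linux host against the three variants listed above, as an added example that is not part of Lenovo's advisory. It assumes the kernel's `/sys/devices/system/cpu/vulnerabilities` status files (Linux 4.15 and later); the function names are hypothetical, the sample strings are constructed, and the IBPB test is a heuristic for missing microcode rather than a definitive check.

```python
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"  # Linux 4.15+ status files
# sysfs file -> (advisory variant, CVE, needs microcode per the advisory)
VARIANTS = {
    "spectre_v1": ("Variant 1", "CVE-2017-5753", False),
    "spectre_v2": ("Variant 2", "CVE-2017-5715", True),
    "meltdown": ("Variant 3", "CVE-2017-5754", False),
}

def classify(status):
    """Reduce a kernel status string to one of four states."""
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if status.startswith(prefix):
            return state
    return "unknown"  # empty or unrecognised: treat as unpatched

def audit(base=SYSFS_DIR):
    """Return one finding per variant with the updates still required."""
    findings = []
    for fname, (variant, cve, needs_ucode) in VARIANTS.items():
        try:
            with open(os.path.join(base, fname)) as fh:
                status = fh.read().strip()
        except OSError:
            status = ""  # file absent: kernel predates the reporting interface
        state = classify(status)
        todo = []
        if state in ("vulnerable", "unknown"):
            todo.append("operating system update")
        # Heuristic (assumption): the kernel names IBPB in this string only when
        # the CPU exposes it, which on affected parts came with new microcode.
        if needs_ucode and state != "not_affected" and "IBPB" not in status:
            todo.append("BIOS/UEFI firmware (microcode) update")
        findings.append({"variant": variant, "cve": cve, "state": state,
                         "status": status, "todo": todo})
    return findings

def write_sample(base):
    """Constructed status strings for an offline run (not from a real host)."""
    samples = {"spectre_v1": "Mitigation: __user pointer sanitization",
               "spectre_v2": "Mitigation: Full generic retpoline",
               "meltdown": "Vulnerable"}
    for name, text in samples.items():
        with open(os.path.join(base, name), "w") as fh:
            fh.write(text + "\n")
```

Calling `audit()` with no argument reads the live sysfs directory; pass a directory populated by `write_sample()` to try it offline.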

Prior to patching and firmware update, you can limit your risk by following the usual security best practices to prevent an attacker from running code locally on your system. For example: limit access to only known and trusted users; install only well-vetted, trusted applications; visit only reputable web sites with minimal obtrusive advertising and content pulled in from other sources; and, if feasible, turn off JavaScript in your browser.

Product Impact:

CPU Microcode Updates: Intel and AMD provide to Lenovo the CPU microcode updates required to address Variant 2, which Lenovo then incorporates into BIOS/UEFI firmware. We are building and testing BIOS/UEFI firmware packages as we receive new microcode from Intel and AMD. New firmware packages will be added to the product tables as they become ready.

Anti-Virus Blocking Microsoft Windows Updates: Microsoft has found some anti-virus products conflict with their OS patches (<https://support.microsoft.com/help/4072698>). Microsoft blocks installation of those patches until the anti-virus product has been updated or removed. Please see <https://support.microsoft.com/en-us/help/4072699> for information on how to unblock the installation.

NVIDIA GPU Device Drivers: Lenovo has become aware that NVIDIA GPU drivers and software (running on the host CPU, not the GPU) are vulnerable to CVE-2017-5753 and CVE-2017-5715 (Spectre). Please see Lenovo advisory LEN-16730 for more information and updates.

Web Browsers: Google, Microsoft, and Mozilla have reported it is possible to use aspects of these vulnerabilities within their web browser applications. Please see these references for more information and updates:

CLIENT SYSTEMS

The following guidance is specific to Lenovo Personal Computing (PCSD) offerings.

CPU Microcode Updates: Based on customer feedback, we are also integrating additional BIOS fixes such as Intel AMT MEBx bypass updates. All side channel related updates continue to be listed on this advisory.
