Lucene search

K
lenovoLenovoLENOVO:PS500179-L1-TERMINAL-FAULT-SIDE-CHANNEL-VULNERABILITIES-NOSID
HistoryAug 16, 2018 - 2:27 p.m.

L1 Terminal Fault Side Channel Vulnerabilities - Lenovo Support NL

2018-08-1614:27:00
support.lenovo.com
35

EPSS

0.002

Percentile

64.5%

Lenovo Security Advisory: LEN-24163

Potential Impact: Malicious code running locally may be able to observe contents of privileged memory, circumventing expected privilege levels

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646

Summary Description:

Intel has made Lenovo aware of vulnerabilities collectively named “L1 Terminal Fault” affecting certain Intel processors. Lenovo has already released new BIOSes addressing these vulnerabilities under LEN-22133, because Intel included fixes for L1 Terminal Fault in a cumulative microcode update at that time. This advisory is to disclose the L1 Terminal Fault vulnerabilities and recommend additional actions you should take to protect yourself.

Mitigation Strategy for Customers (what you should do to protect yourself):

There are three vulnerability variants, each attacking a different sub-component of the processor architecture:

CVE-2018-3615 affects SGX enclaves

  • Update BIOS per LEN-22133
  • Update OS
  • See Intel’s advisory and references for additional guidance on TCB reset and SGX application attestation

CVE-2018-3620 affects OS and SMM (System Management Mode)

CVE-2018-3646 affects VMMs (Virtual Machine Managers)

  • Update BIOS per LEN-22133
  • Update host OS (if applicable)
  • Update VMM
  • Update guest OSes (where possible)
  • For customers using Windows Server 2016+ or VMware ESXi/vSphere/bare-metal hypervisor, enable VMM scheduler enhancements and keep hyperthreading enabled.
  • For all others, Intel suggests keeping hyperthreading enabled where you are confident all guest VMs that can end up sharing a processor core have OS mitigations applied. However, if unmitigated VMs are present, you should consider disabling hyperthreading to prevent VM-to-VM attacks. This is most likely in multi-tenant IaaS public and private cloud server environments where the VMM has not been updated to provide alternate means of isolation.