Lenovo LENOVO:PS500247-NOSID
May 14, 2019 - 4:38 p.m.

Microarchitectural Data Sampling (MDS) Side Channel Vulnerabilities - US

2019-05-14 16:38:15
support.lenovo.com

CVSS3: 5.6 Medium

Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS2: 4.7 Medium

Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:L/AC:M/Au:N/C:C/I:N/A:N

EPSS: 0.001 Low
Percentile: 23.9%

Lenovo Security Advisory: LEN-26696

Potential Impact: Information disclosure

Severity: Medium

Scope of Impact: Industry-wide

CVE Identifier:

CVE-2018-12126 - Microarchitectural Store Buffer Data Sampling (MSBDS)
CVE-2018-12127 - Microarchitectural Load Port Data Sampling (MLPDS)
CVE-2018-12130 - Microarchitectural Fill Buffer Data Sampling (MFBDS)
CVE-2019-11091 - Microarchitectural Data Sampling Uncacheable Memory (MDSUM)

Summary Description:

Intel has notified Lenovo of a new sub-class of speculative execution side channel vulnerabilities called Microarchitectural Data Sampling (MDS). These vulnerabilities are referred to by the researchers as ZombieLoad, RIDL, and Fallout. Intel provides technical details of MDS on Intel’s MDS page.

Mitigation Strategy for Customers (what you should do to protect yourself):

Intel states that select 8th and 9th Generation Intel Core processors, as well as the 2nd Generation Intel Xeon Scalable Processor Family, are not vulnerable to MDS. A full list of these processors can be found here. If you are using one of these processors, no further action is necessary.

For other Intel processors, Intel recommends the following mitigation steps:

  • Update to the version of BIOS (or later) described for your system in the Product Impact section below.
  • Update Operating System (OS). See the Reference section of Intel’s MDS page for full details.
  • Update Virtual Machine Managers (VMMs). See the Reference section of Intel’s MDS page for full details.

Once these updates are applied, Intel advises that it may be appropriate for some customers to consider additional actions.
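
One way to confirm on a Linux host that the BIOS (microcode) and OS updates listed above are both in effect, as an added example that is not part of Lenovo's advisory. It assumes a kernel that reports MDS status in /sys/devices/system/cpu/vulnerabilities/mds; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes a Linux kernel that reports
# MDS status in sysfs; function names and result labels are hypothetical.
MDS_SYSFS=/sys/devices/system/cpu/vulnerabilities/mds

# Map the kernel's status line to the advisory step that is still missing.
classify_mds() {
    case "$1" in
        "Not affected"*)
            echo not_affected ;;          # CPU not vulnerable to MDS
        "Mitigation: Clear CPU buffers"*)
            echo mitigated ;;             # microcode and OS mitigation active
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            echo needs_microcode ;;       # OS updated, BIOS/microcode is not
        "Vulnerable"*)
            echo mitigation_disabled ;;   # kernel knows MDS, mitigation is off
        *)
            echo unknown ;;
    esac
}

# Extract the SMT (Hyper-Threading) state the kernel appends after "; SMT ".
smt_state() {
    case "$1" in
        *"; SMT "*) echo "${1##*; SMT }" ;;
        *)          echo "not reported" ;;
    esac
}

# Read the sysfs file (or a path given as $1) and print a one-line verdict.
mds_report() {
    file=${1:-$MDS_SYSFS}
    if [ ! -r "$file" ]; then
        # No entry: kernel predates MDS reporting (OS update missing) or not Linux.
        echo no_sysfs_entry
        return 0
    fi
    status=$(cat "$file")
    echo "$(classify_mds "$status") smt=$(smt_state "$status")"
}

mds_report
```

A result of needs_microcode means the OS update is present but the BIOS update from the first step has not been applied or has not taken effect.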


Product Impact:
