LenovoLENOVO:PS500255-PARTIAL-PHYSICAL-ADDRESS-LEAKAGE-VULNERABILITY-NOSIDPartial Physical Address Leakage Vulnerability - Lenovo Support US
3.3 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0005 Low
EPSS
Percentile
14.7%
Lenovo Security Advisory: LEN-27842
Potential Impact: Information disclosure
Severity: Low
Scope of Impact: Industry-wide
CVE Identifier: CVE-2019-0174
Summary Description:
A potential security vulnerability in some microprocessors may allow partial information disclosure via local access. This vulnerability is referred to by the researchers as RAMBleed. RAMBleed is a new Rowhammer style attack to leak information from certain DRAM modules. Systems using DRAM modules mitigated against Rowhammer style attacks remain protected from RAMBleed.
Mitigation Strategy for Customers (what you should do to protect yourself):
Partial physical address information potentially disclosed through exploitation of this vulnerability does not contain user secrets, but could potentially be utilized to enhance unrelated attack methods. For published exploits that Intel is aware of, Intel recommends users follow existing best practices including:
- The use of DRAM modules resistant to Rowhammer style attacks.
- Security Best Practices For Side Channel Resistance: <https://software.intel.com/security-software-guidance/insights/security-best-practices-side-channel-resistance>
- Guidelines For Mitigating Timing Side Channels Against Cryptographic Implementations: <https://software.intel.com/security-software-guidance/insights/guidelines-mitigating-timing-side-channels-against-cryptographic-implementations>
References:
Intel Security Advisory: <https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00247.html>
Security Best Practices For Side Channel Resistance: <https://software.intel.com/security-software-guidance/insights/security-best-practices-side-channel-resistance>
Guidelines For Mitigating Timing Side Channels Against Cryptographic Implementations: <https://software.intel.com/security-software-guidance/insights/guidelines-mitigating-timing-side-channels-against-cryptographic-implementations>
Revision History:
| Revision | Date | Description |
|---|---|---|
| 3 | 2019-08-21 | Removed Product Impact section since Lenovo products are not affected by design. |
| 2 | 2019-06-14 | Corrected broken links |
| 1 | 2019-06-11 | Initial release |
For a complete list of all Lenovo Product Security Advisories, click here.
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Related
3.3 Low
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
2.1 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
0.0005 Low
EPSS
Percentile
14.7%