Lenovo Security Advisory: LEN-30044
Potential Impact: Information Disclosure
Severity: Medium
Scope of Impact: Industry-wide
CVE Identifier: CVE-2020-0548, CVE-2020-0549, CVE-2020-0550
Summary Description:
Intel reported potential security vulnerabilities in some Intel Processors that may allow information disclosure. These vulnerabilities may be referred to as Vector Register Sampling (CVE-2020-0548) and L1D Eviction Sampling or CacheOut (CVE-2020-0549). Refer to Intel’s Security Advisory for additional information.
CVE-2020-0548: Cleanup errors in some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2020-0549: Cleanup errors in some data cache evictions for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2020-0550: Improper data forwarding in some data cache for some Intel Processors may allow an authenticated user to potentially enable information disclosure via local access.
Mitigation Strategy for Customers (what you should do to protect yourself):
Intel expects to release microcode updates for affected processors. Lenovo will publish fixes for affected systems once microcode updates are available from Intel. Until mitigations are available, follow the guidance below to reduce the likelihood of a successful attack using these vulnerabilities.
CVE-2020-0548: Intel recommends applying previous MDS mitigations described in LEN-26696 to reduce the impact of this vulnerability.
CVE-2020-0549: Intel recommends applying previous L1 Terminal Fault mitigations described in LEN-24163 to reduce the impact of this vulnerability in virtual environments.
CVE-2020-0550: Intel recommends applying previous L1 Terminal Fault mitigations described in LEN-24163 to reduce the impact of this vulnerability in virtual environments.
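The interim mitigations above can be checked on a Linux host through the status lines the kernel publishes in sysfs. The following is an added example, not part of the Lenovo or Intel advisory; it assumes a Linux system exposing /sys/devices/system/cpu/vulnerabilities, and the function names are illustrative.

```python
import os

# Assumption: Linux kernel sysfs interface; not mentioned in the advisory itself.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Advisory mapping: CVE -> (interim mitigation named in the advisory, sysfs file)
INTERIM = {
    "CVE-2020-0548": ("MDS mitigations (LEN-26696)", "mds"),
    "CVE-2020-0549": ("L1TF mitigations (LEN-24163)", "l1tf"),
    "CVE-2020-0550": ("L1TF mitigations (LEN-24163)", "l1tf"),
}

def read_sysfs(directory=SYSFS_DIR):
    """Return {file name: status line, or None if the kernel does not expose it}."""
    statuses = {}
    for name in {f for _, f in INTERIM.values()}:
        try:
            with open(os.path.join(directory, name)) as fh:
                statuses[name] = fh.read()
        except OSError:
            statuses[name] = None
    return statuses

def classify(name, status):
    """Map one status line to (state, smt_exposed)."""
    if not status:
        return "unknown", False
    s = status.strip()
    smt_exposed = "SMT vulnerable" in s
    if s.startswith("Not affected"):
        return "not-affected", False
    # L1TF guidance targets virtual environments: the host can report PTE
    # inversion while the hypervisor (VMX) L1D flush is still off.
    if name == "l1tf" and "VMX: vulnerable" in s:
        return "vulnerable", smt_exposed
    if s.startswith("Mitigation:"):
        return "mitigated", smt_exposed
    if s.startswith("Vulnerable"):
        return "vulnerable", smt_exposed
    return "unknown", smt_exposed

def report(statuses):
    """Return {CVE: (state, smt_exposed)} for the three CVEs in this advisory."""
    return {cve: classify(f, statuses.get(f)) for cve, (_, f) in INTERIM.items()}

if __name__ == "__main__":
    for cve, (state, smt) in report(read_sysfs()).items():
        print(f"{cve}: {INTERIM[cve][0]} -> {state}" + (" (SMT exposed)" if smt else ""))
```

A "mitigated" result reflects only the interim MDS and L1TF measures the advisory points to, not the microcode updates Intel expects to release.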