Microsoft issued guidance to help users protect their systems against denial of service (DoS) and information disclosure security flaws affecting Intel CPUs, disclosed during this week's Patch Tuesday.
The DoS vulnerability tracked as CVE-2018-12207 impacts client and server Intel Core processors up to and including 8th generation, while the speculative vulnerability flaw tracked as CVE-2019-11135 and found in the Intel Transactional Synchronization Extensions (TSX) capability affects Intel processors up to the 10th Generation.
Guidance for Zombieload 2 speculative execution side-channel attacks
By exploiting the ZombieLoad 2 flaw found in the TSX Asynchronous Abort (TAA) for some Intel processors (listed in the table below), authenticated local attackers or malware can steal sensitive information from the operating system kernel or processes active on the compromised device.
Intel provides additional technical details about TAA here and, in an advisory published yesterday, it recommends users of affected Intel processors to update their firmware to the latest version provided by their system's manufacturer to address this issue.
Product Collection | Product Names | Vertical Segment | CPUID |
10th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i7-10510Y, i5-10310Y Intel® Core™ Processor i5-10210Y, i5-10110Y Intel® Core™ Processor i7-8500Y Intel® Core™ Processor i5-8310Y, i5-8210Y, i5-8200Y Intel® Core™ Processor m3-8100Y |
Mobile | 806EC |
2nd Generation Intel® Xeon® Scalable Processors | Intel® Xeon® Platinum Processor 8253, 8256, 8260, 8260L, 8260M, 8260Y, 8268, 8270, 8276, 8276L, 8276M, 8280, 8280L, 8280M, 9220, 9221, 9222, 9242, 9282 Intel® Xeon® Gold Processor 5215, 5215L, 5215M, 5215R, 5217, 5218, 5218B, 5218N, 5218T, 5220, 5220R, 5220S, 5220T, 5222, 6222V, 6226, 6230, 6230N, 6230T, 6234, 6238, 6238L, 6238M, 6238T, 6240, 6240L, 6240M, 6240Y, 6242, 6244, 6246, 6248, 6252, 6252N, 6254, 6262V Intel® Xeon® Silver Processor 4208, 4208R, 4209T, 4210, 4210R, 4214, 4214C, 4214R, 4214Y, 4215, 4216, 4216R Intel® Xeon® Bronze Processor 3204, 3206R |
Server | 50657 |
Intel® Xeon® W Processor Family | Intel® Xeon® Processor W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223 | Workstation | 50657 |
9th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i9-9980HK, 9880H Intel® Core™ Processor i7-9850H, 9750HF Intel® Core™ Processor i5-9400H, 9300H |
Mobile | 906ED |
9th Generation Intel® Core™ Processor Family | Intel® Core™ Processor i9-9900K, i9-9900KF Intel® Core™ Processor i7-9700K, i7-9700KF Intel® Core™ Processor i5-9600K, i5-9600KF, i5-9400, i5-9400F |
Desktop | 906ED |
Intel® Xeon® Processor E Family | Intel® Xeon® Processor E-2288G, E-2286M, E-2278GEL, E-2278GE, E-2278G | Workstation/ Server / AMT Server | 906ED |
10th Generation Intel® Core™ Processor Family Intel® Pentium® Gold Processor Series Intel® Celeron® Processor 5000 Series |
Intel® Core™ Processor i7-10510U Intel® Core™ Processor i5-10210U Intel® Pentium® Gold Processor 6405U Intel® Celeron® Processor 5305U |
Mobile | 806EC |
8th Generation Intel® Core™ Processors | Intel® Core™ Processor i7-8565U, i7-8665U Intel® Core™ Processor i5-8365U, i5-8265U |
Mobile | 806EC |
Microsoft provides customers with guidance to disable the Intel TSX capability on systems featuring vulnerable Intel processors to block potential Zombieload 2 attacks.
By running the following command in a Command Prompt you can set a registry key to disable Intel TSX on your machine:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableTsx /t REG_DWORD /d 1 /f
If you want to toggle the Intel TSX capability back on, you can do it by issuing this command:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel" /v DisableTsx /t REG_DWORD /d 0 /f
Guidance for the Intel Processor Machine Check Error DoS flaw
The CVE-2018-12207 flaw allows authenticated local attackers to trigger a denial of service state on host systems with several impacted Intel processors (listed in the table below) by taking advantage of improper invalidation for page table updates by guest virtual machines.
"To mitigate this vulnerability, operating system and hypervisor vendors will be providing software updates. Please contact your operating system vendor for additional details," Intel says.
The company also states that it has coordinated with both hypervisor and OS vendors to provide updates designed to mitigate this security flaw.
Affected Intel products | |
Client | Server |
Intel® Core™ i3 Processors | 2nd Generation Intel® Xeon® Scalable Processors |
Intel® Core™ i5 Processors | Intel® Xeon® Scalable Processors |
Intel® Core™ i7 Processors | Intel® Xeon® Processor E7 v4 Family |
Intel® Core™ m Processor Family | Intel® Xeon® Processor E7 v3 Family |
2nd generation Intel® Core™ Processors | Intel® Xeon® Processor E7 v2 Family |
3rd generation Intel® Core™ Processors | Intel® Xeon® Processor E7 Family |
4th generation Intel® Core™ Processors | Intel® Xeon® Processor E5 v4 Family |
5th generation Intel® Core™ Processors | Intel® Xeon® Processor E5 v3 Family |
6th generation Intel® Core™ Processors | Intel® Xeon® Processor E5 v2 Family |
7th generation Intel® Core™ Processors | Intel® Xeon® Processor E5 Family |
8th generation Intel® Core™ Processors | Intel® Xeon® Processor E3 v6 Family |
Intel® Core™ X-series Processor Family | Intel® Xeon® Processor E3 v5 Family |
Intel® Pentium® Gold Processor Series | Intel® Xeon® Processor E3 v4 Family |
Intel® Celeron® Processor G Series | Intel® Xeon® Processor E3 v3 Family |
Intel® Xeon® Processor E3 v2 Family | |
Intel® Xeon® Processor E3 Family | |
Intel® Xeon® E Processor | |
Intel® Xeon® D Processor | |
Intel® Xeon® W Processor | |
Legacy Intel® Xeon® Processor |
While this security issue disclosed yesterday by Intel in a technical advisory was already addressed by Microsoft as part of its November 2019 Patch Tuesday, the protection it adds is disabled by default.
To enable protection against DoS attacks that could exploit the CVE-2018-12207 flaw on a Hyper-V host system, you have to run the following command in an elevated Command Prompt on the host system to set the applicable registry key (the guest VM has to be restarted after the command completes):
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v IfuErrataMitigations /t REG_DWORD /d 1 /f
To disable protections around Intel Processor Machine Check Error flaw, you need to run the following command on the host system in an elevated Command Prompt to set the applicable registry key (the guest VM has to restarted when the command completes):
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v IfuErrataMitigations /t REG_DWORD /d 0 /f
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now