CVE-2019-11135 – Speculate the Unexpected

As some of you are no-doubt already aware, today a new speculative execution vulnerability was announced; speculate the unexpected

FYI there is a new speculative execution vulnerability announced.  Rated 6.5 (Medium) by Intel, CVE-2019-11135 vulnerability “Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort” describes how “malicious application software executed by an authenticated user may be able to infer the values of data accessed on the same physical core”

Impact Summary:

From Intel’s site:

‘Malicious application software executed by an authenticated user may be able to infer the values of data accessed on the same physical core by:

    • – Other Applications
      – Operating Systems
      – System Management Mode (SMM)
      – Intel®Software Guard Extensions (Intel®SGX) enclaves
      – Virtual Machine Manager (VMM) if present
      – Other guests running under the same VMM
      – Worth noting the section regarding implications on virtualized – environments.’

Impacts on Virtualised Infrastructure

Intel further warns:

‘To ensure that guests are properly mitigated, VMMs should load a microcode update that causes IA32_ARCH_CAPABILITIES[TSX_CTRL] (bit 7) to be set on processors that need additional mitigations for TAA.

To help prevent possibly malicious guest VMs from using Intel TSX when it is not enumerated to them, VMMs should set IA32_TSX_CTRL[RTM_DISABLE] (bit 0) to disable Intel TSX on processors affected by TAA that are running untrusted guest VMs.

VMMs should ensure they apply the mitigations described in the MDS disclosure to guest VMs for which Intel TSX is enabled (IA32_TSX_CTRL[RTM_DISABLE] (bit 0)=0). Specifically, the VMM should ensure that sensitive data is not in the affected buffers before entering possibly malicious Intel TSX-enabled guests (for example, by executing VERW). The VMM should also ensure that possible victim VMs are not running on the sibling logical processor as untrusted guests.’

CPUs at-risk

The good news is that not all platforms, and not all products are at risk – this is an Intel vulnerability that only affects CPUs that the Intel TSX feature.  Systems NOT affected include:

  1. CPUs that do not support Intel TSX are not affected
    • No Intel TSX support is indicated by CPUID.07h.EBX.RTM (bit 11) set to 0 and CPUID.07h.EBX.HLE (bit 4) set to 0
  2. CPUs that enumerate IA32_ARCH_CAPABILITIES[TAA_NO] (bit 8)=1 are not affected
  3. CPUs that support Intel TSX and do not enumerate IA32_ARCH_CAPABILITIES[MDS_NO] (bit 5)=1 do not need additional mitigations beyond what is already required to mitigate MDS.

Patching and Remediation

As anticipated, we are seeing a multitude of providers release the patches and patching instructions necessary to remediate this vulnerability.  From Hardware Vendors to Operating Vendors, the list of patch announcements is coming fast.

It is antic aped that like previously released speculative execution patches, the steps required to mitigate will change (or at least be streamlined/automated); especially as more details emerge and as we get real-world implementation experience.

Recommended Action

Arguably, this is “Business As Usual” (BAU).  The vulnerability is well defined by Intel, there are patches available across a wide range of vendors (I hesitate to say “all”). My own personal recommendation is:

  • Review the advisories for the hardware and operating system (including hypervisor) platforms that you use
  • Understand the details of the vulnerability
  • Ensure you know, and follow, the implementation steps
  • Where required by your vendor, ensure that you not only install the patch but also enable it
  • Deploy into a test environment first
  • Test, Test Test
  • Once you’ve tested, build and execute your promote to production plan
  • And… test some more 🙂

Original Post

This post was originally authored on this blog, you can also see the corresponding LinkedIn Article here – https://www.linkedin.com/pulse/cve-2019-11135-speculate-unexpected-andrew-barnes

Leave a Reply

Your email address will not be published. Required fields are marked *