Updated microcode packages fix security vulnerabilities
Publication date: 19 Aug 2018Modification date: 19 Aug 2018
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-3615 , CVE-2018-3620 , CVE-2018-3646
Description
This microcode update provides the Intel 20180807 microcode release that adds the processor microcode side of fixes and mitigations for the now publically known security issue affected Intel processors called L1 Terminal Fault (L1TF) for most Intel processors since Intel Core gen2: Systems with microprocessors utilizing speculative execution and Intel Software Guard Extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via side-channel analysis (CVE-2018-3615). Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and side-channel analysis (CVE-2018-3620). Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and side-channel analysis (CVE-2018-3646). The impact of the L1TF security issues: * Malicious applications may be able to infer the values of data in the operating system memory, or data from other applications. * A malicious guest virtual machine (VM) may be able to infer the values of data in the VMM’s memory, or values of data in the memory of other guest VMs. * Malicious software running outside of SMM may be able to infer values of data in SMM memory. * Malicious software running outside of an Intel® SGX enclave or within an enclave may be able to infer data from within another Intel SGX enclave. NOTE! You also need to install one of the 4.14.65 based kernel updates to get the current operating system side set of fixes and mitigations for L1TF. That means either kernel (mga#23458), kernel-tmb (mga#23459) or kernel-linus (mga#23460). For more detailed info about the microcode and a list of processors, see the referenced changelog.
References
- https://bugs.mageia.org/show_bug.cgi?id=23457
- https://bugs.mageia.org/show_bug.cgi?id=23458
- https://bugs.mageia.org/show_bug.cgi?id=23459
- https://bugs.mageia.org/show_bug.cgi?id=23460
- https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File
- https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3615
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3646
SRPMS
6/nonfree
- microcode-0.20180807-1.mga6.nonfree