Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4358
Intel CPU Microcode Update
18 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: mcu
Publisher: FreeBSD
Operating System: FreeBSD
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Access Privileged Data -- Existing Account
Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11139 CVE-2019-11135 CVE-2018-12130
CVE-2018-12127 CVE-2018-12126 CVE-2018-11091
CVE-2017-5715
Reference: ASB-2019.0330
ASB-2019.0322
ASB-2019.0138
ASB-2018.0192
ASB-2018.0165
ASB-2018.0101
Original Bulletin:
https://security.freebsd.org/advisories/FreeBSD-SA-19:26.mcu.asc
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:26.mcu Security Advisory
The FreeBSD Project
Topic: Intel CPU Microcode Update
Category: 3rd party
Module: Intel CPU microcode
Announced: 2019-11-12
Credits: Intel
Affects: All supported versions of FreeBSD running on certain
Intel CPUs.
CVE Name: CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
CVE-2017-5715
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
- - From time to time Intel releases new CPU microcode to address functional
issues and security vulnerabilities. Such a release is also known as a
Micro Code Update (MCU), and is a component of a broader Intel Platform
Update (IPU). FreeBSD distributes CPU microcode via the devcpu-data port
and package.
II. Problem Description
Starting with version 1.26, the devcpu-data port/package includes updates and
mitigations for the following technical and security advisories (depending
on CPU model).
Intel TSX Updates (TAA) CVE-2019-11135
Voltage Modulation Vulnerability CVE-2019-11139
MD_CLEAR Operations CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2018-11091
TA Indirect Sharing CVE-2017-5715
EGETKEY CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2018-11091
JCC SKX102 Erratum
Updated microcode includes mitigations for CPU issues, but may also cause a
performance regression due to the JCC erratum mitigation. Please visit
http://www.intel.com/benchmarks for further information.
Please visit http://www.intel.com/security for detailed information on
these advisories as well as a list of CPUs that are affected.
III. Impact
Operating a CPU without the latest microcode may result in erratic or
unpredictable behavior, including system crashes and lock ups. Certain
issues listed in this advisory may result in the leakage of privileged
system information to unprivileged users. Please refer to the security
advisories listed above for detailed information.
IV. Workaround
To determine if TSX is present in your system, run the following:
1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0
If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX),
TSX is present.
In the absence of updated microcode, TAA can be mitigated by enabling the
MDS mitigation:
3. sysctl hw.mds_disable=1
Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to
work.
*IMPORTANT*
If your use case can tolerate leaving the CPU issues unmitigated and cannot
tolerate a performance regression, ensure that the devcpu-data package is
not installed or is locked at 1.25 or earlier.
# pkg delete devcpu-data
or
# pkg lock devcpu-data
Later versions of the LLVM and GCC compilers will include changes that
partially relieve the peformance impact.
V. Solution
Install the latest Intel Microcode Update via the devcpu-data port/package,
version 1.26 or later.
Updated microcode adds the ability to disable TSX. With updated microcode
the issue can still be mitigated by enabling the MDS mitigation as
described in the workaround section, or by disabling TSX instead:
1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0
If bit 29 (0x20000000) is set in the fourth response word (EDX), then the
0x10a MSR is present.
3. cpucontrol -m 0x10a /dev/cpuctl0
If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to
TAA and no further action is required.
If bit 7 (0x80) is cleared, then your CPU does not have updated microcode
that facilitates TSX to be disabled. The only remedy available is to
enable the MDS mitigation, as documented above.
4. cpucontrol -m 0x122=3 /dev/cpuctl0
Repeat step 4 for each numbered CPU that is present.
A future kernel change to FreeBSD will provide automatic detection and
mitigation for TAA.
LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC
peformance impact. Updates to prior versions of LLVM are currently being
evaluated.
VI. Correction details
There are currently no changes in FreeBSD to address this issue.
VII. References
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12126>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12127>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11091>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715>
<URL:https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/>
<URL:https://software.intel.com/security-software-guidance/software-guidance/intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort>
<URL:https://www.intel.com/content/www/us/en/support/articles/000055650.html>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc>
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl3LArVfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJGQQ//ad41YWDAdgBMTWiF56qeySqElIOHt/mLt06s2WW9ceUoJpKW8rKwA4hi
sjuDlj4vg8ohdiFaZhTxX/smQi3BS+M0xi40fFFgMRR7HuVh11l6bPr+DoUH/Zi+
E5aiAilOlv/WUAxIrdx0ZlHPkjZ9vfSIPbiqmIkdlFEl4QCuusMRqXKNxaIzzk/K
rzabCN4NsQPk0SYIZ9l+tZ6JxOOeRaYn+aCjzlbkiYR+wttIaH9nTECx2Rj7XvSw
9Ng/Mq0M6QsTV/jKfQDRMxRnNfnzF7865uBQYxZNFY9VP5Z21CcqMT54ia5NgcG8
8Bn2fnM3HcK5LUW3DRnsLhAi6XX0EuX5VMdYvx20aQUj/k8f6a0cPmtSqUVkpU/K
ZcmLd4X+YS/o3UZnRY9OZOEb+kmZE/Yr8f/hR8tmle6FCPS1YLtkwDn3qg/oQA03
B5rLmzc+x32XZC0dn/HRZTLc4TXQLij0kZpuxiDmbEJmdARDWsl+e0VdBuQdD3Hr
Q2QvhSVvQgwue8vclfIQVElSZpW93HuyyR8O8ugofwcOt7XwI7k+8ZfrjkjHMPGZ
QW/i0FQJx4Kup70bzOubb3VEQ7cwAJtE1dvY55oaulDexq3RVMW7oEsvd84X2K8O
G3+YOZLMrvM1kFskRt067rttbJfMXvstMSHCCfGSqA7fdth6VNQ=
=KAsu
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXdI2cGaOgq3Tt24GAQjCjhAAvq71Du+/kdDGAZmCCVDCVHPrcgm39ybZ
LhEVCL9qZpiXgU/9lZUqOQKuUff7jy00oSJpG0gcUznraz8pVuUEwDgW2xbBsNh/
Tbx4df3YnbpVoIx9+lGxbjSzPA8P85J0dJSktM9Mzma4MLtl7eDknUQFdDzFblS4
4Vknxt3yovm7GLYewPE/ODUsOuCX8X15x+DcTmzg2HwH6MuH57sR0runzspkCMQX
jm3lqgmT+xsYuJO6p+S6CZJ5WM0uOPhakNt3pplw1ilas5WX6erkUu3ufhXykrf5
Er+Ll0P9xXVTwN7uJaTiYDauR13CQjxpqs6ucdqzZjnNdXeCgbYajk979GDQYAf2
tF2iV4QyqWK6zfuDXf1sEXpvNXUHrRGFcmwc3/sKV1BHKAHgC6InbGtDH5P+gQbF
dEpD7nl8vgEgenNY8gMRU/gXqfmA3Us3B7Q/TeeqyhIt/q1MK6pgb/YBa/RIbPQC
HMK6x67AcsW7Fln0zL7uekcHFx/sUuOeqq0C3uxszHlSuESIWd115VmHR3T1tjbC
Jn2P7mko4iCPj1gsfy1lUy1MkUhRHWDJS+wRMbJ+LUFwfNAeLhMhzmLNnlErN8TD
Vi8U7ItIirUZQoP2tsd97WsDjPVwoAo9y4SeCwxthAxKbtx3GOPxnFAm3Z08t9aS
SqCotZ+To0c=
=jwsh
-----END PGP SIGNATURE-----