CVE-2019-19338
Kernel: KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA (CVE-2019-11135)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
Se encontró un fallo en la corrección para CVE-2019-11135, en Linux antes del kernel versiones anteriores a 5.5 donde, la manera en que las CPU Intel manejan una ejecución especulativa de instrucciones cuando se produce un error TSX Asynchronous Abort (TAA). Cuando un invitado es ejecutado en una CPU host afectada por el fallo de TAA (TAA_NO=0), pero no está afectado por el problema de MDS (MDS_NO=1), el invitado debía limpiar los búferes afectados al usar un mecanismo de instrucción VERW. Pero cuando se exportó el bit MDS_NO=1 a los invitados, los invitados no usaron el mecanismo VERW para borrar los búferes afectados. Este problema afecta a los invitados que son ejecutados en CPU Cascade Lake y requiere que el host tenga habilitado "TSX". La confidencialidad de los datos es la mayor amenaza asociada con esta vulnerabilidad
A flaw was found in the fix for CVE-2019-11135, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction
mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-11-27 CVE Reserved
- 2020-01-09 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-203: Observable Discrepancy
- CWE-385: Covert Timing Channel
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19338 | 2020-07-21 | |
| https://www.openwall.com/lists/oss-security/2019/12/10/3 | 2020-07-21 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2019-19338 | 2020-04-14 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1781514 | 2020-04-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | < 5.5 Search vendor "Linux" for product "Linux Kernel" and version " < 5.5" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Affected
| ||||||