===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0322
             INTEL-SA-00270 - TSX Asynchronous Abort Advisory
                             13 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Intel Core Processor
                      Intel Xeon Processor
                      Intel Xeon Scalable Processor
                      Intel Pentium Gold Processor
                      Intel Celeron Processor
Impact/Access:        Access Privileged Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11135  
Member content until: Friday, December 13 2019
Reference:            ESB-2019.4247
                      ESB-2019.4246

OVERVIEW

        Intel has discovered vulnerabilities in the following products:
         o Intel Core Processor
         o Intel Xeon Processor
         o Intel Xeon Scalable Processor
         o Intel Pentium Gold Processor
         o Intel Celeron Processor [1]


IMPACT

        Intel has provided the following information regarding the
        vulnerabilities:
        
        "Intel ID:                INTEL-SA-00270
        Advisory Category:        Hardware
        Impact of vulnerability : Information Disclosure
        Severity rating :         Medium
        Original release:         11/12/2019
        Last revised:             11/12/2019" [1]
        
        "CVEID: CVE-2019-11135
        
        Description: TSX Asynchronous Abort condition on some CPUs utilizing
        speculative execution may allow an authenticated user to potentially
        enable information disclosure via a side channel with local access.
        
        CVSS Base Score: 6.5 Medium
        
        CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N" [1]


MITIGATION

        Intel recommends:
        "...that users of the affected Intel Processors listed above, update
        to the latest firmware version provided by the system manufacturer
        that addresses these issues."
        
        "For additional microcode information, see here[2]."[1]
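
        Whether a Linux host still needs the firmware/microcode update can
        be read from the kernel's own report for this issue. The script
        below is an added example, not part of the AusCERT or Intel text: it
        assumes a kernel that exposes the tsx_async_abort sysfs file, and
        the function names and sample strings are constructed here.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's status line for
# TSX Asynchronous Abort (CVE-2019-11135).
# Assumption: the kernel exposes this sysfs file; older kernels do not.
TAA_SYSFS=/sys/devices/system/cpu/vulnerabilities/tsx_async_abort

# classify_taa STATUS_STRING -> one short verdict on stdout
classify_taa() {
    case "$1" in
        "Not affected"*)                 echo not_affected ;;
        # Kernel tried to clear CPU buffers but the CPU lacks updated
        # microcode: the firmware update from the bulletin is still needed.
        *"no microcode"*)                echo needs_microcode ;;
        # Mitigation active, but the kernel flags SMT as still exposed.
        "Mitigation:"*"SMT vulnerable"*) echo mitigated_smt_exposed ;;
        "Mitigation:"*)                  echo mitigated ;;
        "Vulnerable"*)                   echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# taa_status [PATH] -> verdict for this host (or for a saved copy of the file)
taa_status() {
    f=${1:-$TAA_SYSFS}
    if [ -r "$f" ]; then
        classify_taa "$(cat "$f")"
    else
        echo unknown   # file absent: kernel predates TAA reporting, or not Linux
    fi
}

# Constructed sample status lines, so the script shows output on any machine.
for sample in \
    "Not affected" \
    "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" \
    "Mitigation: Clear CPU buffers; SMT vulnerable" \
    "Mitigation: TSX disabled"
do
    printf '%-24s <- %s\n' "$(classify_taa "$sample")" "$sample"
done

printf 'this host: %s\n' "$(taa_status)"
```

        A verdict of needs_microcode or vulnerable marks a host that should
        be queued for the vendor firmware update; unknown means the kernel
        itself needs updating before it can report on this issue.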


REFERENCES

        [1] INTEL-SA-00270 - TSX Asynchronous Abort Advisory
            https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html

        [2] Intel microcode update guidance
            https://www.intel.com/content/dam/www/public/us/en/security-advisory/documents/IPU-2019.2-microcode-update-guidance-v1.0.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================