USN-3756-1: Intel Microcode vulnerabilities

27 August 2018

intel-microcode vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

The system could be made to expose sensitive information.

Software Description

  • intel-microcode - Processor microcode for Intel CPUs

Details

It was discovered that memory present in the L1 data cache of an Intel CPU core may be exposed to a malicious process that is executing on the CPU core. This vulnerability is also known as L1 Terminal Fault (L1TF). A local attacker in a guest virtual machine could use this to expose sensitive information (memory from other guests or the host OS). (CVE-2018-3646)

Jann Horn and Ken Johnson discovered that microprocessors utilizing speculative execution of a memory read may allow unauthorized memory reads via a sidechannel attack. This flaw is known as Spectre Variant 4. A local attacker could use this to expose sensitive information, including kernel memory. (CVE-2018-3639)

Zdenek Sojka, Rudolf Marek, Alex Zuepke, and Innokentiy Sennovskiy discovered that microprocessors that perform speculative reads of system registers may allow unauthorized disclosure of system parameters via a sidechannel attack. This vulnerability is also known as Rogue System Register Read (RSRE). An attacker could use this to expose sensitive information. (CVE-2018-3640)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS
intel-microcode - 3.20180807a.0ubuntu0.18.04.1
Ubuntu 16.04 LTS
intel-microcode - 3.20180807a.0ubuntu0.16.04.1
Ubuntu 14.04 LTS
intel-microcode - 3.20180807a.0ubuntu0.14.04.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make all the necessary changes.

References