We’ve just heard of a new bunch of Intel CPU vulnerabilities and we want you to know the KernelCare team have swung into action to create patches for them.
Subscribe to our blog to get instant update.
The vulnerabilities are as follows.
1. CVE-2019–11135: TSX Asynchronous Abort (TAA)
This affects Intel chips with the Transactional Synchronization Extensions (TSX) feature.
It is similar to earlier MDS vulnerabilities, so if you’ve applied remediations for MDS, you will also be safe from this vulnerability.
However, if you’ve a newer Intel CPU with TSX enabled that’s not affected by MDS, you’ll need to update your CPU’s microcode and patch the kernel.
UPDATE FROM MONDAY, NOVEMBER 18TH
TSA (CVE-2019–11135) is taken care of by MDS mitigation on all kernels supported by KernelCare. KernelCare enforces MDS on all CPUs which are not in white-list. Currently there are no TSA-affected CPUs in this white-list, so no additional patches from KernelCare are required to mitigate TSA. We are recommending to those with TSA-affected CPUs to update to latest CPU microcode from their vendor.
2. CVE-2018–12207: Processor Machine Check Error (MCEPSC or iTLB multihit)
The Processor Machine Check Error vulnerability affects virtualized environments.
Exploitation of this vulnerability can result in the host system hanging when Extended Page Tables (EPT) are enabled.
UPDATE FROM MONDAY, DECEMBER 2
KernelCare Team has released Centos7, Centos7-Plus, RHEL7, OEL 7 patches for CVE-2018-12207 to the test feed. The KernelCare test feed makes it possible to start using new patches earlier.
To install patches from the test feed, run the command:
kcarectl --test --update
When production updates are available, KernelCare will use the regular feed automatically.
Subscribe to our blog to get the update about the patches in production.
3. CVE-2019–0155, CVE-2019–0154: i915 graphics hardware
CVE-2019–0155 can give an unprivileged user elevated system privileges.
CVE-2019–0154 can let an unprivileged user hang the system (effectively creating a DoS situation) by reading from specific memory locations (MMIO registers) when the graphic card’s power management goes to a particular minimal power usage state.
What we’re doing
As with all major vulnerabilities, as soon as the KernelCare monitoring team hear about it, developers and analysts begin the detailed process of investigating, assessing, developing and coding patches for our KernelCare Linux kernel live patching software.
We will start delivering first patches next Friday, November 29th. We'll report here we progress and will provide migration instructions and patch locations when ready. Subscribe to our blog to get instant update.
- Zombieload 2: KernelCare Team is on it!
- Zombieload 2: The Patches for CVE-2018-12207 are in the Test Feed!
- SWAPGS: KernelCare patches on the way
- RIDL – Another MDS Attack that Live Patching Would Have Saved You From
- QEMU-KVM vhost/vhost_net Guest to Host Kernel Escape Vulnerability
- New vulnerability found in Linux kernel, patched by KernelCare
- SACK Panic & Slowness: KernelCare Live Patches Are Here
- L1 Terminal Fault (L1TF) patches are available
- Intel DDIO 'NetCat' Vulnerability Report
- Fallout – the MDS Side Channel Attack That Isn't Zombieload