CVE-2019-19338

A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19338	Issue Tracking Patch Third Party Advisory
https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort	Third Party Advisory
https://www.openwall.com/lists/oss-security/2019/12/10/3	Mailing List Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-07-13 17:15

Updated : 2024-02-28 17:47

NVD link : CVE-2019-19338

Mitre link : CVE-2019-19338

CVE.ORG link : CVE-2019-19338

JSON object : View

Products Affected

linux

linux_kernel

redhat

enterprise_linux

CWE

CWE-203

Observable Discrepancy

CWE-385

Covert Timing Channel

{"id": "CVE-2019-19338", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-07-13T17:15:11.247", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19338", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://www.openwall.com/lists/oss-security/2019/12/10/3", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-385"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where, the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la correcci\u00f3n para CVE-2019-11135, en Linux antes del kernel versiones anteriores a 5.5 donde, la manera en que las CPU Intel manejan una ejecuci\u00f3n especulativa de instrucciones cuando se produce un error TSX Asynchronous Abort (TAA). Cuando un invitado es ejecutado en una CPU host afectada por el fallo de TAA (TAA_NO=0), pero no est\u00e1 afectado por el problema de MDS (MDS_NO=1), el invitado deb\u00eda limpiar los b\u00faferes afectados al usar un mecanismo de instrucci\u00f3n VERW. Pero cuando se export\u00f3 el bit MDS_NO=1 a los invitados, los invitados no usaron el mecanismo VERW para borrar los b\u00faferes afectados. Este problema afecta a los invitados que son ejecutados en CPU Cascade Lake y requiere que el host tenga habilitado \"TSX\". La confidencialidad de los datos es la mayor amenaza asociada con esta vulnerabilidad"}], "lastModified": "2020-07-21T17:17:36.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5835B8E0-83CB-4B09-A21A-3CB59AF41F62", "versionEndExcluding": "5.5"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}