Intel are not having a good time lately are they? More vulnerabilities in their CPUs have been made public.
How many is that Intel have had recently that affect them? Quite a lot. This time, it appears AMD are not affected at least. Still, this is a lot of major security problems to go through with Spectre and Meltdown, Foreshadow and ZombieLoad. Currently, Intel are saying that they're "not aware of any use of these issues outside of a controlled lab environment" so you don't need to go and panic just yet. Just keep an eye on updates for your distribution and motherboard BIOS updates.
Here's they two they're now talking about:
CVE-2020-0548 is an information disclosure vulnerability with a CVSS score of 2.8, low, referred to as Vector Register Sampling. This issue is rated “low” as the user would first need to be authenticated on the target system, the high complexity of an attack, and low confidence in the attacker’s ability to target and retrieve relevant data.
CVE-2020-0549 is also an information disclosure vulnerability requiring authenticated local access. The CVSS score is 6.5, medium. Referred to as L1D Eviction Sampling, the severity score is higher on this one because the attack complexity is lower and the ability to target specific data higher. This vulnerability has little to no impact in virtual environments that have applied L1 Terminal Fault mitigations.
If you have an Intel CPU made before Q4 2018, you're likely affected. CVE-2020-0549, which is also being called CacheOut which has a dedicated website mentions that "Intel inadvertently managed to partially mitigate this issue while addressing a previous issue".
You can see Intel's official post on it here.
Article taken from GamingOnLinux.com.
Some you may have missed, popular articles from the last month:
The comments on this article are closed.
All posts need to follow our rules. For users logged in: please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Guest readers can email us for any issues.
RESET THE COUNTER
Last edited by NeoTheFox on 28 January 2020 at 12:47 pm UTC
Spoiler, click me
Last edited by NeoTheFox on 28 January 2020 at 12:47 pm UTC
9 Likes, Who?
After a little scare, I realized...
No Intel anymore for two weeks now. :)
(I guess all CPUs have their share, though.)
Last edited by Eike on 28 January 2020 at 12:44 pm UTC
No Intel anymore for two weeks now. :)
(I guess all CPUs have their share, though.)
Last edited by Eike on 28 January 2020 at 12:44 pm UTC
1 Likes, Who?
My next PC in several years from now will be AMD-based.
However this issue only affects Skylake-based CPUs, and I have Haswell on which TSX is disabled.
However this issue only affects Skylake-based CPUs, and I have Haswell on which TSX is disabled.
1 Likes, Who?
My next PC in several years from now will be AMD-based.
However this issue only affects Skylake-based CPUs, and I have Haswell on which TSX is disabled.
Intel will probably disable TSX on newer CPUs which apparently became a good tradition by now.
https://twitter.com/rygorous/status/1221918506012368896
Last edited by sub on 28 January 2020 at 12:50 pm UTC
1 Likes, Who?
Well, the feature list for my recent Coffee-Lake is also impressive already:
- cpu_meltdown
- spectre_v1
- spectre_v2
- spec_store_bypass
- l1tf
- mds
- swapgs
- taa
- itlb_multihit
11 Likes, Who?
Cloversheen Jan 28, 2020
Not amazing news for sure, but a big plus for the headline, it made me laugh more than it probably should have. 
Guess it is time to read up on it in order to advice friends and acquaintances who are overly susceptible to scare-mongering.
Guess it is time to read up on it in order to advice friends and acquaintances who are overly susceptible to scare-mongering.
0 Likes
Good thing I switched to a Ryzen 7 3700X last week :)
Still have a laptop with an Intel i5-3570 though.
Still have a laptop with an Intel i5-3570 though.
3 Likes, Who?
The vulnerabilities get a surprising amount of press compared to the risk they pose for the average person. I know just enough to realise that there is no reason to worry about these issues for any of my use cases and they I can even safely turn off all the mitigations. It does make me wonder how many people actually think that their computer might get hacked from these problems.
3 Likes, Who?
The vulnerabilities get a surprising amount of press compared to the risk they pose for the average person. I know just enough to realise that there is no reason to worry about these issues for any of my use cases and they I can even safely turn off all the mitigations. It does make me wonder how many people actually think that their computer might get hacked from these problems.
Yes, there are bigger risks with actual exploits in the wild, but to the best of my understanding, some of those "modern" problems (Spectre and following) do impose risks e.g. on browser processes as well. Still they are very interesting theoretically, but not so much in practice. In real world, the biggest security problem is sitting between keyboard and chair.
2 Likes, Who?
SirLootALot Jan 28, 2020
The vulnerabilities get a surprising amount of press compared to the risk they pose for the average person. I know just enough to realise that there is no reason to worry about these issues for any of my use cases and they I can even safely turn off all the mitigations. It does make me wonder how many people actually think that their computer might get hacked from these problems.
If a carmanufacturer had a malfunctioning car alarmsystem or doorlocking mechanism it would probably get similar coverage even though most people would still be able to park their cars on public roads.
Not sure if this is even that much coverage.
3 Likes, Who?
Comandante Ñoñardo Jan 28, 2020
Is my Haswell i7 4790K affected?
0 Likes
The vulnerabilities get a surprising amount of press compared to the risk they pose for the average person. I know just enough to realise that there is no reason to worry about these issues for any of my use cases and they I can even safely turn off all the mitigations. It does make me wonder how many people actually think that their computer might get hacked from these problems.
If a carmanufacturer had a malfunctioning car alarmsystem or doorlocking mechanism it would probably get similar coverage even though most people would still be able to park their cars on public roads.
Not sure if this is even that much coverage.
Well, the number of cars being stolen by exploiting the smart key system is actually quite substantial. And you if it wasn't for it being mentioned once or twice, I wouldn't have known about it. On the other hand, I have never heard of any hack or data leak with an in-the-wild exploit of these CPU vulnerabilities. As I understand it, it is just not a reasonable attack vector for anything other than hosts running multiple virtualised servers. And even then the chances of doing anything useful are not that great.
0 Likes
Is my Haswell i7 4790K affected?
Without microcode updates: Yes.
Otherwise: No.
https://www.anandtech.com/show/8376/intel-disables-tsx-instructions-erratum-found-in-haswell-haswelleep-broadwelly
1 Likes, Who?
Hopefully similar issues not yet discovered/publicised isn't the case for AMD's processors as well.
And being on Linux, I hope it's not just naive optimism that I hope we are less susceptible to designed-in security holes for NSA and suchlike organisations to exploit. That's more likely to be in central infrastructure though, and not necessarily in personal computers.
In any case, I hope Linux is more secure in these regards.
And being on Linux, I hope it's not just naive optimism that I hope we are less susceptible to designed-in security holes for NSA and suchlike organisations to exploit. That's more likely to be in central infrastructure though, and not necessarily in personal computers.
In any case, I hope Linux is more secure in these regards.
0 Likes
Like previous vulnerabilities, it's indeed a serious problem and I hate more Intel for that as they're worst than AMD.
The issue with these x86 processors, two big manufacturers, which the most of people used and are using.
This is not just a personal issue but a political and an economic one...
But yeah I don't read too much "real" cases about that in the news (sadly?).
Open source processors? Open Hardware? Ideally for that sort of thing a country should not use material from another... as we know at least since 2013 how it can affect societies as a whole (but yeah I speak in large, not only processors vulnerabilities).
My poor i5-2500K...
Last edited by Cyril on 28 January 2020 at 4:36 pm UTC
The issue with these x86 processors, two big manufacturers, which the most of people used and are using.
This is not just a personal issue but a political and an economic one...
But yeah I don't read too much "real" cases about that in the news (sadly?).
Open source processors? Open Hardware? Ideally for that sort of thing a country should not use material from another... as we know at least since 2013 how it can affect societies as a whole (but yeah I speak in large, not only processors vulnerabilities).
My poor i5-2500K...
Last edited by Cyril on 28 January 2020 at 4:36 pm UTC
1 Likes, Who?
SirLootALot Jan 28, 2020
The vulnerabilities get a surprising amount of press compared to the risk they pose for the average person. I know just enough to realise that there is no reason to worry about these issues for any of my use cases and they I can even safely turn off all the mitigations. It does make me wonder how many people actually think that their computer might get hacked from these problems.
If a carmanufacturer had a malfunctioning car alarmsystem or doorlocking mechanism it would probably get similar coverage even though most people would still be able to park their cars on public roads.
Not sure if this is even that much coverage.
Well, the number of cars being stolen by exploiting the smart key system is actually quite substantial. And you if it wasn't for it being mentioned once or twice, I wouldn't have known about it. On the other hand, I have never heard of any hack or data leak with an in-the-wild exploit of these CPU vulnerabilities. As I understand it, it is just not a reasonable attack vector for anything other than hosts running multiple virtualised servers. And even then the chances of doing anything useful are not that great.
Fair point. It is however not just an academic exercise but an actual threat to computer security. With WebGL enabled we are talking about a remote exploit. And if it were not for the mitigations we probably would already have seen it in use.
But I guess I agree the problem is blown a bit out of proportion.
edit: Hardware vulnerabilitys like Spectre are not limited to x86 but affect all Processors with speculative execution.
Last edited by SirLootALot on 28 January 2020 at 4:51 pm UTC
0 Likes
why would I enjoy that?
I can see next kernel release been slower cause of the fix of this
I can see next kernel release been slower cause of the fix of this
0 Likes
there is no reason for using Intel over AMD, in gaming I think that the top tier are even. So not sure why anyone would use intel provided pretty much everything else runs slower on their counterparts.
Not everybody changed their computer yesterday, and Intel was better for decades.
8 Likes, Who?
Running the latest spectre-meltdown-checker (which has not yet been updated for those new vulnerabilities) shows mitigations in place for all the 14 issues it currently tests for. That's for an i5-4460 on Ubuntu 18.04. So as bad as some of these are, at least they have been addressed. No need to worry.
2 Likes, Who?
Patreon
PayPal
See more from me