Please note: This website includes an accessibility system. Press Control-F11 to adjust the website to the visually impaired who are using a screen reader; Press Control-F10 to open an accessibility menu.

AMD and Intel Processor Advisory

AMD and Intel Processor Advisory

AMD and Intel Processor Advisory

Lenovo Security Advisory: LEN-79451

Potential Impact: Information disclosure

Severity: Medium

Scope of Impact: Industry-wide

CVE Identifier: CVE-2022-0001, CVE-2022-0002, CVE-2021-26401, CVE-2017-5715

Summary Description:

AMD and Intel have reported potential security vulnerabilities in some AMD and Intel Processors that may allow information disclosure against the Linux kernel. AMD and Intel are releasing prescriptive guidance to address these potential vulnerabilities.

Mitigation Strategy for Customers (what you should do to protect yourself):

AMD recommends using one of the other published mitigations (V2-1 aka ‘generic retpoline’ or V2-4 aka ‘IBRS’) for CVE-2017-5715. Currently in Linux, users can control which mitigation is used at boot time. Users can choose the generic retpoline at boot time by using the spectre_v2 Linux kernel command for turning on retpoline: spectre_v2=retpoline,generic.

Alternatively, users can update their version of the Linux kernel that incorporates a patch provided by AMD to the Linux community. The patch includes using generic retpoline, if retpoline is enabled and not explicitly set to the AMD Retpoline (spectre_v2=retpoline,amd).

AMD has provided updated guidance in “Software Techniques for Managing Speculation on AMD Processors” located here: https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf

Intel recommends that affected Intel Processors disable access to managed runtimes in privileged modes to help prevent managed runtimes from being used as disclosure gadgets, such as unprivileged Extended Berkeley packet filter (eBPF) in kernel mode. Intel has worked with the Linux community to make this option available to all Linux users beginning in the Linux Kernel 5.16 stable version. This option is already available in some Linux distributions. Systems administrators and end users should check with their Linux vendor to determine the status of the operating system version they are using. Additional technical details from Intel can be found here.

References:

https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html

https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf

Revision History:

Revision Date Description
1 2022-03-08 Initial release

Alias Id:LEN-79451
Document ID:PS500479
Original Publish Date:03/08/2022
Last Modified Date:03/08/2022