Bug 1828580 (CVE-2020-8694)

Summary: CVE-2020-8694 kernel: Insufficient access control vulnerability in PowerCap Framework
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, bhu, blc, bmasney, dvlasenk, esyr, hdegoede, hkrzesin, itamar, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jpoimboe, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mjg59, mlangsdo, nmurray, pmatouse, ppandit, ptalbert, qzhao, rt-maint, rvrbovsk, steved, walters, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of Intel's Running Average Power Limit (RAPL) implementation. A local attacker could infer secrets by measuring power usage and also infer private data by observing the power usage of calculations performed on the data.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1844297, 1844298, 1844299, 1844300, 1896525, 1957867, 1957868    
Bug Blocks: 1828581    

Description Pedro Sampaio 2020-04-27 20:34:41 UTC
A 'power analysis' side channel was found in the PowerCap framework.  A local authenticated attacker can potentially use the powercap measurements to infer usually private information by measuring the power used by operations on the hidden information.

Comment 12 RaTasha Tillery-Smith 2020-06-04 14:16:22 UTC
Mitigation:


A temporary measure would be to remove the ability for non-root users 
to read the current RAPL energy reporting metrics.

This can be done with the command:

$ sudo chmod 400 /sys/class/powercap/intel_rapl/*/energy_uj

This mitigation will only work on the current boot and will need to be reapplied at each system boot to remain in effect.

Comment 16 Petr Matousek 2020-06-05 12:15:53 UTC
Acknowledgments:

Name: Intel

Comment 20 Petr Matousek 2020-11-10 19:33:56 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1896525]