Bug 1753463 (CVE-2020-0551) - CVE-2020-0551 hw: Load Value Injection
Summary: CVE-2020-0551 hw: Load Value Injection
Alias: CVE-2020-0551
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1753462
TreeView+ depends on / blocked
Reported: 2019-09-19 02:36 UTC by Wade Mealing
Modified: 2023-05-12 14:48 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Intel's microprocessors. Intel microprocessors contain an implementation weakness that allows for an 'inverse MDS' style attack to be performed during store operations (writes to memory) and are stuffed maliciously into microarchitectural buffers from which unsuspecting victim code will later (speculatively) execute them. This allows an attacker to control and steer (speculative) execution, possibly allowing them to exploit gadgets in existing code to leak sensitive data. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Last Closed: 2020-03-10 22:31:42 UTC

Attachments (Terms of Use)

Description Wade Mealing 2019-09-19 02:36:25 UTC
Some Intel microprocessors contain a design weakness that allows for an "inverse MDS" style attack to be performed on writes to memory that allows microarchitectural attacks against load stores.  This flaw is very difficult to exploit requiring specific gadgets and timing and no microcode updates will be shipped to mitigate this issue.  

How it works:

A target/victim process will later execute these instructions and speculative use the cached values.  This allows an attacker to control and steer (speculative) execution, possibly allowing them to trigger the exploit via known gadgets in existing code to leak sensitive data. 

Due to the fine-grained control, an attacker potentially has (through e.g. return stack steering), they can cause code within a program to execute speculatively, creating new and novel potential leak gadgets.

This attack requires the ability for a local attacker to be able to execute code on the system, It is not known to be accessible across a network service at this time.

Comment 1 Wade Mealing 2019-11-15 03:56:52 UTC

Red Hat thanks Intel and industry partners for reporting this issue.

Comment 5 Wade Mealing 2020-02-12 04:15:15 UTC
Affected CPU releases:

- 6th Generation Intel® CoreTM Processor Family
- 7th Generation Intel® CoreTM Processor Family
- 8th Generation Intel® CoreTM Processor Family
- 9th Generation Intel® CoreTM Processor Family
- 10th Generation Intel® CoreTM Processor Family

- Intel® Xeon® Processor E3 v5 Family
- Intel® Xeon® Processor E3 v6 Family
- Intel® Xeon® Processor E-2100 Family
- Intel® Xeon® Processor E-2200 Family

Comment 8 Product Security DevOps Team 2020-03-10 22:31:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 12 Eric Christensen 2020-03-11 14:44:31 UTC

CVE-2020-0551 is the CVE assigned specifically to the hardware implementation leading to this flaw. Unlike the L1TF microarchitectural issue, no additional CVE have been assigned at this time to cover operating systems or vmm/hypervisor specific implementations.

As this CVE is a flaw in specific hardware, not the operating system kernel, and operating system mitigations are already applied, Red Hat does not list the Red Hat Enterprise Linux kernel package as “affected” by this CVE.

This does not imply that the flaw can not be exposed on systems running Red Hat Enterprise Linux on vulnerable hardware, only that the flaws exist in the hardware implementation and no additional changes are deemed necessary or practical to address this flaw at the software layer. 

Existing mitigations released in Red Hat Enterprise Linux in response to Spectre V1 (https://access.redhat.com/security/vulnerabilities/speculativeexecution), L1TF (https://access.redhat.com/security/vulnerabilities/L1TF) and MDS (https://access.redhat.com/security/vulnerabilities/mds) should already provide significant barrier against exploitation of this attack vector and no new mitigation is planned at this time.

Comment 15 Eric Christensen 2020-03-11 20:52:33 UTC

For hardware vulnerable to these attacks, there is no known mitigation other than to upgrade to hardware that is not vulnerable to this flaw.

Due to the high level of difficulty of the attack, and the performance impact which would be associated with any potential mitigations, there are currently no microcode or software mitigations for this issue other than previously existing Spectre V1 and SMAP mitigations described above.

Red Hat doesn't currently have knowledge of any real-world occurrences of this attack, so the risk of attack may be considered low. To further minimize the possibility of attacks related to this and other speculative issues, trusted and untrusted workloads can be isolated on separate systems.

For further details about potential mitigations, see Intel's LVI deep dive whitepaper (https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection).

Note You need to log in before you can comment on or make changes to this bug.