CVE-2018-12127 — Sensitive Information Exposure in Intel-microcode

CWE-200 — Sensitive Information Exposure CWE-385 — Covert Timing Channel53 documents15 sources

Severity

5.6MEDIUMNVD

EPSS

0.5%

top 34.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel XEN Qemu +9 more

Timeline

PublishedMay 30

Latest updateMay 24

Description

Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.1 | Impact: 4.0

Affected Packages12 packages

▶debiandebian/intel-microcode< intel-microcode 3.20190514.1 (bookworm)

▶CVEListV5intel_corporation/central_processing_unitsA list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

▶Appleapple/macos_mojave_10.14.5_security_update_2019-003_high_sierra_security_update_2019-0

▶debiandebian/xen< intel-microcode 3.20190514.1 (bookworm)

▶debiandebian/linux< intel-microcode 3.20190514.1 (bookworm)

Also affects: Fedora 29

🔴Vulnerability Details

GHSA

GHSA-9x4m-r2fg-43cj: Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user↗2022-05-24

▶

OSV

intel-microcode update↗2019-06-20

▶

OSV

CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user↗2019-05-30

▶

OSV

intel-microcode update↗2019-05-22

▶

OSV

linux-hwe, linux-azure, linux-gcp, linux-oracle vulnerabilities↗2019-05-15

▶

📋Vendor Advisories

BSD

FreeBSD-SA-19:26.mcu: Intel CPU Microcode Update↗2019-11-12

▶

Ubuntu

Intel Microcode update↗2019-06-20

▶

Palo Alto

PAN-SA-2019-0012 Information about Recent Intel Side Channel Vulnerabilities↗2019-05-29

▶

Ubuntu

Intel Microcode update↗2019-05-22

▶

Ubuntu

libvirt update↗2019-05-16

▶

🕵️Threat Intelligence

Tenable

Objects in Mirror Are Closer Than They Appear: Reflecting on the Cybersecurity Threats from 2019↗2019-12-16

▶

Trendmicro

Patch Tuesday: Fixes for 'Wormable' Flaw, Zero-Day↗2019-05-15

▶

Trendmicro

Patch Tuesday: Fixes for 'Wormable' Flaw, Zero-Day↗2019-05-15

▶

Trendmicro

Patch Tuesday: Fixes for 'Wormable' Flaw, Zero-Day↗2019-05-15

▶

Trendmicro

Patch Tuesday: Fixes for 'Wormable' Flaw, Zero-Day↗2019-05-15

▶

💬Community

Bugzilla

CVE-2018-12127 libvirt: hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS) [fedora-all]↗2019-05-14

▶

Bugzilla

CVE-2018-12127 kernel: hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS) [fedora-all]↗2019-05-14

▶

Bugzilla

CVE-2018-12127 qemu: hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS) [fedora-all]↗2019-05-14

▶

Bugzilla

CVE-2018-12127 hardware: Micro-architectural Load Port Data Sampling - Information Leak (MLPDS)↗2019-01-21

▶

External resources

NVD MITRE

Affected products12

Apple Macos Mojave 10.14.5 Security Update 2019-003 High Sierra Security Update 2019-0

Debian Intel-microcodefixed in intel-microcode 3.20190514.1 (bookworm)

Debian Linuxfixed in intel-microcode 3.20190514.1 (bookworm)

Debian XENfixed in intel-microcode 3.20190514.1 (bookworm)

Fedoraproject Fedorav29

Intel Corporation Central Processing UnitsvA list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance_05132019.pdf

Linux Kernel≥ 0, < 4.19.37-2≥ 0, < 3.13.0-170.220≥ 0, < 4.4.0-148.174+1 more

Paloalto Pan-os

Paloalto Panorama

Qemu≥ 0, < 2.0.0+dfsg-2ubuntu1.46≥ 0, < 1:2.5+dfsg-5ubuntu10.38≥ 0, < 1:2.11+dfsg-1ubuntu7.13

Disclosure

PublishedMay 30, 2019

Latest updateMay 24, 2022