SUSE addresses Transactional Asynchronous Abort and Machine Check Error on Page Size Changes issues
Today Intel and security researchers published a number of security issues covering various Intel hardware and software components.
Intel has published an overview of those issues in a blog article.
SUSE is providing updates to mitigate two new Intel CPU issues out of the above list.
Machine Check Error on Page Size Changes / CVE-2018-12207
A race condition during instruction decoding and extended pagetable management on Intel CPUs could lead to Machine Check Errors (crashes of a CPU), a denial of service attack.
This issue could be used by an attacker with full access to a guest VM to crash the host.
This race condition exists in all current Intel CPUs, except Intel Atom and Knights Landing. Please see the Intel whitepaper on the full list.
SUSE provides a software mitigation for this issue in updates to its Hypervisors, both for KVM in the Linux Kernel and for XEN.
The mitigation is enabled by default, please refer to our Technical Information Document for details on how to check its status and configuration.
Updated packages are linked from our CVE-2018-12207 page.
Transactional Asynchronous Abort (TAA) / CVE-2019-11135
Researchers from TU Graz, KU Leuven, CISPA Helmholtz Center, VUSec group at VU Amsterdam have identified an additional CPU based information leak attack, similar to the “Microarchitectural Data Sampling” (MDS) attack published in May 2019.
They showed that during an asynchronous abort of a Transactional Execution, various microarchitectural buffers might be speculatively accessed that could cause side effects similar to the MDS attack, leaking small amounts of recently or currently used data on the same CPU core.
Intel has provided Microcode updates, and SUSE provides fixed Kernel and XEN packages to help mitigate this problem.
Intels whitepaper is available here.
Depending on the environment, administrators also need to consider disabling Hyperthreading and/or disabling TSX support. Disabling TSX is only possible with the help of CPU Microcode updates on Cascade Lake and newer systems.
The options to control the mitigations are available and documented in our TID.
Updated packages are linked from our CVE-2019-11135 page.
SUSE has supplied online updates for the Linux Kernel, XEN, Intel CPU Microcode, and qemu to mitigate these issues.