
Special Register Buffer Data Sampling / CVE-2020-0543 / INTEL-SA-00232

2020-06-09
2020-06-09
CVSS base score: 6.5 (Medium)

Industry-wide severity ratings can be found in the National Vulnerability Database.


Aliases

  • Crosstalk

Overview

A new domain bypass transient execution attack known as special register buffer data sampling (SRBDS) may allow data values from special registers to be inferred by malicious code executing on any core of the CPU. This vulnerability affects some client and Intel® Xeon® E3 processors; it does not affect other Intel Xeon or Intel Atom® processors. SRBDS has been assigned CVE-2020-0543 with a CVSS base score of 6.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

Certain processor operations (such as RDRAND) microarchitecturally need to read data from outside the physical core (for example, from a random number generator shared between cores). This is often performed through an internal microarchitectural operation called a special register read.

On some processors, the data returned for a special register read is staged in a shared microarchitectural buffer and then transferred to the microarchitectural fill buffer within the physical core that performed the read. On affected processors, when the shared staging buffer is updated on a read, only the portion of the staging buffer needed for that read is updated. The other portions of the staging buffer are not modified. The unmodified portions of the staging buffer may contain stale data from previous special register reads, including those done by other cores. On processors affected by Microarchitectural Fill Buffer Data Sampling (MFBDS) or Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort (TAA), an adversary may be able to infer data in the fill buffer entries.

This means that on affected processors that are also affected by MFBDS or TAA, it may be possible for software to infer the value returned by special register reads on other logical processors (including other physical cores) by using MFBDS or TAA techniques. Only the value that was present in the staging buffer used by special register reads can be inferred cross-core.

According to Intel’s evaluation, the special register reads that may be used in methods that rely on their data being kept secret are:

  • RDRAND
  • RDSEED
  • SGX EGETKEY

Refer to the SRBDS Deep Dive for further details.

Mitigation

On affected processors, Intel will release microcode updates whose default behavior is to modify the RDRAND, RDSEED, and EGETKEY instructions to overwrite secret special register data in the shared staging buffer before the secret data can be accessed by any other logical processor on the same core or on a different core.

During execution of the RDRAND, RDSEED, or EGETKEY instructions, off-core accesses from other logical processors will be delayed until the special register read is complete and the secret data in the shared staging buffer is overwritten.

On systems that have loaded the microcode with the mitigation, the processors are fully mitigated by default.

Refer to the SRBDS Deep Dive and SRBDS mitigation impact on Intel® Secure Key for more information.
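
One way to confirm the mitigation state described above on a Linux host, as an added example that is not part of Intel's advisory. It assumes the Linux kernel's /sys/devices/system/cpu/vulnerabilities/srbds status file and the /proc/cpuinfo flag names rdrand, rdseed and sgx, none of which appear on this page; the sample strings are constructed.

```python
"""Added example: classify the Linux kernel's SRBDS status string."""
from pathlib import Path

# Assumption (not from the advisory): Linux exposes SRBDS state in this sysfs file.
SRBDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/srbds")
# /proc/cpuinfo flags for the instructions the advisory lists (sgx gates EGETKEY).
SECRET_SOURCES = {"rdrand": "RDRAND", "rdseed": "RDSEED", "sgx": "SGX EGETKEY"}


def classify(status):
    """Map a kernel SRBDS status line to (verdict, action)."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected", "none"
    if s.startswith("Mitigation:"):
        # "Mitigation: Microcode" or "Mitigation: TSX disabled"
        return "mitigated", "none"
    if s == "Vulnerable: No microcode":
        return "vulnerable", "load the microcode update"
    if s.startswith("Vulnerable"):
        return "vulnerable", "mitigation disabled by configuration"
    if s.startswith("Unknown"):
        return "unknown", "verify microcode on the hypervisor host"
    return "unknown", "unrecognized status; check kernel version"


def exposed_instructions(cpuinfo_text):
    """Return the advisory's listed instructions that this CPU advertises."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags") and ":" in line:
            flags.update(line.split(":", 1)[1].split())
    return sorted(name for flag, name in SECRET_SOURCES.items() if flag in flags)


def report(sysfs=SRBDS_SYSFS, cpuinfo=Path("/proc/cpuinfo")):
    """Read live state; returns a dict and tolerates missing files."""
    status = sysfs.read_text() if sysfs.exists() else "Unknown: sysfs entry missing"
    info = cpuinfo.read_text() if cpuinfo.exists() else ""
    verdict, action = classify(status)
    return {"status": status.strip(), "verdict": verdict, "action": action,
            "instructions": exposed_instructions(info)}


if __name__ == "__main__":
    # Constructed sample inputs, so the example also runs off-target.
    for sample in ("Mitigation: Microcode", "Vulnerable: No microcode"):
        print(sample, "->", classify(sample))
    print(report())
```

Inside a virtual machine the kernel may only be able to report an unknown state, because the microcode is loaded by the host.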



Copyright Intel Corporation 2020.