Industry-wide severity ratings can be found in the National Vulnerability Database
A speculative execution side channel variant known as Vector Register Sampling may allow the partial data values of some vector operations to be inferred under a specific set of complex conditions that include vector operations executing after a period of vector inactivity. Vector register sampling has been assigned CVE-2020-0548 with a CVSS 3.1 base score of 2.8 (vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N).
On some processors, under certain microarchitectural conditions involving a vector operation executing after a period of time where no vector operations executed, partial data values previously read from a vector register on a physical core may be propagated into unused portions of the store buffer. On processors affected by Microarchitectural Data Sampling (MDS) or Transactional Asynchronous Abort (TAA), data from a store buffer entry may be inferred using one of these data sampling side channel methods. Using the MDS or TAA methods, it may be possible for malicious actors to infer data values from previously read vector registers. The vector register sampling method is not believed to affect processors that are not affected by MDS or TAA¹.
Malicious software may be able to use vector register sampling to infer vector data used by previously run software, or to infer vector data used by software running on a sibling hyperthread on the same physical core, possibly even in the presence of an MD_CLEAR operation.

The vector register sampling method has a smaller scope than MDS for several reasons:

- Intel has replicated this technique only under synthetic conditions when running on a sibling hyperthread on the same core as the victim's hyperthread, not across an MD_CLEAR operation.
- Software that is mitigated against MDS methods both already performs an MD_CLEAR operation before running untrusted software, and already helps prevent possibly malicious software from running on the sibling hyperthread of a potential victim.
Intel expects to release microcode updates for affected processors which will help ensure that MD_CLEAR operations (for example, a VERW instruction) will prevent older vector register data from being propagated into unused portions of the store buffer due to vector operations executing after a period where no vector operations execute. When the microcode update is released, software can discover if the microcode update contains the mitigation by checking that the patch revision number matches or is greater than the corresponding revision number in the Affected Processors table.

On processors not yet updated to mitigate vector register sampling, SMT scheduling restrictions may reduce the risk of cross-thread secret data exposure. The vector register sampling method cannot be performed on processors that are not affected by MDS or TAA¹.
Processors that are affected by only TAA and not MDS² can mitigate this issue by disabling Intel® Transactional Synchronization Extensions (Intel® TSX) through the IA32_TSX_CTRL MSR. Disabling Intel® TSX will help prevent malicious software from inferring store buffer contents and thus also help prevent vector register sampling.

IA32_ARCH_CAPABILITIES[MDS_NO] is enumerated and Intel TSX is disabled.
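As an added example, not part of the Intel advisory, the following Python applies the advisory's reasoning above to one core: it assumes the caller supplies the IA32_ARCH_CAPABILITIES, IA32_TSX_CTRL and CPUID RTM values (read by whatever MSR/CPUID facility the platform offers), uses the architectural bit positions for those MSRs, and takes the required microcode revision as a placeholder argument because the Affected Processors table is not reproduced on this page.

```python
# Added example, not from the Intel advisory: classify one core's exposure to
# Vector Register Sampling from the bits named above. MSR bit positions are the
# architectural ones (IA32_ARCH_CAPABILITIES is MSR 0x10A, IA32_TSX_CTRL is MSR
# 0x122); values are supplied by the caller, e.g. read via the Linux msr driver.
# The required microcode revision is a caller-supplied placeholder standing in
# for the Affected Processors table, which is not reproduced on this page.

MDS_NO = 1 << 5            # IA32_ARCH_CAPABILITIES: not affected by MDS
TSX_CTRL_PRESENT = 1 << 7  # IA32_ARCH_CAPABILITIES: IA32_TSX_CTRL exists
TAA_NO = 1 << 8            # IA32_ARCH_CAPABILITIES: not affected by TAA
RTM_DISABLE = 1 << 0       # IA32_TSX_CTRL: every RTM transaction aborts

NOT_AFFECTED = "not affected: no MDS/TAA sampling primitive on this core"
MITIGATED = "mitigated by microcode: keep VERW and SMT mitigations in place"
DISABLE_TSX = "TAA-only: disable Intel TSX via IA32_TSX_CTRL.RTM_DISABLE"
VULNERABLE = "vulnerable: update microcode; SMT restrictions reduce risk meanwhile"


def microcode_revision(cpuinfo_text):
    """Parse the loaded patch revision from /proc/cpuinfo text ('microcode : 0xd6')."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "microcode":
            return int(value.strip(), 16)
    return 0


def vrs_status(arch_caps, rtm_in_cpuid, tsx_ctrl, microcode_rev, required_rev):
    """Apply the advisory's reasoning: arch_caps and tsx_ctrl are the raw MSR
    values (tsx_ctrl = 0 if absent), rtm_in_cpuid is CPUID.(7,0):EBX.RTM."""
    mds_affected = not (arch_caps & MDS_NO)
    tsx_enabled = rtm_in_cpuid and not (tsx_ctrl & RTM_DISABLE)
    taa_affected = tsx_enabled and not (arch_caps & TAA_NO)

    if not mds_affected and not taa_affected:
        return NOT_AFFECTED
    if microcode_rev >= required_rev:
        # Updated MD_CLEAR (VERW) also clears stale vector data, but only the
        # existing MDS/TAA software mitigations cause VERW to be executed.
        return MITIGATED
    if not mds_affected and arch_caps & TSX_CTRL_PRESENT:
        # Only TAA applies: turning off TSX removes the store-buffer sampling
        # primitive without waiting for the microcode update.
        return DISABLE_TSX
    return VULNERABLE
```

The microcode revision read from /proc/cpuinfo is compared against the per-model value from the Affected Processors table once that table is available.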