Microsoft has released out of band updates for information disclosure vulnerabilities in Intel CPUs. The normal gut reaction would be to install out of band updates as soon as possible. Microsoft wouldn’t be releasing the updates ahead of the regular cycle without good reason, would it?
Well, maybe there are good reasons, but the number of users that would have to worry about these vulnerabilities is relatively small. And there are known performance issues related to applying the updates or disabling the Intel Hyper-Threading Technology. So please read on before you rush to update your system(s).
Microsoft issued a security advisory about these vulnerabilities on June 14, 2022. Intel’s advisory about the same four vulnerabilities came out the same day, which triggers the question, why did it take so long to release the updates? We can only speculate that a lot of time was spent on figuring out how to address these vulnerabilities most effectively.
The vulnerabilities are a class of memory-mapped I/O (MMIO) vulnerabilities. In shared resource environments (for example in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. Under normal circumstances, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The MMIO CVEs are listed as:
- CVE-2022-21123 - Shared Buffer Data Read (SBDR)
- CVE-2022-21125 - Shared Buffer Data Sampling (SBDS)
- CVE-2022-21127 - Special Register Buffer Data Sampling Update (SRBDS Update)
- CVE-2022-21166 - Device Register Partial Write (DRPW)
The underlying cause for these vulnerabilities is that Virtual Machines (VMs) share a portion of the physical processor (CPU). MMIO uses the processor’s physical-memory address space to access I/O devices that respond like memory components. Due to the incomplete cleanup in specific special register read and write operations, or shared buffers an authenticated user could potentially gain information disclosure through local access.
There is a long list of affected processors which shows the impact of transient execution attacks and select security issues on currently supported Intel® products, including recommended mitigation where affected.
Should you update?
As with many threats, the risk you are running very much depends on your threat model. If you are not running virtual machines in shared environments, I wouldn’t worry about these updates. If you are, then the ball is for a large part in the park of the provider of the cloud services, since it’s their physical machines that may or may not have the affected CPUs.
If any action needs to be taken, I would consider it their duty to let you know what needs to be done on your end.
Mitigation for these vulnerabilities includes a combination of microcode updates and software changes, depending on the platform and usage model. Microcode updates should be issued by the original equipment manufacturer (OEM). For more information, see INTEL-SA-00615.
Microcode is the name for the internal code that implements support for the processor’s instructions set.
The Windows updates are being released as manual updates in the Microsoft Update Catalog:
- KB5019180 - Windows 10, version 20H2, 21H2, and 22H2
- KB5019177 - Windows 11, version 21H2
- KB5019178 - Windows 11, version 22H2
- KB5019182 - Windows Server 2016
- KB5019181 - Windows Server 2019
- KB5019106 - Windows Server 2022
Another option is to disable Intel Hyperthreading, although we need to note that Intel Hyperthreading improves the overall performance for applications that benefit from a higher processor core count. So disabling it may have a negative impact, depending on the usage of the system.
According to VMWare, ensuring that no virtual machine has a PCI passthrough (VMDirectPath I/O pass-through) device configured is a viable workaround that will prevent any exploitation. VMDirectPath I/O allows a guest operating system on a virtual machine to directly access physical PCI and PCIe devices connected to a host.
Sometimes Microsoft really fails in providing a clear explanation about who needs to install an update, or even about how to do it. We get that it’s complicated when there are other vendors and OEMs involved, but referring users to highly technical third-party sites isn’t very helpful.
We do hope we have at least made clear that most of you do not have to worry about these.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.