Microsoft Guidance on Intel Processor MMIO Stale Data Vulnerabilities

Security Advisory

Released: 14 giu 2022

Assigning CNA
Microsoft
Impact
Information Disclosure
Max Severity
Important

Executive Summary

On June 14, 2022, Intel published information about a class of memory-mapped I/O vulnerabilities known as Processor MMIO Stale Data Vulnerabilities.

An attacker who successfully exploited these vulnerabilities might be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.

These vulnerabilities are known as:

  • CVE-2022-21123 - Shared Buffer Data Read (SBDR)
  • CVE-2022-21125 - Shared Buffer Data Sampling (SBDS)
  • CVE-2022-21127 - Special Register Buffer Data Sampling Update (SRBDS Update)
  • CVE-2022-21166 - Device Register Partial Write (DRPW)

Important: These vulnerabilities might affect other operating systems and service providers. We advise customers to seek guidance from their respective vendors.

Microsoft has released software updates to help mitigate these vulnerabilities. To get all available protections, firmware (microcode) and software updates are required. Please check with your OEM for microcode updates. In some cases, installing these updates will have a performance impact. We have also acted to secure our cloud services.

Microsoft has no information to indicate that these vulnerabilities have been used to attack customers at this time. Microsoft continues working closely with industry partners including chip makers, hardware OEMs, and app vendors to protect customers.

Recommended Actions

To protect your system from these vulnerabilities, Microsoft recommends that you take the following actions, and refer to the subsequent sections for links to further information for your specific situation:

  1. The best protection is to keep computers up to date. This includes installing OS and microcode updates.
  • To be fully protected, customers might also need to disable Hyper-Threading (also known as Simultaneous Multi Threading (SMT)). Please see Knowledge Base Article 4073757 for guidance on protecting Windows devices.
  • OEMs might also provide additional guidance. Customers using Surface products should see Microsoft Knowledge Base Article 4073065.
  1. Microsoft recommends that enterprise customers review this advisory in detail and register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
  2. Verify the status of protections for the various CVEs by running the PowerShell script Get-SpeculationControlSettings. For more information and to obtain the PowerShell script see Understanding Get-SpeculationControlSettings PowerShell script output.

Microsoft Windows client customers

Customers using Windows client operating systems need to apply both firmware (microcode) and software updates. See Microsoft Knowledge Base Article 4073119  for additional information. Microsoft is making available Intel-validated microcode updates for Windows 10 and 11 operating systems. Please see Microsoft Knowledge Base Article 4093836  for the current Intel microcode updates.

In addition, customers should check to see if their OEM is providing additional guidance on updates and mitigations. Surface Support Article 4073065 provides more information to Surface customers.

Microsoft Windows Server/Azure Stack HCI customers

Customers using Windows server operating systems listed in the Affected Products table need to apply firmware (microcode) and software updates as well as to configure protections. See Microsoft Knowledge Base Article 4072698 for additional information, including workarounds.

Microsoft Azure has taken steps to address the security vulnerabilities at the hypervisor level to protect Windows Server VMs running in Azure. More information can be found here.

Microsoft cloud customers

Microsoft has already deployed mitigations across our cloud services. More information is available here.

Microsoft SQL Server customers

In scenarios running Microsoft SQL Server, customers should follow the guidance outlined in Microsoft Knowledge Base Article 4073225.

Potential performance impacts

Specific performance impact varies by hardware generation and implementation by the chip manufacturer. For most consumer devices, impact on performance may not be noticeable. Some customers might have to disable Hyper-Threading (SMT) to fully address the risk from Processor MMIO Stale Data vulnerabilities. In testing Microsoft has seen some performance impact with these mitigations, in particular when hyperthreading is disabled. Microsoft values the security of its software and services and has made the decision to implement certain mitigation strategies in an effort to better secure our products. In some cases, mitigations are not enabled by default to allow users and administrators to evaluate the performance impact and risk exposure before deciding to enable the mitigations. We continue to work with hardware vendors to improve performance while maintaining a high level of security.

References

See the following for further information from Intel:

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly disclosed
No
Exploited
No
Exploitability assessment
Exploitation Less Likely

Acknowledgements

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Security Updates

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.

Release date Descending

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

How satisfied are you with the MSRC Security Update Guide?