Important CVSS 7.1 2018-05 archive

Executive Summary

On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities (known as Spectre and Meltdown) involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21st, a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB) has been announced and assigned CVE-2018-3639 . An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries. Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel. At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate. Microsoft will implement the following strategy to mitigate Speculative Store Bypass: Register for security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications . Familiarize yourself with the vulnerability details. See the References section for links to further information. Microsoft recommends that developers review the updated developer guidance for Speculative Store Bypass at: https://docs.microsoft.com/en-us/cpp/security/developer-guidance-speculative-execution . Apply updates as follows: 4.1. Apply the Windows updates that provide support for SSBD. See the Security Updates table to download and install these updates. 4.2. Hardware-specific action may be required in devices using certain processors: a. Intel processors: For a list of affected Intel processors see Intel's advisory here . Apply hardware/microcode updates from your device OEM for affected Intel-based systems. Note that SSBD in Intel processors is dependent upon having the corresponding microcode installed. Contact your OEM for firmware/BIOS versions that contain SSBD compatibility. b. AMD processors: For a list of affected AMD processor families see AMD’s advisory here . Updated microcode is not required. c. ARM processors: For a list of affected ARM processors, see ARM’s advisory here . An OEM provided update will be delivered via Windows Update to mitigate Speculative Store Bypass automatically (enabled by default without option to disable). Contact your OEM for availability. 4.3. Evaluate the performance implication of turning on SSBD in your environment. 4.4. Evaluate the Speculative Store Bypass risk to your environment, including CVSS value and exposure to vulnerable code patterns in third-party software, and decide if SSBD should be turned on. 4.5. To turn on SSBD, use the registry settings documented here: 4.6. To verify the status of SSBD, the Get-SpeculationControlSettings PowerShell script has been updated to detect affected processors, status of the SSBD operating system updates, and state of the processor microcode if applicable. For more information and to obtain the PowerShell script visit: Understanding Get-SpeculationControlSettings PowerShell script output . 1. Microsoft is releasing security updates for this advisory. Does this mean that you have found vulnerable code? No. At the time of publication, we have not discovered vulnerable code patterns in our software or cloud service infrastructure. The updates released on June 12, 2018 provide Windows support for Speculative Store Bypass Disable (SSBD) for Intel processors. See the update in the Executive Summary for more information. 2. What does "a vulnerable code pattern" mean? A vulnerable code pattern is software code that creates the conditions that allow exploitation of Speculative Store Bypass. For greater details, please see the Speculative Store Bypass overview at: https://aka.ms/sescsrdssb . 3. When will the Windows update(s) that provide support for SSBD be available? Devices using Intel processors: Support for SSBD was released in all supported versions of Windows by July 2018. Devices using AMD processors: Microsoft has released support for SSBD in supported versions of Windows 10, Windows Server 2016, and Windows Server 2019 on November 13, 2018. See the Security Updates table for update information. We continue to work with AMD to enable support of SSBD in additional supported versions of Windows. Microsoft has released support for SSBD in supported versions of Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2 on January 8, 2019. See the Security Updates table for update information. We continue to work with AMD to enable support of SSBD in additional supported versions of Windows. Devices using ARM processors: Updates will be made available by OEMs via Windows Update. Contact your OEM for availability. See the Recommended actions section for information about the updates and the steps to apply to turn on SSBD. 4. Is there a performance implication when I install the updates that provide support for SSBD on AMD and Intel processors? No. Installing the updates themselves will not affect the performance of your CPU. 5. Is there a performance implication when I turn on SSBD on supported AMD and Intel processors? In testing Microsoft has seen some performance impact when SSBD is turned on. However, the actual performance impact will depend on multiple factors, such as the specific chipset in your physical host and the workloads that are running. 6. Where can I find information about CVE-2018-3640 that was also announced on May 21, 2018? See ADV180013 | Microsoft Guidance for Rogue System Register Read . 7. Is the Microsoft Cloud infrastructure affected? At the time of publication, we have not discovered vulnerable code patterns in our software or cloud service infrastructure. In addition, defense-in-depth mitigations have been deployed across the Microsoft cloud infrastructure which directly address speculative execution vulnerabilities. 8. How does Speculative Store Bypass compare to the Spectre and Meltdown vulnerabilities? Speculative Store Bypass is a subclass of speculative execution side-channel vulnerabilities like Spectre and Meltdown. 9. Where can I find Microsoft guidance for the Spectre and Meltdown vulnerabilities? See ADV180002 | Guidance to mitigate speculative execution side-channel vulnerabilities .

Overview

7.1
CVSS HIGH
Important
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
Category Information Disclosure
Released May 8 2018
Last Updated May 8 2018
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known

CVSS Vector

ATTACK VECTOR
Local
ATTACK COMPLEXITY
Low
PRIVILEGES REQUIRED
None
USER INTERACTION
None
SCOPE
Changed
CONFIDENTIALITY
High
INTEGRITY
None
AVAILABILITY
None
Temporal Score: 7.1

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

24 affected products
Product KB Article Severity Impact Restart Required
Microsoft Surface Book 4073065 (Update history) Important Information Disclosure Yes
Microsoft Surface Book 2 4073065 (Update history) Important Information Disclosure Yes
Microsoft Surface Laptop 4073065 (Update history) Important Information Disclosure Yes
Microsoft Surface Pro 3 4073065 (Update history) Important Information Disclosure Yes
Microsoft Surface Pro 4 4073065 (Update history) Important Information Disclosure Yes
Microsoft Surface Studio 4073065 (Update history) Important Information Disclosure Yes
Surface Pro Model 1796 4073065 (Update history) Important Information Disclosure Yes
Surface Pro with Advanced LTE Model 1807 4073065 (Update history) Important Information Disclosure Yes
Windows 10 for 32-bit Systems 4467680 (Security Update) Important Information Disclosure Yes
Windows 10 for x64-based Systems 4467680 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1607 for 32-bit Systems 4467691 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1607 for x64-based Systems 4467691 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1703 for 32-bit Systems 4467696 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1703 for x64-based Systems 4467696 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1709 for 32-bit Systems 4467686 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1709 for x64-based Systems 4467686 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1803 for 32-bit Systems 4467702 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1803 for x64-based Systems 4467702 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1809 for 32-bit Systems 4467708 (Security Update) Important Information Disclosure Yes
Windows 10 Version 1809 for x64-based Systems 4467708 (Security Update) Important Information Disclosure Yes
Windows 7 for 32-bit Systems Service Pack 1 4480970 (Monthly Rollup) 4480960 (Security Only) Important Information Disclosure 4471318 Base: 7.1 Temporal: 7.1 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Yes None Windows 7 for x64-based Systems Service Pack 1 4480970 (Monthly Rollup) 4480960 (Security Only) Important Information Disclosure 4471318 Base: 7.1 Temporal: 7.1 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Yes None Windows 8.1 for 32-bit systems 4480963 (Monthly Rollup) 4480964 (Security Only) Important Information Disclosure 4471320 Base: N/A Temporal: N/A Vector: N/A Yes None Windows 8.1 for x64-based systems 4480963 (Monthly Rollup) 4480964 (Security Only) Important Information Disclosure 4471320 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2008 for 32-bit Systems Service Pack 2 4480968 (Monthly Rollup) 4480957 (Security Only) Important Information Disclosure 4471325 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) 4480968 (Monthly Rollup) 4480957 (Security Only) Important Information Disclosure 4471325 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2008 for x64-based Systems Service Pack 2 4480968 (Monthly Rollup) 4480957 (Security Only) Important Information Disclosure 4471325 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) 4480968 (Monthly Rollup) 4480957 (Security Only) Important Information Disclosure 4471325 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2008 R2 for x64-based Systems Service Pack 1 4480970 (Monthly Rollup) 4480960 (Security Only) Important Information Disclosure 4471318 Base: 7.1 Temporal: 7.1 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Yes None Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) 4480970 (Monthly Rollup) 4480960 (Security Only) Important Information Disclosure 4471318 Base: 7.1 Temporal: 7.1 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Yes None Windows Server 2012 4480975 (Monthly Rollup) 4480972 (Security Only) Important Information Disclosure 4471330 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2012 (Server Core installation) 4480975 (Monthly Rollup) 4480972 (Security Only) Important Information Disclosure 4471330 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2012 R2 4480963 (Monthly Rollup) 4480964 (Security Only) Important Information Disclosure 4471320 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2012 R2 (Server Core installation) 4480963 (Monthly Rollup) 4480964 (Security Only) Important Information Disclosure 4471320 Base: N/A Temporal: N/A Vector: N/A Yes None Windows Server 2016 4467691 (Security Update) Important Information Disclosure Yes
Windows Server 2016 (Server Core installation) 4467691 (Security Update) Important Information Disclosure Yes
Windows Server, version 1709 (Server Core Installation) 4467686 (Security Update) Important Information Disclosure Yes
Windows Server, version 1803 (Server Core Installation) 4467702 (Security Update) Important Information Disclosure Yes

Patches

7 patches
Article Type Restart
4073065 Update history Yes
4467680 Security Update Yes
4467691 Security Update Yes
4467696 Security Update Yes
4467686 Security Update Yes
4467702 Security Update Yes
4467708 Security Update Yes

Known Exploits

Acknowledgments

Jann Horn of Google Project Zero
Ken Johnson of Microsoft Corporation