BDU:2022-06850

Опубликовано: 11 авг. 2022

Источник: fstec

CVSS3: 5.6

CVSS2: 3.8

EPSS Низкий

Описание

Уязвимость реализации механизма Indirect Branch Prediction Barrier (IBPB) микропрограммного обеспечения процессоров AMD связана с некорректной очисткой стека RAS (Return Address Stack). Эксплуатация уязвимости может позволить нарушителю получить несанкционированный доступ к защищаемой информации, используя побочный канал

Вендор

Microsoft Corp

Red Hat Inc.

Novell Inc.

Advanced Micro Devices Inc.

The Linux Foundation

АО "НППКТ"

Наименование ПО

Windows 7 Service Pack 1

Windows Server 2008 Service Pack 2

Windows 8.1

Windows Server 2012

Windows Server 2012 R2

Windows Server 2008 R2 Service Pack 1

Windows 10

Windows 10 1607

Red Hat Enterprise Linux

Windows Server 2016

Windows RT 8.1

Windows Server 2008 Service Pack 2 (Server Core Installation)

Windows Server 2012 R2 (Server Core installation)

Windows Server 2016 (Server Core installation)

Windows Server 2008 R2 Service Pack 1 (Server Core installation)

Windows 10 1809

Windows Server 2019

Windows Server 2019 (Server Core installation)

SUSE Linux Enterprise Server for SAP Applications

Suse Linux Enterprise Server

SUSE Enterprise Storage

SUSE OpenStack Cloud

SUSE OpenStack Cloud Crowbar

SUSE Linux Enterprise High Performance Computing

SUSE CaaS Platform

Windows 10 20H2

SUSE Linux Enterprise Module for Basesystem

Windows 10 21H1

SUSE Linux Enterprise Module for Server Applications

Windows Server 2022

Windows Server 2022 (Server Core installation)

Windows 11

Windows 10 21H2

SUSE Manager Proxy

SUSE Manager Server

Suse Linux Enterprise Desktop

SUSE Linux Enterprise Micro

SUSE Manager Retail Branch Server

1st Gen AMD EPYC

2nd Gen AMD EPYC

3rd Gen AMD EPYC

AMD Ryzen 2000 series Desktop

AMD Ryzen 3000 Series Desktop

AMD Ryzen 4000 Series Desktop processors with Radeon graphics

2nd Gen AMD Ryzen Threadripper

3rd Gen AMD Ryzen Threadripper

AMD Ryzen Threadripper PRO processors

AMD Athlon 3000 Series Mobile processors with Radeon graphics

AMD Ryzen 2000 Series Mobile processor

2nd Gen AMD Ryzen Mobile processor with Radeon graphics

AMD Ryzen 3000 Series Mobile processor with Radeon graphics

AMD Ryzen 4000 Series Mobile processors with Radeon graphics

AMD Ryzen 5000 Series Mobile processor with Radeon graphics

AMD Athlon Mobile processor with Radeon graphics

AMD Athlon X4 processor

SUSE Linux Enterprise Server Business Critical Linux

Windows 11 22H2

Windows 10 22H2

Xen

ОСОН ОСнова Оnyx

Windows Server 2012 (Server Core installation)

Версия ПО

- (Windows 7 Service Pack 1)

- (Windows Server 2008 Service Pack 2)

- (Windows 7 Service Pack 1)

- (Windows 8.1)

- (Windows Server 2008 Service Pack 2)

- (Windows Server 2012)

- (Windows Server 2012 R2)

- (Windows Server 2008 R2 Service Pack 1)

- (Windows 10)

- (Windows 10 1607)

7 (Red Hat Enterprise Linux)

- (Windows Server 2016)

- (Windows RT 8.1)

- (Windows Server 2008 Service Pack 2 (Server Core Installation))

- (Windows Server 2012 R2 (Server Core installation))

- (Windows Server 2016 (Server Core installation))

- (Windows Server 2008 R2 Service Pack 1 (Server Core installation))

- (Windows 10 1809)

- (Windows Server 2019)

- (Windows Server 2019 (Server Core installation))

- (Windows 10 1809)

12 SP4 (SUSE Linux Enterprise Server for SAP Applications)

8 (Red Hat Enterprise Linux)

12 SP2-BCL (Suse Linux Enterprise Server)

15 (SUSE Linux Enterprise Server for SAP Applications)

15 SP1 (SUSE Linux Enterprise Server for SAP Applications)

12 SP3-BCL (Suse Linux Enterprise Server)

12 SP5 (Suse Linux Enterprise Server)

12 SP5 (SUSE Linux Enterprise Server for SAP Applications)

6 (SUSE Enterprise Storage)

9 (SUSE OpenStack Cloud)

9 (SUSE OpenStack Cloud Crowbar)

12 SP5 (SUSE Linux Enterprise High Performance Computing)

15-LTSS (SUSE Linux Enterprise High Performance Computing)

15-LTSS (Suse Linux Enterprise Server)

12 SP4-ESPOS (Suse Linux Enterprise Server)

4.0 (SUSE CaaS Platform)

- (Windows 10 20H2)

12 SP4-LTSS (Suse Linux Enterprise Server)

15-ESPOS (Suse Linux Enterprise Server)

15 SP1-LTSS (Suse Linux Enterprise Server)

15 SP1-LTSS (SUSE Linux Enterprise High Performance Computing)

15 SP1-ESPOS (SUSE Linux Enterprise High Performance Computing)

15 SP3 (SUSE Linux Enterprise Module for Basesystem)

- (Windows 10 21H1)

15 SP3 (SUSE Linux Enterprise Module for Server Applications)

- (Windows Server 2022)

- (Windows Server 2022 (Server Core installation))

- (Windows 11)

- (Windows 10 21H2)

15 SP3 (SUSE Linux Enterprise High Performance Computing)

15 SP3 (Suse Linux Enterprise Server)

15 SP3 (SUSE Linux Enterprise Server for SAP Applications)

4.2 (SUSE Manager Proxy)

4.2 (SUSE Manager Server)

15 SP3 (Suse Linux Enterprise Desktop)

7 (SUSE Enterprise Storage)

15 SP2 (SUSE Linux Enterprise Server for SAP Applications)

4.1 (SUSE Manager Server)

4.1 (SUSE Manager Proxy)

15 SP2-ESPOS (SUSE Linux Enterprise High Performance Computing)

15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing)

5.1 (SUSE Linux Enterprise Micro)

4.1 (SUSE Manager Retail Branch Server)

15 SP4 (Suse Linux Enterprise Server)

15 SP4 (Suse Linux Enterprise Desktop)

15 SP4 (SUSE Linux Enterprise Server for SAP Applications)

- (1st Gen AMD EPYC)

- (2nd Gen AMD EPYC)

- (3rd Gen AMD EPYC)

4.2 (SUSE Manager Retail Branch Server)

5.2 (SUSE Linux Enterprise Micro)

9 (Red Hat Enterprise Linux)

15 SP2-LTSS (Suse Linux Enterprise Server)

4.3 (SUSE Manager Retail Branch Server)

4.3 (SUSE Manager Proxy)

4.3 (SUSE Manager Server)

15 SP4 (SUSE Linux Enterprise High Performance Computing)

- (AMD Ryzen 2000 series Desktop)

- (AMD Ryzen 3000 Series Desktop)

- (AMD Ryzen 4000 Series Desktop processors with Radeon graphics)

- (2nd Gen AMD Ryzen Threadripper)

- (3rd Gen AMD Ryzen Threadripper)

- (AMD Ryzen Threadripper PRO processors)

- (AMD Athlon 3000 Series Mobile processors with Radeon graphics)

- (AMD Ryzen 2000 Series Mobile processor)

- (2nd Gen AMD Ryzen Mobile processor with Radeon graphics)

- (AMD Ryzen 3000 Series Mobile processor with Radeon graphics)

- (AMD Ryzen 4000 Series Mobile processors with Radeon graphics)

- (AMD Ryzen 5000 Series Mobile processor with Radeon graphics)

- (AMD Athlon Mobile processor with Radeon graphics)

- (AMD Athlon X4 processor)

15 SP4 (SUSE Linux Enterprise Module for Server Applications)

7.1 (SUSE Enterprise Storage)

15 SP4 (SUSE Linux Enterprise Module for Basesystem)

15 SP1 (SUSE Linux Enterprise Server Business Critical Linux)

15 SP2 (SUSE Linux Enterprise Server Business Critical Linux)

- (Windows 11 22H2)

- (Windows 10 22H2)

до 4.13.1 (Xen)

от 4.16 до 4.16.1 (Xen)

от 4.15 до 4.15.1 (Xen)

от 4.14 до 4.14.1 (Xen)

5.3 (SUSE Linux Enterprise Micro)

до 2.8 (ОСОН ОСнова Оnyx)

- (Windows Server 2012 (Server Core installation))

Тип ПО

Операционная система

Прикладное ПО информационных систем

Сетевое средство

Микропрограммный код аппаратных компонент компьютера

Микропрограммный код

ПО виртуализации/ПО виртуального программно-аппаратного средства

Операционные системы и аппаратные платформы

Microsoft Corp Windows 7 Service Pack 1 -

Microsoft Corp Windows Server 2008 Service Pack 2 -

Microsoft Corp Windows 7 Service Pack 1 -

Microsoft Corp Windows 8.1 -

Microsoft Corp Windows Server 2008 Service Pack 2 -

Microsoft Corp Windows Server 2012 -

Microsoft Corp Windows Server 2012 R2 -

Microsoft Corp Windows Server 2008 R2 Service Pack 1 -

Microsoft Corp Windows 10 -

Microsoft Corp Windows 10 1607 -

Red Hat Inc. Red Hat Enterprise Linux 7

Microsoft Corp Windows Server 2016 -

Microsoft Corp Windows RT 8.1 -

Microsoft Corp Windows Server 2008 Service Pack 2 (Server Core Installation) -

Microsoft Corp Windows Server 2012 R2 (Server Core installation) -

Microsoft Corp Windows Server 2016 (Server Core installation) -

Microsoft Corp Windows Server 2008 R2 Service Pack 1 (Server Core installation) -

Microsoft Corp Windows 10 1809 -

Microsoft Corp Windows Server 2019 -

Microsoft Corp Windows Server 2019 (Server Core installation) -

Microsoft Corp Windows 10 1809 -

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4

Red Hat Inc. Red Hat Enterprise Linux 8

Novell Inc. Suse Linux Enterprise Server 12 SP2-BCL

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1

Novell Inc. Suse Linux Enterprise Server 12 SP3-BCL

Novell Inc. Suse Linux Enterprise Server 12 SP5

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5

Novell Inc. Suse Linux Enterprise Server 15-LTSS

Novell Inc. Suse Linux Enterprise Server 12 SP4-ESPOS

Microsoft Corp Windows 10 20H2 -

Novell Inc. Suse Linux Enterprise Server 12 SP4-LTSS

Novell Inc. Suse Linux Enterprise Server 15-ESPOS

Novell Inc. Suse Linux Enterprise Server 15 SP1-LTSS

Microsoft Corp Windows 10 21H1 -

Microsoft Corp Windows Server 2022 -

Microsoft Corp Windows Server 2022 (Server Core installation) -

Microsoft Corp Windows 11 -

Microsoft Corp Windows 10 21H2 -

Novell Inc. Suse Linux Enterprise Server 15 SP3

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3

Novell Inc. Suse Linux Enterprise Desktop 15 SP3

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2

Novell Inc. Suse Linux Enterprise Server 15 SP4

Novell Inc. Suse Linux Enterprise Desktop 15 SP4

Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4

Red Hat Inc. Red Hat Enterprise Linux 9

Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS

Novell Inc. SUSE Linux Enterprise Server Business Critical Linux 15 SP1

Novell Inc. SUSE Linux Enterprise Server Business Critical Linux 15 SP2

Microsoft Corp Windows 11 22H2 -

Microsoft Corp Windows 10 22H2 -

АО "НППКТ" ОСОН ОСнова Оnyx до 2.8

Microsoft Corp Windows Server 2012 (Server Core installation) -

Уровень опасности уязвимости

Низкий уровень опасности (базовая оценка CVSS 2.0 составляет 3,8)

Средний уровень опасности (базовая оценка CVSS 3.0 составляет 5,6)

Возможные меры по устранению уязвимости

Использование рекомендаций:

Для программных продуктов AMD:

https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1040

Для программных продуктов Microsoft Corp.:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23824

Для продуктов Red Hat Inc.:

https://access.redhat.com/security/cve/cve-2022-23824

Для Xen:

https://xenbits.xen.org/xsa/advisory-422.html

Для программных продуктов Novell Inc.:

https://www.suse.com/de-de/security/cve/CVE-2022-23824.html

Организационные меры:

Производитель процессоров AMD рекомендует следовать пункту MITIGATION V2-3, описанного в рекомендациях: https://www.amd.com/system/files/documents/software-techniques-for-managing-speculation.pdf

Для ОСОН ОСнова Оnyx:

Обновление программного обеспечения xen до версии 4.17.1+2-gb773c48e36-1

Статус уязвимости

Подтверждена производителем

Наличие эксплойта

Данные уточняются

Информация об устранении

Уязвимость устранена

Ссылки на источники

Идентификаторы других систем описаний уязвимостей

EPSS

Процентиль: 6%

0.00026

Низкий

5.6 Medium

CVSS3

3.8 Low

CVSS2

Связанные уязвимости

CVE-2022-23824

CVSS3: 5.5

ubuntu

почти 3 года назад

IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.

CVE-2022-23824

CVSS3: 5.6

redhat

больше 3 лет назад

IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.

CVE-2022-23824

CVSS3: 5.5

nvd

почти 3 года назад

IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets leading to a potential information disclosure.

CVE-2022-23824

msrc

почти 3 года назад

AMD: CVE-2022-23824 IBPB and Return Address Predictor Interactions

CVE-2022-23824

CVSS3: 5.5

debian

почти 3 года назад

IBPB may not prevent return branch predictions from being specified by ...

EPSS

Процентиль: 6%

0.00026

Низкий

5.6 Medium

CVSS3

3.8 Low

CVSS2