oss-sec mailing list archives
CVE-2024-21823: Intel DSA and Intel IAA advisory
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 15 May 2024 10:50:09 -0700
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01084.html was published yesterday covering OS/Hypervisor mitigations they recommend to reduce exposure to a bug in certain recent Intel CPUs. It states:
Summary:
A potential security vulnerability in some Intel® Data Streaming Accelerator (Intel® DSA) and Intel® Analytics Accelerator (Intel® IAA) V1.0 for some Intel® 4th or 5th generation Xeon® processors may allow denial of service. Intel is releasing prescriptive guidance and software updates to mitigate this potential vulnerability.

Vulnerability Details:
CVEID: CVE-2024-21823
Description: Hardware logic with insecure de-synchronization in Intel® DSA and Intel® IAA for some Intel® 4th or 5th generation Xeon® processors may allow an authorized user to potentially enable denial of service via local access.
CVSS Base Score: 6.4 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H

Recommendation:
Intel recommends following the steps below to address these issues:

Restrict untrusted usage of Intel® DSA/IAA devices on impacted Intel® 4th Generation and 5th Generation Xeon® scalable processors, from VM guest or 3rd party application.

Intel has worked with the OS vendor to provide an updated Kernel to disallow direct access to Intel® DSA and IAA v1.0 devices by untrusted software. Intel recommends using the upstream or LTS Linux kernel with the updated driver containing mitigations. Please contact your OS vendor for updates.

In addition, Intel is publishing the following libraries for the updated Kernel version and recommends updating the following:

- Intel® DSA Transparent Offload Library (DTO) to version 1.1 or later. Updates are available for download at this location: https://github.com/intel/DTO
- OFI Libfabric Shared Memory Provider to version 1.21.1 or later. Updates are available for download at this location: https://github.com/ofiwg/libfabric/releases
- Intel® MPI Library before version October 2024 later. The library will be updated for Intel OneAPI in October 2024.
- Intel® Data Mover Library (DML) before version v1.2.0 or later. Updates are available for download at this location: https://github.com/intel/DML
- Intel® Query Processing Library (QPL) before version v1.6.0. Updates are available for download at this location: https://github.com/intel/qpl
- SPDK DSA Driver before version v24.9. Updates are available for download at this location: https://github.com/spdk/spdk
[Further details, including a table of affected hardware, are in their advisory.]

https://bugzilla.redhat.com/show_bug.cgi?id=2278989 notes:
The fix went public today in Linus' tree with the following commits:

95feb3160eef ("VFIO: Add the SPR_DSA and SPR_IAX devices to the denylist")
e11452eb071b ("dmaengine: idxd: add a new security check to deal with a hardware erratum")
6827738dc684 ("dmaengine: idxd: add a write() method for applications to submit work")
I don't know if any other open source kernels or hypervisors support this hardware yet - if so, they will presumably need to publish equivalent mitigations.

--
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
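An added example, not part of the original message or of Intel's advisory: a shell function that audits a Linux host for DSA/IAA v1.0 PCI functions and flags any bound to vfio-pci, the passthrough exposure that the VFIO denylist commit above closes. The PCI IDs 8086:0b25 and 8086:0cfe and the vfio-pci `disable_denylist` parameter come from the upstream kernel and are assumptions relative to this page.

```shell
#!/bin/sh
# Added example: report Intel DSA/IAA v1.0 PCI functions and their bound driver.
# Assumptions (from the upstream kernel, not from this page): PCI IDs
# 8086:0b25 (DSA) and 8086:0cfe (IAA/IAX), and the vfio-pci module parameter
# "disable_denylist". The sysfs root is an argument so a test tree can be used.
# Usage: audit_idxd            # scans /sys; status 1 means something to review

audit_idxd() {
    root="${1:-/sys}"
    flagged=0
    for dev in "$root"/bus/pci/devices/*; do
        [ -r "$dev/vendor" ] && [ -r "$dev/device" ] || continue
        [ "$(cat "$dev/vendor")" = "0x8086" ] || continue
        case "$(cat "$dev/device")" in
            0x0b25) kind="DSA" ;;
            0x0cfe) kind="IAA" ;;
            *) continue ;;
        esac
        # The "driver" symlink exists only while a driver is bound.
        if [ -L "$dev/driver" ]; then
            driver=$(basename "$(readlink "$dev/driver")")
        else
            driver="none"
        fi
        case "$driver" in
            vfio-pci)
                status="REVIEW: bound for passthrough to a guest or userspace"
                flagged=$((flagged + 1)) ;;
            idxd) status="host idxd driver; confirm the kernel carries the fixes" ;;
            *)    status="not bound to idxd or vfio-pci" ;;
        esac
        printf '%s %s driver=%s %s\n' "$(basename "$dev")" "$kind" "$driver" "$status"
    done
    # A fixed kernel refuses vfio-pci binding unless the denylist is overridden.
    param="$root/module/vfio_pci/parameters/disable_denylist"
    if [ -r "$param" ] && [ "$(cat "$param")" = "Y" ]; then
        echo "vfio-pci disable_denylist=Y: REVIEW, denylist is overridden"
        flagged=$((flagged + 1))
    fi
    [ "$flagged" -eq 0 ]
}
```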