Microsoft has released multiple patches addressing a number of vulnerabilities recently discovered in some popular Intel CPUs.
The out-of-band updates addressed a total of four vulnerabilities, cumulatively described as “Memory Mapped I/O STale Data (MMIO) information disclosure flaws.
In other words, a threat actor could use a flaw in a virtual machine to access (sensitive) data in a different virtual machine.
Accessing sensitive data
The vulnerabilities are being tracked as CVE-2022-21123 (Shared Buffer Data Read), CVE-2022-21125 (Shared Buffer Data Sampling), CVE-2022-21127 (Special Register Buffer Data Sampling Update), and CVE-2022-21166 (Device Register Partial Write).
“An attacker who successfully exploited these vulnerabilities might be able to read privileged data across trust boundaries,” Microsoft said in a follow-up advisory.
“In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.”
Microsoft also said that besides mitigations for Windows Server 2019 and Windows Server 2022, no patches were ever released. Now, the Redmond giant took matters into its own hands. However, according to BleepingComputer, the set of updates for Windows 10, Windows 11, and Windows Server, seem to be “somewhat confusing”: “From the support bulletins, it is unclear if they are new Intel microcodes or other mitigations that will be applied to devices,” the publication explained.
To apply the patches, users need to download them to their endpoints (opens in new tab) manually from the Microsoft Update Catalog. These are the labels:
- KB5019180 – Windows 10, version 20H2, 21H2, and 22H2
- KB5019177 – Windows 11, version 21H2
- KB5019178 – Windows 11, version 22H2
- KB5019182 – Windows Server 2016
- KB5019181 – Windows Server 2019
- KB5019106 – Windows Server 2022
Updates should be applied with caution, the publication added, as they can cause performance issues and might even be ineffective without disabling Intel Hyper-Threading Technology.
Via: BleepingComputer (opens in new tab)