CVE-2020-8694
Published: 10 November 2020
Insufficient access control in the Linux kernel driver for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.
From the Ubuntu Security Team
Moritz Lipp, Michael Schwarz, Andreas Kogler, David Oswald, Catherine Easdon, Claudio Canella, and Daniel Gruss discovered that the Intel Running Average Power Limit (RAPL) driver in the Linux kernel did not properly restrict access to power data. A local attacker could possibly use this to expose sensitive information.
Notes
Author | Note |
---|---|
sbeattie | fix will be to adjust the access control bits on the RAPL sysfs files. |
Mitigation
Restrict permissions on the affected sysfs entries: $ sudo find /sys/devices/virtual/powercap/ -name energy_uj -exec chmod 400 {} \;
Priority
Status
Package | Release | Status |
---|---|---|
linux Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-123.126)
|
eoan |
Ignored
(end of life)
|
|
focal |
Released
(5.4.0-53.59)
|
|
groovy |
Released
(5.8.0-28.30)
|
|
trusty |
Released
(3.13.0-183.234)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Released
(4.4.0-194.226)
|
|
Patches: Introduced by 2d281d8196e38dd3a4ee9af26621ddde8329f269 |
||
linux-aws Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
eoan |
Ignored
(end of life)
|
|
focal |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
|
groovy |
Released
(5.8.0-1013.14)
|
|
trusty |
Ignored
(was needs-triage ESM criteria)
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
|
linux-aws-5.0 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-aws-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-aws-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-aws-hwe Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
|
linux-azure Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Ignored
(end of life)
|
|
focal |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
|
groovy |
Released
(5.8.0-1012.13)
|
|
trusty |
Ignored
(was needs-triage ESM criteria)
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
|
linux-azure-4.15 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-azure-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-azure-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-azure-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gcp Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Ignored
(end of life)
|
|
focal |
Released
(5.4.0-1029.31)
|
|
groovy |
Released
(5.8.0-1011.11)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Released
(4.15.0-1087.100~16.04.1)
|
|
linux-gcp-4.15 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1087.100)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gcp-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gcp-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-1029.31~18.04.1)
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gcp-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gke-4.15 Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1073.78)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gke-5.0 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1050.52)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gke-5.3 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-1039.42)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gke-5.4 Launchpad, Ubuntu, Debian |
bionic |
Pending
(5.4.0-1029.31~18.04.1)
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-gkeop-5.4 Launchpad, Ubuntu, Debian |
bionic |
Pending
(5.4.0-1004.5)
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-hwe Launchpad, Ubuntu, Debian |
bionic |
Released
(5.3.0-69.65)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Released
(4.15.0-123.126~16.04.1)
|
|
linux-hwe-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-53.59~18.04.1)
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-hwe-5.8 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Pending
(5.8.0-28.30~20.04.1)
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Ignored
(end of life, was needs-triage)
|
|
linux-kvm Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
eoan |
Ignored
(end of life)
|
|
focal |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
|
groovy |
Released
(5.8.0-1009.10)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Not vulnerable
(# CONFIG_POWERCAP is not set)
|
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Released
(4.4.0-194.226~14.04.1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-oem Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1101.112)
|
eoan |
Ignored
(end of life)
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Ignored
(end of standard support, was needs-triage)
|
|
linux-oem-5.6 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Released
(5.6.0-1033.35)
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-oem-osp1 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.0.0-1071.77)
|
eoan |
Ignored
(end of life)
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-oracle Launchpad, Ubuntu, Debian |
bionic |
Released
(4.15.0-1058.64)
|
eoan |
Ignored
(end of life)
|
|
focal |
Released
(5.4.0-1029.31)
|
|
groovy |
Released
(5.8.0-1010.10)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Released
(4.15.0-1058.64~16.04.1)
|
|
linux-oracle-5.0 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-oracle-5.3 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of life, was needs-triage)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-oracle-5.4 Launchpad, Ubuntu, Debian |
bionic |
Released
(5.4.0-1029.31~18.04.1)
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-raspi Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
|
|
groovy |
Released
(5.8.0-1007.10)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-raspi-5.4 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
|
eoan |
Ignored
(end of life)
|
|
focal |
Ignored
(end of life, was needs-triage)
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
|
|
linux-raspi2-5.3 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-riscv Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
eoan |
Does not exist
|
|
focal |
Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
|
|
groovy |
Released
(5.8.0-8.9)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Does not exist
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(5.10~rc4)
|
|
xenial |
Not vulnerable
(# CONFIG_INTEL_RAPL is not set)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.6 |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | None |
Scope | Changed |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
References
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
- https://platypusattack.com/
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Platypus
- https://ubuntu.com/security/notices/USN-4626-1
- https://ubuntu.com/security/notices/USN-4627-1
- https://www.cve.org/CVERecord?id=CVE-2020-8694
- NVD
- Launchpad
- Debian