Severity
Medium
Analysis Summary
CVE-2019-11135 – TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
The flaw affecting the Processor Diagnostic Tool is tracked as ZombieLoad Variant 2, tracked as CVE-2019-11135, is related to Intel’s Transactional Synchronization Extensions (TSX), which is designed to improve performance for multi-threaded software. ZombieLoad Variant 2, which Intel has described as a Transactional Asynchronous Abort (TAA) vulnerability, affects all CPUs that support TSX and have the TAA_NO bit set to 0. ZombieLoad Variant 2 also works against Intel Xeon Gold server processors with Cascade Lake microarchitecture and Core i9 processors with Coffee Lake microarchitecture. An attacker who has access to a system running the tool can exploit the vulnerability to escalate privileges, obtain information, or cause a denial-of-service (DoS) condition.
Impact
- Information Disclosure
- Privilege Escalation
- Denial of Service
Affected Vendors
Intel
Affected Products
- 8th Generation Intel® Core™ Processors
- 10th Generation Intel® Core™ Processor Family
- Intel® Pentium® Gold Processor Series
- Intel® Celeron® Processor 5000 Series
- Intel® Xeon® Processor E Family
- 9th Generation Intel® Core™ Processor Family
- Intel® Xeon® W Processor Family
- 2nd Generation Intel® Xeon® Scalable Processors
Remediation
- Intel recommends that users of the affected Intel® Processors listed above, update to the latest firmware version provided by the system manufacturer that addresses these issues.
- Intel recommends that users of Intel® Processor Diagnostic Tool update to version 4.1.3.35 or later.
- https://downloadcenter.intel.com/download/19792/Intel-Processor-Diagnostic-Tool