CVE-2020-12912 - OpenCVE

A potential vulnerability in the AMD extension to Linux "hwmon" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Amd	Energy Driver For Linux

Configuration 1 [-]

cpe:2.3:a:amd:energy_driver_for_linux:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2020-12912
https://support.lenovo.com/lu/uk/product_security/LEN-50481
https://www.amd.com/en/corporate/product-security
https://www.cve.org/CVERecord?id=CVE-2020-12912
https://www.cybersecurity-help.cz/vdb/SB2020111118

History

No history.

MITRE

Status: PUBLISHED

Assigner: AMD

Published: 2020-11-12T19:08:57

Updated: 2024-08-04T12:11:18.792Z

Reserved: 2020-05-15T00:00:00

Link: CVE-2020-12912

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-12T20:15:15.127

Modified: 2020-12-03T02:12:21.303

Link: CVE-2020-12912

Redhat

Severity : Moderate

Publid Date: 2020-11-12T17:00:00Z

Links: CVE-2020-12912 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "AMD extension to Linux \"hwmon\" for Zen1 platforms", "vendor": "n/a", "versions": [{"status": "affected", "version": "Each Linux distro determines its own version."}]}], "descriptions": [{"lang": "en", "value": "A potential vulnerability in the AMD extension to Linux \"hwmon\" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-749", "description": "CWE-749: Exposed Dangerous Method or Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-11-12T19:08:57", "orgId": "b58fc414-a1e4-4f92-9d70-1add41838648", "shortName": "AMD"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.amd.com/en/corporate/product-security"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@amd.com", "ID": "CVE-2020-12912", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "AMD extension to Linux \"hwmon\" for Zen1 platforms", "version": {"version_data": [{"version_value": "Each Linux distro determines its own version."}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A potential vulnerability in the AMD extension to Linux \"hwmon\" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-749: Exposed Dangerous Method or Function"}]}]}, "references": {"reference_data": [{"name": "https://www.amd.com/en/corporate/product-security", "refsource": "MISC", "url": "https://www.amd.com/en/corporate/product-security"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:11:18.792Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.amd.com/en/corporate/product-security"}]}]}, "cveMetadata": {"assignerOrgId": "b58fc414-a1e4-4f92-9d70-1add41838648", "assignerShortName": "AMD", "cveId": "CVE-2020-12912", "datePublished": "2020-11-12T19:08:57", "dateReserved": "2020-05-15T00:00:00", "dateUpdated": "2024-08-04T12:11:18.792Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amd:energy_driver_for_linux:*:*:*:*:*:*:*:*", "matchCriteriaId": "06484815-E80E-42E3-9350-BB04B56AC658", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A potential vulnerability in the AMD extension to Linux \"hwmon\" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access."}, {"lang": "es", "value": "Una vulnerabilidad potencial en la extensi\u00f3n de AMD para el servicio \"hwmon\" de Linux puede permitir a un atacante utilizar la interfaz RAPL (Running Average Power Limit) basada en Linux para mostrar varios ataques de canal lateral. De acuerdo con los socios de la industria, AMD ha actualizado la interfaz RAPL para requerir acceso privilegiado"}], "id": "CVE-2020-12912", "lastModified": "2020-12-03T02:12:21.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-12T20:15:15.127", "references": [{"source": "psirt@amd.com", "tags": ["Vendor Advisory"], "url": "https://www.amd.com/en/corporate/product-security"}], "sourceIdentifier": "psirt@amd.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-749"}], "source": "psirt@amd.com", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: unprivileged access to RAPL allows for side channel attacks", "id": "1897402", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1897402"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-266->CWE-276", "details": ["A potential vulnerability in the AMD extension to Linux \"hwmon\" service may allow an attacker to use the Linux-based Running Average Power Limit (RAPL) interface to show various side channel attacks. In line with industry partners, AMD has updated the RAPL interface to require privileged access.", "A flaw was found in the Linux kernel\u2019s implementation of RAPL for AMD CPUs. This flaw allows a user with a local account to use the RAPL interface to gain information on the CPU execution state, resulting in an information leak of sensitive data across security boundaries. The highest threat from this vulnerability is to confidentiality."], "name": "CVE-2020-12912", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-alt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:2", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise MRG 2"}], "public_date": "2020-11-12T17:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-12912\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12912\nhttps://support.lenovo.com/lu/uk/product_security/LEN-50481\nhttps://www.amd.com/en/corporate/product-security\nhttps://www.cybersecurity-help.cz/vdb/SB2020111118"], "threat_severity": "Moderate"}