Vulnerability CVE-2018-3615 - CERT Civis.Net

Vulnerability Name:

CVE-2018-3615 (CCN-148320)

Assigned:

2017-12-28

Published:

2018-08-14

Updated:

2020-08-24

Summary:

Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.

CVSS v3 Severity:

6.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N)
5.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): Low Availibility (A): None

7.9 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
6.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Partial Availibility (A): None

5.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2018-3615

Source: CONFIRM
Type: Third Party Advisory
http://support.lenovo.com/us/en/solutions/LEN-24163

Source: CONFIRM
Type: Third Party Advisory
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180815-01-cpu-en

Source: CCN
Type: IBM Security Bulletin 0739855 (Cloud Private)
Multiple Security Vulnerabilities affect IBM Cloud Private Cloud Foundry (CVE-2018-3646, CVE-2018-3615, CVE-2018-3620)

Source: CCN
Type: IBM Security Bulletin 794637 (PureApplication Service)
Multiple Foreshadow Spectre Variant vulnerabilities affect IBM OS Image for Red Hat Linux Systems in IBM PureApplication System (CVE-2018-3615 CVE-2018-3620 CVE-2018-3646)

Source: CCN
Type: US-CERT VU#982149
Intel processors are vulnerable to level 1 terminal fault (L1TF) cache information disclosure via speculative execution side channel

Source: BID
Type: Third Party Advisory, VDB Entry
105080

Source: CCN
Type: BID-105080
Multiple Intel Processors Side Channel Attack Multiple Information Disclosure Vulnerabilities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1041451

Source: CONFIRM
Type: UNKNOWN
https://cert-portal.siemens.com/productcert/pdf/ssa-254686.pdf

Source: CONFIRM
Type: UNKNOWN
https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf

Source: XF
Type: UNKNOWN
intel-cve20183615-info-disc(148320)

Source: MISC
Type: Technical Description, Third Party Advisory
https://foreshadowattack.eu/

Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20180916 [SECURITY] [DLA 1506-1] intel-microcode security update

Source: CONFIRM
Type: Third Party Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0008

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20180815-0001/

Source: CONFIRM
Type: Mitigation, Vendor Advisory
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault

Source: CONFIRM
Type: Third Party Advisory
https://support.f5.com/csp/article/K35558453

Source: CONFIRM
Type: Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03874en_us

Source: CCN
Type: Cisco Security Advisory cisco-sa-20180814-cpusidechannel
CPU Side-Channel Information Disclosure Vulnerabilities: August 2018

Source: CISCO
Type: Third Party Advisory
20180814 CPU Side-Channel Information Disclosure Vulnerabilities: August 2018

Source: CCN
Type: IBM Security Bulletin 733897 (API Connect)
IBM API Connect is affected by Foreshadow Spectre Variant vulnerability (CVE-2018-3646 CVE-2018-3615 CVE-2018-3620)

Source: CCN
Type: INTEL-SA-00161
Q3 2018 Speculative Execution Side Channel Update

Source: CONFIRM
Type: Vendor Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html

Source: CERT-VN
Type: Third Party Advisory
VU#982149

Source: CONFIRM
Type: Third Party Advisory
https://www.synology.com/support/security/Synology_SA_18_45

Vulnerable Configuration:

Configuration 1:

cpe:/h:intel:core_i3:6006u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6098p:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6100:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6100e:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6100h:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6100t:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6100te:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6100u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6102e:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6157u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6167u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6300:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6300t:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:6320:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:650:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:655k:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:660:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:661:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:670:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:680:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6200u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6260u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6267u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6287u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6300hq:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6300u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6350hq:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6360u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6400:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6400t:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6402p:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6440eq:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6440hq:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6442eq:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6500:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6500t:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6500te:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6585r:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6600:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6600k:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6600t:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:6685r:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:610e:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:620le:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:620lm:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:620m:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:620ue:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:620um:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:640lm:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:640m:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:640um:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:660lm:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:660ue:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:660um:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:680um:*:*:*:*:*:*:*

Configuration 2:

cpe:/h:intel:core_i5:750:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:750s:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:760:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7y75:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:720qm:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:740qm:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7500u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7560u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7567u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7600u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7660u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7700:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7700hq:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7700k:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7700t:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7820eq:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7820hk:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7820hq:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:7920hq:*:*:*:*:*:*:*

Configuration 3:

cpe:/h:intel:core_i3:8100:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i3:8350k:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:8250u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:8350u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:8400:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:8600k:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:820qm:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:840qm:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:860:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:860s:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:870:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:870s:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:875k:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:880:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:8550u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:8650u:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:8700:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:8700k:*:*:*:*:*:*:*

Configuration 4:

cpe:/h:intel:xeon_e3:1515m_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1535m_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1545m_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1558l_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1565l_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1575m_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1578l_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1585_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1585l_v5:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1220_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1225_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1230_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1235l_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1240_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1240l_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1245_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1260l_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1268l_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1270_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1275_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1280_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1505l_v5:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1505m_v5:-:*:*:*:*:*:*:*

Configuration 5:

cpe:/h:intel:xeon_e3:1505m_v6:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3:1535m_v6:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1220_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1225_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1230_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1240_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1245_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1270_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1275_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1280_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1285_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1501l_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1501m_v6:-:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_e3_1505l_v6:-:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/h:intel:core_i3:*:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i5:*:*:*:*:*:*:*:*

OR cpe:/h:intel:core_i7:*:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_3400:*:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_7500:*:*:*:*:*:*:*:*

OR cpe:/h:intel:xeon_5600:*:*:*:*:*:*:*:*

AND

cpe:/a:ibm:api_connect:5.0.8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:api_connect:5.0.8.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.1.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:20183615000	V	CVE-2018-3615 on Ubuntu 18.04 LTS (bionic) - medium.	2018-08-14
oval:com.ubuntu.xenial:def:201836150000000	V	CVE-2018-3615 on Ubuntu 16.04 LTS (xenial) - medium.	2018-08-14
oval:com.ubuntu.trusty:def:20183615000	V	CVE-2018-3615 on Ubuntu 14.04 LTS (trusty) - medium.	2018-08-14
oval:com.ubuntu.xenial:def:20183615000	V	CVE-2018-3615 on Ubuntu 16.04 LTS (xenial) - medium.	2018-08-14
oval:com.ubuntu.bionic:def:201836150000000	V	CVE-2018-3615 on Ubuntu 18.04 LTS (bionic) - medium.	2018-08-14