CERT Coordination Center

CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks

Vulnerability Note VU#180049

Original Release Date: 2018-05-21 | Last Revised: 2018-06-19

Overview

CPU hardware utilizing speculative execution may be vulnerable to cache timing side-channel analysis. Two vulnerabilities are identified, known as "Variant 3a" and "Variant 4".

Description

Speculative execution is a technique used by many modern processors to improve performance by predicting which instructions may be executed based on past execution history. An attacker with local user access may be able to utilize sequences of speculative execution to perform a cache timing side-channel analysis.

CWE-208: Information Exposure Through Timing Discrepancy

CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as "Variant 4"

Systems with microprocessors that utilize speculative execution, and that speculatively execute memory reads before the addresses of all prior memory writes are known, may read an earlier value of the data. Subsequent speculative memory accesses cause allocations into the cache, which may allow a sequence of speculative loads to be used to perform timing side-channel attacks. In particular, if an attacker has control of a previously cached value, or the first store and load instructions are accesses onto the stack, an attacker may be able to control future speculative execution and access arbitrary privileged data by using less privileged code with timing side-channel analysis.

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as "Variant 3a"

Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may return a speculative register value that is then used in subsequent speculative load instructions. These subsequent speculative loads cause allocations into the cache that may allow a sequence of speculative loads to be used to perform timing side-channel attacks. An attacker with local user access may be able to use timing side-channel analysis to determine the values stored in system registers.

For more information and technical details, please see the original Project Zero bug report, Intel's security advisory INTEL-SA-00115, AMD's whitepaper, and ARM's whitepaper.

These vulnerabilities have been noted in the media for their similarity to previously-disclosed vulnerabilities: CVE-2017-5753 (Variant 1, "Spectre"), CVE-2017-5715 (Variant 2, "Spectre"), CVE-2017-5754 (Variant 3, "Meltdown"). See VU#584653 for further information.

Impact

An attacker with local user access may be able to read arbitrary privileged data or system register values by utilizing cache timing side-channel analysis.

Solution

Update system software

Affected users should check with OEM and system software vendors and apply any available updates as soon as possible. Microcode updates and other system updates are expected to be available within the coming weeks. The Vendor Status links below provide further information.
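One way to confirm that an update took effect on a Linux host, as an added example that is not part of the original note or of any vendor's tooling. It assumes a kernel that carries the Variant 4 fixes and reports its state in the sysfs file `spec_store_bypass`; the function names and verdict labels are hypothetical, the sample status lines are constructed, and Variant 3a is not covered by this check.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's self-report for
# CVE-2018-3639 (Speculative Store Bypass, "Variant 4").
# Assumption: the kernel exposes the report in the directory below.
SSB_SYSFS_DIR=/sys/devices/system/cpu/vulnerabilities

# ssb_verdict STATUS_LINE
# Prints NOT_AFFECTED, MITIGATED, OPT_IN, VULNERABLE or UNKNOWN.
# OPT_IN means the store-bypass disable is applied only to processes
# that ask for it (prctl or seccomp); everything else still runs with
# speculative store bypass enabled. Pattern order matters: the
# "via prctl" case must be tested before the generic "Mitigation:" one.
ssb_verdict() {
    case "$1" in
        "Not affected"*)             echo NOT_AFFECTED ;;
        "Mitigation: "*"via prctl"*) echo OPT_IN ;;
        "Mitigation: "*)             echo MITIGATED ;;
        "Vulnerable"*)               echo VULNERABLE ;;
        *)                           echo UNKNOWN ;;
    esac
}

# ssb_report [DIR]
# Reads DIR/spec_store_bypass (DIR defaults to the live sysfs path, so a
# snapshot collected from another host can be audited the same way).
# Exit status: 0 = nothing to do, 1 = per-process mitigation only,
# 2 = vulnerable, unrecognised, or no report at all.
ssb_report() {
    ssb_dir=${1:-$SSB_SYSFS_DIR}
    ssb_file=$ssb_dir/spec_store_bypass
    if [ ! -r "$ssb_file" ]; then
        # A missing file means the kernel cannot report on Variant 4,
        # so the update state is unconfirmed. Treat it as a failure.
        echo NO_REPORT
        return 2
    fi
    ssb_line=""
    IFS= read -r ssb_line < "$ssb_file" || true
    ssb_result=$(ssb_verdict "$ssb_line")
    echo "$ssb_result"
    case "$ssb_result" in
        NOT_AFFECTED|MITIGATED) return 0 ;;
        OPT_IN)                 return 1 ;;
        *)                      return 2 ;;
    esac
}

# Constructed sample status lines (not captured from a real host).
for ssb_sample in \
    "Not affected" \
    "Vulnerable" \
    "Mitigation: Speculative Store Bypass disabled" \
    "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"
do
    printf '%s -> %s\n' "$ssb_sample" "$(ssb_verdict "$ssb_sample")"
done

# Live check of the machine this runs on; never aborts the script.
printf 'this host -> %s\n' "$(ssb_report || true)"
```

A NO_REPORT or VULNERABLE result after patching usually means the kernel or the microcode update is still missing, which is the case the vendor advisories below address.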

Update your browser

Affected users should update to the latest version of any web browser in use. Most leading browser providers have recently deployed mitigations in their Managed Runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.

Vendor Information

AMD

Notified:  May 04, 2018 Updated:  May 23, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

AMD has released a whitepaper with further details.

Vendor References

https://www.amd.com/en/corporate/security-updates
https://developer.amd.com/wp-content/resources/124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf

Addendum

AMD was reported by researchers as having been affected: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528.

ARM Limited

Updated:  June 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability

Apple

Notified:  May 04, 2018 Updated:  June 05, 2018

Statement Date:   June 01, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see Apple's statement for more information.

Vendor References

https://support.apple.com//HT208394

Cisco

Notified:  May 21, 2018 Updated:  May 22, 2018

Statement Date:   May 22, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please find more information at Cisco Security Advisory 20180521.

Vendor References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel

Dell

Notified:  May 21, 2018 Updated:  May 21, 2018

Statement Date:   May 21, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see Dell EMC's statement.

Vendor References

http://www.dell.com/support/speculative-store-bypass

Dell EMC

Notified:  May 21, 2018 Updated:  May 21, 2018

Statement Date:   May 21, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see Dell EMC's statement.

Vendor References

http://www.dell.com/support/speculative-store-bypass

Fortinet, Inc.

Notified:  May 21, 2018 Updated:  May 24, 2018

Statement Date:   May 23, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see Fortinet's advisory FG-IR-18-002 for more information.

Vendor References

https://fortiguard.com/psirt/FG-IR-18-002

HP Inc.

Notified:  May 21, 2018 Updated:  May 24, 2018

Statement Date:   May 24, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

HP has released an advisory with further details.

Vendor References

https://support.hp.com/us-en/document/c06001626

Hitachi

Notified:  May 21, 2018 Updated:  June 05, 2018

Statement Date:   June 02, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see more information at HIRT-PUB18001.

Vendor References

http://www.hitachi.com/hirt/publications/hirt-pub18001/

IBM, INC.

Notified:  May 21, 2018 Updated:  May 21, 2018

Statement Date:   May 21, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see IBM's statement for more details.

Vendor References

https://www.ibm.com/blogs/psirt/potential-impact-processors-power-family/

Intel

Notified:  May 04, 2018 Updated:  May 21, 2018

Statement Date:   May 21, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

See Intel security advisory SA-00115 for more details.

Vendor References

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Microsoft

Notified:  May 04, 2018 Updated:  May 21, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see Microsoft security advisories ADV180012 and ADV180013 for more details. Developers may also consult guidance.

Vendor References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013
https://docs.microsoft.com/en-us/cpp/security/developer-guidance-speculative-execution

QUALCOMM Incorporated

Notified:  May 21, 2018 Updated:  May 21, 2018

Statement Date:   May 21, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  May 04, 2018 Updated:  May 22, 2018

Statement Date:   May 22, 2018

Status

  Affected

Vendor Statement

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/ssbd

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://access.redhat.com/security/vulnerabilities/ssbd

SUSE Linux

Notified:  May 21, 2018 Updated:  May 22, 2018

Statement Date:   May 22, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see SUSE support document 7022937 for more details.

Vendor References

https://www.suse.com/support/kb/doc/?id=7022937

Synology

Notified:  May 21, 2018 Updated:  May 22, 2018

Statement Date:   May 22, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see Synology security advisory SA-18:23 for more information.

Vendor References

https://www.synology.com/en-global/support/security/Synology_SA_18_23

Ubuntu

Notified:  May 21, 2018 Updated:  May 21, 2018

Statement Date:   May 22, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see the Ubuntu Security Team KnowledgeBase article for more details.

Vendor References

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/Variant4

VMware

Notified:  May 04, 2018 Updated:  May 21, 2018

Statement Date:   May 21, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see VMware Article 54951 for further details.

Vendor References

https://kb.vmware.com/s/article/54951

Amazon

Notified:  May 04, 2018 Updated:  May 23, 2018

Statement Date:   May 22, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see Amazon's statement for more details.

Vendor References

https://aws.amazon.com/security/security-bulletins/AWS-2018-015/

ASP Linux

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Acer

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AirWatch

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alpine Linux

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Android Open Source Project

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arista Networks, Inc.

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AsusTek Computer Inc.

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Barnes and Noble

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

BlackBerry

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Blunk Microsystems

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CMX Systems

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CentOS

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Citrix

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Contiki OS

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CoreOS

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cricket Wireless

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Debian GNU/Linux

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Dell SecureWorks

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ENEA

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Express Logic

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

FreeBSD Project

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fujitsu

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

GIGABYTE

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Geexbox

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  May 04, 2018 Updated:  May 04, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

HTC

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

HardenedBSD

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

HomeSeer

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation (zseries)

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Global Services

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM eServer

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Illumos

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Joyent

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Kyocera Communications

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

LG Electronics

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Lenovo

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Linux Kernel

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Lynx Software Technologies

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Micro Focus

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

MontaVista Software, Inc.

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Mozilla

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NVIDIA

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nexenta

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenIndiana

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Pantech North America

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Rocket RTOS

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Roku

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Samsung Mobile

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SonicWall

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

The Open Group

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Tizen

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Toshiba America Information Systems, Inc.

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Trend Micro

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TrueOS

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Xen

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Xiaomi

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Xilinx

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Zephyr Project

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

eCosCentric

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  May 21, 2018 Updated:  May 21, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 4.4 AV:L/AC:M/Au:S/C:C/I:N/A:N
Temporal 3.4 E:POC/RL:OF/RC:C
Environmental 3.4 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

Credit

Intel would like to acknowledge and thank Jann Horn of Google Project Zero (GPZ) and Ken Johnson of the Microsoft Security Response Center (MSRC) for independently reporting CVE-2018-3639. Intel would like to acknowledge and thank Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG (https://sysgo.com) for reporting CVE-2018-3640. Intel would also like to acknowledge and thank Innokentiy Sennovskiy from BiZone LLC (bi.zone).

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2018-3639, CVE-2018-3640
Date Public: 2018-05-21
Date First Published: 2018-05-21
Date Last Updated: 2018-06-19 15:17 UTC
Document Revision: 95

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.