4.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
15.7%
Severity: Medium
Date : 2020-11-10
CVE-ID : CVE-2020-8694 CVE-2020-25704
Package : linux-hardened
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-1269
The package linux-hardened before version 5.9.8.a-1 is vulnerable to
multiple issues including denial of service and information disclosure.
Upgrade to 5.9.8.a-1.
The problems have been fixed upstream in version 5.9.8.a.
A temporary measure would be to remove the ability for non-root users
to read the current RAPL energy reporting metrics.
This can be done with the command:
This mitigation will only work on the current boot and will need to be
reapplied at each system boot to remain in effect.
An information disclosure flaw was found in the Linux kernel’s Intel
Running Average Power Limit (RAPL) implementation. A local non-
privileged attacker could infer secrets by measuring power usage and
also infer private data by observing the power usage of calculations
performed on the data.
A memory leak has been found in the perf_event_parse_addr_filter
function of Linux before 5.9.7, leading to a denial of service.
A local attacker might be able to exhaust the memory available on the
system, causing a denial of service, or access sensitive information by
observing the power usage.
https://www.openwall.com/lists/oss-security/2020/11/09/1
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=7bdb157cdebbf95a1cd94ed2e01b338714075d00
https://www.openwall.com/lists/oss-security/2020/11/10/5
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71
https://platypusattack.com/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
https://github.com/anthraxx/linux-hardened/commit/b72aaa9506b38e68f3476a642d0e42b3071f82bb
https://security.archlinux.org/CVE-2020-8694
https://security.archlinux.org/CVE-2020-25704
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | linux-hardened | < 5.9.8.a-1 | UNKNOWN |
git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=7bdb157cdebbf95a1cd94ed2e01b338714075d00
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71
github.com/anthraxx/linux-hardened/commit/b72aaa9506b38e68f3476a642d0e42b3071f82bb
platypusattack.com/
security.archlinux.org/AVG-1269
security.archlinux.org/CVE-2020-25704
security.archlinux.org/CVE-2020-8694
www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
www.openwall.com/lists/oss-security/2020/11/09/1
www.openwall.com/lists/oss-security/2020/11/10/5
4.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
15.7%