History: May 15, 2019 - 12:00 a.m.

K97035296 : Microarchitectural Load Port Data Sampling - Information Leak (MLPDS) CVE-2018-12127

my.f5.com

AI Score: 6.4 (Confidence: High)

EPSS: 0.001 (Percentile: 33.3%)

Security Advisory Description

Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2018-12127)

Impact

MDS vulnerabilities are exploitable by malicious non-privileged user space applications running on hosts or guests, or by malicious guest operating systems. They require an attacker who can provide and run binary code of their choosing on the BIG-IP platform. CPU hardware may allow this unprivileged code running on a CPU core to infer the value of memory data belonging to other processes, virtual machines, or the hypervisor recently running on the same CPU core. The MDS vulnerability does not allow the attacker to control the memory target address; impact is purely sample-based.

Currently, BIG-IP does not check the integrity of user space applications. However, the attacker must have authorized access to the system in one of the privileged roles to even attempt to exploit the vulnerabilities. These conditions severely restrict the exposure risk of BIG-IP products.

For single-tenancy products, such as a standalone BIG-IP system, or multi-tenancy environments (Cloud/VE/vCMP), the risk is limited to a local untrusted application or untrusted guest accessing memory outside its own user space on a sample basis.

The following F5 hardware platforms are vulnerable to CVE-2018-12127:

Note: Only one entry displays for platform models that may have several variants. For example, BIG-IP i2600 and BIG-IP i2800 are both included as BIG-IP i2x00 series.

  • BIG-IP 10xx0 series
  • BIG-IP 12xx0 series
  • VIPRION B2250
  • VIPRION B44x0N
  • BIG-IP i2x00 series
  • BIG-IP i4x00 series
  • BIG-IP i5x00 series
  • BIG-IP i7x00 series
  • BIG-IP i10x00 series
  • BIG-IP i11x00 series
  • BIG-IP i15x00 series
  • Enterprise Manager 4000
  • BIG-IQ 7000
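
The following is an added example, not part of the F5 advisory: it triages a device inventory against the platform entries listed above, anchoring each match so that a model such as i15800 is attributed to the i15x00 series and not to i5x00. It assumes each `x` between digits stands for exactly one digit; the hostnames and inventory models are constructed, and a result of `None` means "no exact match, review manually", not "not affected".

```python
import re

# Platform entries exactly as listed in the advisory for CVE-2018-12127.
ADVISORY_ENTRIES = [
    "BIG-IP 10xx0 series", "BIG-IP 12xx0 series", "VIPRION B2250",
    "VIPRION B44x0N", "BIG-IP i2x00 series", "BIG-IP i4x00 series",
    "BIG-IP i5x00 series", "BIG-IP i7x00 series", "BIG-IP i10x00 series",
    "BIG-IP i11x00 series", "BIG-IP i15x00 series",
    "Enterprise Manager 4000", "BIG-IQ 7000",
]

def entry_to_regex(entry):
    """Turn one advisory entry into a case-insensitive pattern for full matching.

    Assumption (not stated by the advisory): every 'x' sitting between
    digits is a placeholder for exactly one digit.
    """
    name = re.sub(r"\s+series$", "", entry.strip())
    tokens = []
    for token in name.split():
        escaped = re.escape(token)
        # Replace each run of placeholder x's with the same number of \d.
        escaped = re.sub(r"(?<=\d)x+(?=\d)",
                         lambda m: r"\d" * len(m.group(0)), escaped)
        tokens.append(escaped)
    return re.compile(r"\s+".join(tokens), re.IGNORECASE)

PATTERNS = [(entry, entry_to_regex(entry)) for entry in ADVISORY_ENTRIES]

def match_model(model):
    """Return the advisory entry covering `model`, or None if none matches."""
    normalized = " ".join(model.split())
    for entry, pattern in PATTERNS:
        if pattern.fullmatch(normalized):  # whole string, never a substring
            return entry
    return None

def triage(inventory):
    """Map each host to the matching advisory entry (None = manual review)."""
    return {host: match_model(model) for host, model in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"lb-edge-01": "BIG-IP i2600", "lb-edge-02": "BIG-IP i15800",
              "lb-core-01": "viprion  b4450n", "lb-lab-01": "BIG-IP i25600"}
    for host, entry in triage(sample).items():
        print(f"{host}: {entry or 'no exact match, review manually'}")
```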