Intel November 2020 Microcode Update

Overview

Red Hat is aware of several CPU hardware flaws that affect Intel CPU hardware microarchitecture and on-board components.

Red Hat provides updated microcode, developed by our microprocessor partners, as a customer convenience. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended, as additional improvements may be available.

Background

CVE-2020-8695: Information disclosure issue in Intel SGX via RAPL interface

A vulnerability was found in Intel's implementation of RAPL (Running Average Power Limit). An attacker with a local account could query the power management functionality to intelligently infer SGX enclave computation values by measuring power usage in the RAPL subsystem.

This creates a 'power analysis' side channel, where the attacker can use the RAPL values exported to the operating system as a method to analyse the side channel without physical access.

This issue requires a microcode update. There is a related kernel update which restricts permissions on the values exported to the operating system. The microcode fix prevents SGX enclave power values from being inferred, whereas the permissions fix prevents other non-SGX values from being inferred via the side channel.

This issue has been assigned CVE-2020-8695 and is rated Moderate.

CVE-2020-8696: Vector Register Leakage-Active

A flaw was found in the Intel Advanced Vector Extensions (AVX) implementation, where a local authenticated attacker with the ability to execute AVX instructions can gather the AVX register state from previous AVX executions. This vulnerability allows information disclosure of the AVX register state.

This issue requires a microcode update.

This issue has been assigned CVE-2020-8696 and is rated Low.

CVE-2020-8698: Fast forward store predictor

A flaw was found in the CPU microarchitecture where a local attacker is able to abuse a timing issue which may allow them to infer internal architectural state from previous executions on the CPU.

This issue requires a microcode update.

This issue has been assigned CVE-2020-8698 and is rated Moderate.

Diagnostic Tools

At this time there is no method of knowing if an attack has taken place.

Affected Products

Product | Fixed in package | Advisory link
Red Hat Enterprise Linux 8.3.0 (Z-stream) | microcode_ctl-20200609-2.20201027.1.el8_3 | RHSA-2020:5085
Red Hat Enterprise Linux 8.2.0 EUS | microcode_ctl-20191115-4.20201112.1.el8_2 | RHSA-2020:5185
Red Hat Enterprise Linux 8.1.0 EUS | microcode_ctl-20190618-1.20201112.1.el8_1 | RHSA-2020:5369
Red Hat Enterprise Linux 8.0.0 SAP extension | microcode_ctl-220180807a-2.20201112.1.el8_0 | RHSA-2020:5186
Red Hat Enterprise Linux 7.9 (Z-stream) | microcode_ctl-2.1-73.2.el7_9 | RHSA-2020:5083
Red Hat Enterprise Linux 7.7 EUS | microcode_ctl-2.1-53.13.el7_7 | RHSA-2020:5190
Red Hat Enterprise Linux 7.6 EUS | microcode_ctl-2.1-47.18.el7_6 | RHSA-2020:5181
Red Hat Enterprise Linux 7.4 AUS/E4S/TUS | microcode_ctl-2.1-22.36.el7_4 | RHSA-2020:5182
Red Hat Enterprise Linux 7.3 AUS/E4S/TUS | microcode_ctl-2.1-16.37.el7_3 | RHSA-2020:5183
Red Hat Enterprise Linux 7.2 AUS | microcode_ctl-2.1-12.34.el7_2 | RHSA-2020:5188
Red Hat Enterprise Linux 6.10 (Z-stream) (*) | microcode_ctl-1.17-33.31.el6_10 | RHSA-2020:5084
Red Hat Enterprise Linux 6.6 AUS (*) | microcode_ctl-1.17-19.32.el6_6 | RHSA-2020:5184
Red Hat Enterprise Linux 6.5 AUS (*) | microcode_ctl-1.17-17.34.el6_5 | RHSA-2020:5189
Red Hat Enterprise Linux 5 (*) | No update is provided | N/A

(*) Not affected by CVE-2020-8695.

Affected Configurations

Listed below are the CPU families affected by these flaws, broken down by flaw type. You must determine your CPU's family to see if you are affected.

Find your CPU family model

Find the CPU model of your system. It is available in the /proc/cpuinfo file.

$ grep -E '^(cpu family|model|stepping|microcode)' /proc/cpuinfo | sort -u
cpu family  : 6
microcode   : 0x84
model       : 94
model name  : Intel(R) Core(TM) i7-6820HQ CPU @ 2.70GHz
stepping    : 3

(Note: on RHEL 6, microcode revision is in decimal; on RHEL 7 onwards, it is in hexadecimal with the respective prefix.)

Intel Microcode Updates that mitigate the issues

Model No. (dec) | Stepping (dec) | Minimum microcode revision for mitigation (dec) | Applicable vulnerabilities and errata | Codename | Model Name
0x4e (78) | 0x03 (3) | 0xe2 (226) (*) | CVE-2020-8695, CVE-2020-8696 | Skylake U/Y; Skylake U (2+3e) | 6th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-6500U, i7-6510U, i7-6600U; Intel® Core™ Processor i5-6200U, i5-6210U, i5-6300U, i5-6310U; Intel® Core™ Processor i3-6100U, i3-6110U; Intel® Pentium® Processor 4405U, 4415U; Intel® Celeron® Processor 3855U, 3865U, 3955U, 3965U; Intel® Core™ Processor I7-6560U, I7-6567U, I7-6650U, I7-6660U; Intel® Core™ Processor I5-6260U, I5-6267U, I5-6287U, I5-6360U; Intel® Core™ Processor i3-6167U; Intel® Core™ Processor m7-6Y75, m5-6Y54, m5-6Y57, m3-6Y30; Intel® Pentium® Processor 4405Y
0x55 (85) | 0x03 (3) | 0x1000159 (16777561) | CVE-2020-8696 | Skylake Server | Intel® Xeon® Processor P-8124, P-8136
0x55 (85) | 0x04 (4) | 0x2006a08 (33581576) | CVE-2020-8696 | Skylake D; Bakerville; Skylake Server; Skylake W; Skylake X; Basin Falls | Intel® Xeon® Processor D-2123IT, D-2141I, D-2142IT, D-2143IT, D-2145NT, D-2146NT, D-2161I, D-2163IT, D-2166NT, D-2173IT, D-2177NT, D-2183IT, D-2187NT; Intel® Xeon® Bronze Processor 3104, 3106; Intel® Xeon® Gold Processor 5115, 5118, 5119T, 5120, 5120T, 5122, 6126, 6126F, 6126T, 6128, 6130, 6130F, 6130T, 6132, 6134, 6134M, 6136, 6138, 6138F, 6138T, 6140, 6140M, 6142, 6142F, 6142M, 6144, 6146, 6148, 6148F, 6150, 6152, 6154; Intel® Xeon® Platinum Processor 8153, 8156, 8158, 8160, 8160F, 8160M, 8160T, 8164, 8168, 8170, 8170M, 8176, 8176F, 8176M, 8180, 8180M; Intel® Xeon® Silver Processor 4108, 4109T, 4110, 4112, 4114, 4114T, 4116, 4116T; Intel® Xeon® Processor W-2123, W-2125, W-2133, W-2135, W-2145, W-2155, W-2195, W-2175; Intel® Core™ i9 79xxX, 78xxX
0x55 (85) | 0x07 (7) | 0x5003003 (83898371) | CVE-2020-8696 | Cascade Lake | 2nd Generation Intel® Xeon® Scalable Processors; Intel® Xeon® Platinum Processor 8253, 8256, 8260, 8260L, 8260M, 8260Y, 8268, 8270, 8276, 8276L, 8276M, 8280, 8280L, 8280M, 9220, 9221, 9222, 9242, 9282; Intel® Xeon® Gold Processor 5215, 5215L, 5215M, 5215R, 5217, 5218, 5218B, 5218N, 5218T, 5220, 5220R, 5220S, 5220T, 5222, 6222V, 6226, 6230, 6230N, 6230T, 6234, 6238, 6238L, 6238M, 6238T, 6240, 6240L, 6240M, 6240Y, 6242, 6244, 6246, 6248, 6252, 6252N, 6254, 6262V; Intel® Xeon® Silver Processor 4208, 4208R, 4209T, 4210, 4210R, 4214, 4214C, 4214R, 4214Y, 4215, 4216, 4216R; Intel® Xeon® Bronze Processor 3204, 3206R; Intel® Xeon® Processor W-3275M, W-3275, W-3265M, W-3265, W-3245M, W-3245, W-3235, W-3225, W-3223, W-2295, W-2275, W-2265, W-2255, W-2245, W-2235, W-2225, W-2223; Intel® Core™ X-series Processor i9-10940X, i9-10920X, i9-10900X, i9-9960X, i9-9940X, i9-9920X, i9-9900X, i9-9820X, i9-9800X, i9-7960X, i9-7940X, i9-7920X, i9-7900X, i7-7820X, i7-7800X, i7-7740X, i7-7640X
0x5e (94) | 0x03 (3) | 0xe2 (226) (**) | CVE-2020-8695, CVE-2020-8696 | Skylake H | 6th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-6700HQ, i7-6770HQ, i7-6820HK, i7-6820HQ, i7-6870HQ, i7-6920HQ, i7-6970HQ, i5-6300HQ, i5-6350HQ, i5-6440HQ, i3-6100H, i7-6700, i7-6700K, i7-6700T, i7-6700TE, i7-6820EQ, i7-6822EQ, i5-6400, i5-6400T, i5-6440EQ, i5-6442EQ, i5-6500, i5-6500T, i5-6500TE, i5-6600, i5-6600K, i5-6600T, i3-6100, i3-6100E, i3-6100T, i3-6100TE, i3-6102E, i3-6120, i3-6120T, i3-6300, i3-6300T, i3-6320, i3-6320T; Intel® Pentium® Processor G4400, G4400T, G4400TE, G4420, G4420T, G4500, G4500T, G4520, G4520T, G4540; Intel® Celeron® Processor G3900, G3900T, G3900TE, G3902E, G3920, G3920T, G3940
0x7a (122) | 0x01 (1) | 0x34 (52) (***) | CVE-2020-8695 | Gemini Lake | Intel® Pentium® Processor Silver Series; Intel® Celeron® Processor J Series; Intel® Celeron® Processor N Series; Intel® Pentium® Silver Processor J5005, N5000; Intel® Celeron® Processor J4005, J4105, N4000, N4100
0x7a (122) | 0x08 (8) | 0x18 (24) | CVE-2020-8695 | Gemini Lake | Intel® Celeron® Processor J Series; Intel® Celeron® Processor N Series; Intel® Pentium® Silver J5040, N5030 Processor; Intel® Celeron® Processor J4025, J4125, N4020, N4120
0x7e (126) | 0x05 (5) | 0xa0 (160) | CVE-2020-8695, CVE-2020-8698 | Ice Lake U; Ice Lake Y | 10th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-1060G7, i7-1065G7, i5-1030G4, i5-1030G7, i5-1035G1, i5-1035G4, i5-1035G7, i3-1000G1, i3-1000G4, i3-1005G1
0x8e (142) | 0x09 (9) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Kaby Lake U; Kaby Lake U (2+3e); Kaby Lake Y | 7th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-7500U, i7-7510U, i7-7600U, i7-7560U, i7-7567U, i7-7660U, i7-7Y75, i5-7200U, i5-7210U, i5-7300U, i5-7500U, i5-7260U, i5-7267U, i5-7287U, i5-7360U, i5-7Y54, i5-7Y57, i3-7007U, i3-7100U, i3-7110U, i3-7130U, i3-7167U, M3-7Y30, M3-7Y30; Intel® Pentium® Processor 4415U, 4410Y, 4415Y; Intel® Celeron® Processor 3865U, 3965U, 3965Y
0x8e (142) | 0x09 (9) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Amber Lake Y | 8th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-8500Y, i5-8310Y, i5-8210Y, i5-8200Y, m3-8100Y
0x8e (142) | 0x0a (10) | 0xe0 (224) | CVE-2020-8695, CVE-2020-8696 | Coffee Lake U (4+3e); Kaby Lake Refresh U (4+2) | 8th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-8559U, i7-8550U, i7-8650U, i5-8259U, 8269U, i5-8250U, i5-8350U, i3-8109U, i3-7020U, i3-8130U
0x8e (142) | 0x0b (11) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Whiskey Lake U | 8th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-8565U, i7-8665U, i5-8365U, i5-8265U, i3-8145U; Intel® Core™ Processor 4205U, 5405U
0x8e (142) | 0x0c (12) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Whiskey Lake U, Amber Lake Y, Comet Lake U (4+2) | 8th Generation Intel® Core™ Processor Family; 10th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i7-10510Y, i5-10310Y, i5-10210Y, i5-10110Y, i7-10510U, i7-8565U, i7-8665U, i5-10210U, i5-8365U, i5-8265U, Intel® Pentium® Gold Processor 6405U, Intel® Celeron® Processor 5305U
0x9e (158) | 0x09 (9) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Kaby Lake G; Kaby Lake H; Kaby Lake S; Kaby Lake X; Kaby Lake Xeon E3 | 7th Generation Intel® Core™ Processor Family; 8th Generation Intel® Core™ Processor Family; Intel® Core™ X-series Processors (i5-7640X, i7-7740X); Intel® Core™ Processor i7-8705G, i7-8706G, i7-8709G, i7-8809G, i5-8305G, Intel® Core™ Processor i7-7700HQ, i7-7820EQ, i7-7820HK, i7-7820HQ, i7-7920HQ, i7-7700, i7-7700K, i7-7700T, i5-7300HQ, i5-7440EQ, i5-7440HQ, i5-7442EQ, i5-7400, i5-7400T, i5-7500, i5-7500T, i5-7600, i5-7600K, i5-7600T, i3-7100H, i3-7100E, i3-7101E, i3-7101TE, i3-7102E, i3-7120, i3-7120T, i3-7320T, i3-7340; Intel® Celeron® Processor G3930E, G3930TE; Intel® Xeon® Processor v6 E3-1535M, E3-1505M, E3-1505L, E3-1501L, E3-1501M, E3-1285, E3-1280, E3-1275, E3-1270, E3-1245, E3-1240, E3-1230, E3-1225, E3-1220
0x9e (158) | 0x0a (10) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Coffee Lake H (6+2); Coffee Lake S (6+2); Coffee Lake S (6+2) Xeon E; Coffee Lake S (4+2) Xeon E | 8th Generation Intel® Core™ Processor Family; Intel® Xeon® Processor E Family; Intel® Core™ Processor i9-8950HK, i7-8700K, i7-8700B, i7-8750H, i7-8850H, i7-8670, i7-8670T, i7-8700, i7-8700T, i5-8600K, i5-8650K, i5-8300H, i5-8400B, i5-8400H, i5-8500B, i5-8400, i5-8400T, i5-8420, i5-8420T, i5-8500, i5-8500T, i5-8550, i5-8600, i5-8600T, i5-8650; Intel® Xeon® Processor E-2174G, E-2144G, E-2134, E-2124, E-2124G, E-2284G, E-2274G, E-2254ML, E-2254ME, E-2244G, E-2234, E-2224, E-2224G, E-2184G, E-2186G, E-2176G, E-2176M, E-2146G, E-2136, E-2126G, 2286G, E-2276ML, E-2276ME, E-2276M, E-2276G, E-2246G, E-2236, E-2226GE, E-2226G, E-2186M, E-2176M
0x9e (158) | 0x0b (11) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Coffee Lake S (4+2) | 8th Generation Intel® Core™ Processor Family; Intel® Pentium® Gold Processor Series; Intel® Celeron® Processor G Series; Intel® Core™ Processor i3-8000, i3-8000T, i3-8020, i3-8100, i3-8100, i3-8100H, i3-8100T, i3-8120, i3-8300, i3-8300T, i3-8350K; Intel® Pentium® Gold G5400, G5400T, G5400T, G5420, G5420T, G5420T, G5500, G5500T, G5600; Intel® Celeron® Processor G4900, G4900T, G4920
0x9e (158) | 0x0c (12) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Coffee Lake S (8+2) | 9th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i9-9900K, i9-9900KF, i7-9700K, i7-9700KF, i5-9600K, i5-9600KF, i5-9400, i5-9400F
0x9e (158) | 0x0d (13) | 0xde (222) | CVE-2020-8695, CVE-2020-8696 | Coffee Lake H (8+2); Coffee Lake S (8+2); Coffee Lake S (8+2) Xeon E | 9th Generation Intel® Core™ Processor Family; Intel® Core™ Processor i9-9980HK, i9-9880H, i7-9850H, 9750HF, i5-9400H, 9300H; Intel® Xeon® Processor E-2288G, E-2286M, E-2278GEL, E-2278GE, E-2278G
0xa5 (165) | 0x02 (2) | 0xe0 (224) | CVE-2020-8695 | Comet Lake H | 10th Generation Intel® Core™ Processor Family
0xa5 (165) | 0x03 (3) | 0xe0 (224) | CVE-2020-8695 | Comet Lake S (6+2) | 10th Generation Intel® Core™ Processor Family
0xa5 (165) | 0x05 (5) | 0xe0 (224) | CVE-2020-8695 | Comet Lake S (10+2) | 10th Generation Intel® Core™ Processor Family
0xa6 (166) | 0x00 (0) | 0xe0 (224) | CVE-2020-8695 | Comet Lake U (6+2) | 10th Generation Intel® Core™ Processor Family
0xa6 (166) | 0x01 (1) | 0xe0 (224) | CVE-2020-8695 | Comet Lake U (6+2) v2 | 10th Generation Intel® Core™ Processor Family

(*) The update is disabled by default due to possible hangs. See /usr/share/doc/microcode_ctl/caveats/06-4e-03_readme for details.

(**) The update is disabled by default due to possible hangs. See /usr/share/doc/microcode_ctl/caveats/06-5e-03_readme for details.

(***) The update will be available at a later date.
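
The lookup described above, as an added example that is not part of the Red Hat advisory: shell functions that read family, model, stepping and microcode revision from /proc/cpuinfo, accept both the decimal (RHEL 6) and hexadecimal revision formats, and compare the result with the minimum revisions in the table. The function names, messages and exit codes are choices made for this example.

```shell
# Minimum fixed revision for a family-6 "model:stepping" pair (decimal),
# transcribed from the table above; returns 1 when the pair is not listed.
# Advisory caveats: 78:3 and 94:3 are disabled by default, 122:1 came later.
min_revision() {
    case "$1:$2" in
        78:3|94:3) echo 0xe2 ;;
        85:3) echo 0x1000159 ;;
        85:4) echo 0x2006a08 ;;
        85:7) echo 0x5003003 ;;
        122:1) echo 0x34 ;;
        122:8) echo 0x18 ;;
        126:5) echo 0xa0 ;;
        142:9|142:11|142:12|158:9|158:10|158:11|158:12|158:13) echo 0xde ;;
        142:10|165:2|165:3|165:5|166:0|166:1) echo 0xe0 ;;
        *) return 1 ;;
    esac
}

# Print the value of the first cpuinfo line whose key is exactly $1.
cpu_field() {
    awk -F'[ \t]*:[ \t]*' -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Status: 0 = at or above the minimum, 1 = below it, 2 = CPU not listed,
# 3 = microcode field missing or malformed.
check_microcode() {
    info=${1:-/proc/cpuinfo}
    family=$(cpu_field "cpu family" "$info")
    model=$(cpu_field "model" "$info")
    stepping=$(cpu_field "stepping" "$info")
    current=$(cpu_field "microcode" "$info")
    [ "$family" = 6 ] || { echo "not listed: family ${family:-?}"; return 2; }
    required=$(min_revision "$model" "$stepping") ||
        { echo "not listed: model $model stepping $stepping"; return 2; }
    # RHEL 6 prints decimal, RHEL 7+ prints 0x-prefixed hex; accept only those.
    case $current in
        ''|0x|0x*[!0-9a-fA-F]*) current= ;;
        0x*) ;;
        *[!0-9]*) current= ;;
    esac
    [ -n "$current" ] || { echo "unreadable microcode revision"; return 3; }
    [ "$(($current))" -ge "$(($required))" ] ||
        { echo "update needed: microcode $current < $required"; return 1; }
    echo "ok: microcode $current >= $required"
}

# Check the running system only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then check_microcode; fi
```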

Resolution

Red Hat customers running affected versions of the Red Hat products are strongly recommended to update them as soon as errata are available. Customers are urged to apply the appropriate updates immediately and reboot to mitigate this flaw correctly.

Acknowledgements

Red Hat thanks Intel for fixing these issues and making Red Hat aware.

Frequently Asked Questions

Q: Do I need to reboot for the changes to take effect?
A: There are two parts to this update. The microcode update does not require a system reboot to take effect. The kernel update includes a modification which changes the permissions on the exported RAPL device that would allow an attacker to abuse this flaw. The kernel will need to be updated and the system rebooted for the changes in permissions to take effect.

Q: What if my CPU is not listed in the table?
A: Red Hat will continue to update these microcode packages as necessary. Please contact your hardware vendor to determine whether more recent BIOS/firmware updates are recommended because additional improvements may be available.

Additional Information

Red Hat cannot guarantee the correctness of the above information as the microcode update is provided by upstream vendors.
