Microsoft issued urgent security updates to fix vulnerabilities related to “Memory Mapped I/O Stale Data” in Intel CPUs. Intel had initially disclosed the Memory Mapped I/O side-channel vulnerabilities on June 14th, 2022, warning that the flaws could enable processes running in one virtual machine to access data from another. The vulnerabilities are tracked as CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, and CVE-2022-21166. Microsoft also released ADV220002 as part of the June Patch Tuesday, which details the types of scenarios that these vulnerabilities could impact.
Microsoft’s advisory warns that an attacker exploiting these vulnerabilities could read privileged data across trust boundaries, which could occur in shared resource environments or cloud service configurations. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.
While mitigations have been applied for Windows Server 2019 and Windows Server 2022, no security updates were released, according to Microsoft’s advisory. Nevertheless, Microsoft has released a set of security updates for Windows 10, Windows 11, and Windows Server that address these vulnerabilities, which can be found as manual updates in the Microsoft Update Catalog. The updates include KB5019180, KB5019177, KB5019178, KB5019182, KB5019181, and KB5019106.
These updates are optional and must be installed manually because the mitigations may cause performance issues, and in certain scenarios the vulnerabilities may not be fully resolved unless Intel Hyper-Threading Technology is also disabled. Reading both Intel’s and Microsoft’s advisories before applying these updates is therefore strongly recommended.