feat: add CVE-2019-11135 (TAA) mitigation detection under BSD

2026-04-02 13:17:07 +02:00 · 2026-03-31 22:35:27 +02:00
parent 0628a3e565
commit 2b603c68ce
1 changed files with 51 additions and 4 deletions
--- a/src/vulns/CVE-2019-11135.sh
+++ b/src/vulns/CVE-2019-11135.sh
@@ -87,10 +87,57 @@ check_CVE_2019_11135_linux() {

 # CVE-2019-11135 TAA (TSX asynchronous abort) - BSD mitigation check
 check_CVE_2019_11135_bsd() {
-    if ! is_cpu_affected "$cve"; then
-        # override status & msg in case CPU is not vulnerable after all
-        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    local taa_enable taa_state mds_disable kernel_taa kernel_mds
+    pr_info_nol "* Kernel supports TAA mitigation (machdep.mitigations.taa.enable): "
+    taa_enable=$(sysctl -n machdep.mitigations.taa.enable 2>/dev/null)
+    if [ -n "$taa_enable" ]; then
+        kernel_taa=1
+        case "$taa_enable" in
+            0) pstatus yellow YES "disabled" ;;
+            1) pstatus green YES "TSX disabled via MSR" ;;
+            2) pstatus green YES "VERW mitigation" ;;
+            3) pstatus green YES "auto" ;;
+            *) pstatus yellow YES "unknown value: $taa_enable" ;;
+        esac
    else
-        pvulnstatus "$cve" UNK "your CPU is affected, but mitigation detection has not yet been implemented for BSD in this script"
+        kernel_taa=0
+        pstatus yellow NO
+    fi
+
+    pr_info_nol "* TAA mitigation state: "
+    taa_state=$(sysctl -n machdep.mitigations.taa.state 2>/dev/null)
+    if [ -n "$taa_state" ]; then
+        if echo "$taa_state" | grep -qi 'not.affected\|mitigation'; then
+            pstatus green YES "$taa_state"
+        else
+            pstatus yellow NO "$taa_state"
+        fi
+    else
+        # fallback: TAA is also mitigated by MDS VERW if enabled
+        mds_disable=$(sysctl -n hw.mds_disable 2>/dev/null)
+        if [ -z "$mds_disable" ]; then
+            mds_disable=$(sysctl -n machdep.mitigations.mds.disable 2>/dev/null)
+        fi
+        if [ -n "$mds_disable" ] && [ "$mds_disable" != 0 ]; then
+            kernel_mds=1
+            pstatus green YES "MDS VERW mitigation active (also covers TAA)"
+        else
+            kernel_mds=0
+            pstatus yellow NO "no TAA or MDS sysctl found"
+        fi
+    fi
+
+    if ! is_cpu_affected "$cve"; then
+        pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+    elif [ "$kernel_taa" = 1 ] && [ "$taa_enable" != 0 ]; then
+        pvulnstatus "$cve" OK "TAA mitigation is enabled"
+    elif [ "$kernel_mds" = 1 ]; then
+        pvulnstatus "$cve" OK "MDS VERW mitigation is active and also covers TAA"
+    elif [ "$kernel_taa" = 1 ] && [ "$taa_enable" = 0 ]; then
+        pvulnstatus "$cve" VULN "TAA mitigation is supported but disabled"
+        explain "To enable TAA mitigation, run \`sysctl machdep.mitigations.taa.enable=3' for auto mode.\n " \
+            "To make this persistent, add 'machdep.mitigations.taa.enable=3' to /etc/sysctl.conf."
+    else
+        pvulnstatus "$cve" VULN "your kernel doesn't support TAA mitigation, update it"
    fi
 }