===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0315
 INTEL-SA-00219 - Intel SGX with Intel Processor Graphics Update Advisory
                             13 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Intel Core processor
                      Intel Xeon Processor
Operating System:     Linux variants
                      Windows
Impact/Access:        Access Privileged Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-0117  
Member content until: Friday, December 13 2019

OVERVIEW

        Intel has discovered vulnerabilities in the following products:
         o Intel Core processor
         o Intel Xeon Processor [1]


IMPACT

        Intel has provided the following information regarding the 
        vulnerabilities:
        
        "Intel ID:                INTEL-SA-00219
        Advisory Category:        Firmware, Software
        Impact of vulnerability : Information Disclosure
        Severity rating :         MEDIUM
        Original release:         11/12/2019
        Last revised:             11/12/2019" [1]
        
        "CVEID: CVE-2019-0117
        Description: Insufficient access control in protected memory 
        subsystem for Intel(R) SGX for 6th, 7th, 8th, 9th Generation 
        Intel(R) Core(TM) Processor Families; Intel(R) Xeon(R) Processor 
        E3-1500 v5, v6 Families; Intel(R) Xeon(R) E-2100 & E-2200 Processor
        Families with Intel(R) Processor Graphics may allow a privileged 
        user to potentially enable information disclosure via local access.
        CVSS Base Score: 6.0 Medium
        CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N" [1]


MITIGATION

        Intel recommends:
        
        "Impacted system users:
        
          o Ensure the latest BIOS from your system provider and Intel SGX 
        platform software (PSW) is installed.
        
          o Disable integrated processor graphics where they are not used 
        (usually server).
        
          o Where integrated processor graphics are required, get updated 
        SGX application(s) from your SGX application provider(s).
        
        
        Application Providers:
        
          o Organize the code/data within enclave memory to avoid putting 
        sensitive materials in DWORD0 and DWORD1 of cache line. The 
        effectiveness of this mitigation is dependent on the ability for the
        software to avoid the affected memory region. To assist the enclave
        application providers to modify their code, Intel is releasing SGX 
        SDK update (Windows version 2.5.101.3, Linux version 2.7.101.3) with
        new memory allocation APIs to avoid the affected memory region. More
        details about the APIs can be found here.
        
          o Increase the Security Version Number (ISVSVN) of the enclave 
        application to reflect that these modifications have been put in 
        place.
        
          o For existing solutions which utilize Remote Attestation (IAS), 
        please refer to Intel SGX Attestation Technical Details to determine
        whether you may need to implement changes to your SGX application 
        for SGX attestation service." [1]
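
        The layout rule in the first Application Providers item, as an
        added example that is not part of the Intel advisory or the SGX
        SDK: a check for whether a byte range touches DWORD0/DWORD1 of a
        cache line, and a copy routine that leaves those bytes unused.
        Assumptions: a 64-byte cache line, 4-byte DWORDs (so bytes 0..7 of
        each line are avoided); all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_LINE    64u  /* assumption: 64-byte cache line */
#define AVOID_BYTES   8u   /* DWORD0 + DWORD1 = bytes 0..7 of each line */
#define SAFE_PER_LINE (CACHE_LINE - AVOID_BYTES)

/* 1 if any byte of [addr, addr+len) lies in bytes 0..7 of a cache line. */
int touches_avoided_region(uintptr_t addr, size_t len)
{
    size_t off = (size_t)(addr % CACHE_LINE);
    if (len == 0) return 0;
    if (off < AVOID_BYTES) return 1;
    return len > CACHE_LINE - off;   /* spills into the next line's DWORD0 */
}

/* Cache lines needed when only bytes 8..63 of each line hold data. */
size_t lines_needed(size_t len)
{
    return (len + SAFE_PER_LINE - 1) / SAFE_PER_LINE;
}

/* Copy between a flat secret and a line-aligned buffer that leaves bytes
 * 0..7 of every line unused. to_buf != 0 stores, 0 loads. Returns 0, or -1
 * if buf is misaligned or too small. */
int copy_avoiding(uint8_t *buf, size_t buf_len, uint8_t *flat, size_t len, int to_buf)
{
    if ((uintptr_t)buf % CACHE_LINE != 0 || buf_len < lines_needed(len) * CACHE_LINE)
        return -1;
    for (size_t line = 0; len > 0; line++) {
        size_t n = len < SAFE_PER_LINE ? len : SAFE_PER_LINE;
        uint8_t *slot = buf + line * CACHE_LINE + AVOID_BYTES;
        if (to_buf) memcpy(slot, flat, n); else memcpy(flat, slot, n);
        flat += n;
        len -= n;
    }
    return 0;
}

int main(void)
{
    static _Alignas(64) uint8_t buf[128];
    uint8_t key[100];                 /* constructed sample secret */
    memset(key, 0xA5, sizeof key);
    printf("store: %d, lines: %zu\n",
           copy_avoiding(buf, sizeof buf, key, sizeof key, 1), lines_needed(sizeof key));
    return 0;
}
```

        The flat copy of the secret passed in and out is not itself laid
        out this way, which is the dependency the advisory notes: the
        mitigation only helps as far as the software keeps sensitive data
        out of the affected region everywhere it lives.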


REFERENCES

        [1] INTEL-SA-00219 - Intel SGX with Intel Processor Graphics Update
            Advisory
            https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00219.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================