===========================================================================
                 AUSCERT Security Bulletin ASB-2019.0325
                   INTEL-SA-00293 - Intel SGX Advisory
                              13 November 2019
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Intel SGX SDK
Operating System:     Linux variants
                      Windows
Impact/Access:        Increased Privileges    -- Existing Account
                      Access Privileged Data  -- Existing Account
                      Denial of Service       -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-14566 CVE-2019-14565
Member content until: Friday, December 13 2019

OVERVIEW

        Intel has discovered vulnerabilities in Intel SGX SDK for Linux and
        Windows. [1]

IMPACT

        Intel has provided the following information regarding the
        vulnerabilities:

        "Intel ID:                INTEL-SA-00293
        Advisory Category:       Software
        Impact of vulnerability: Escalation of Privilege, Denial of Service,
                                 Information Disclosure
        Severity rating:         HIGH
        Original release:        11/12/2019
        Last revised:            11/12/2019" [1]

        "CVEID: CVE-2019-14566
        Description: Insufficient input validation in Intel(R) SGX SDK
        versions shown below may allow an authenticated user to enable
        information disclosure, escalation of privilege or denial of service
        via local access.
        CVSS Base Score: 7.8 (High)
        CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

        CVEID: CVE-2019-14565
        Description: Insufficient initialization in Intel(R) SGX SDK
        versions shown below may allow an authenticated user to enable
        information disclosure, escalation of privilege or denial of service
        via local access.
        CVSS Base Score: 7.0 (High)
        CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H" [1]

MITIGATION

        Intel recommends:

        "Solution
        Developers should update their Intel SGX SDK to Windows version
        2.5.101.3 (or later) or Linux version 2.7.101.3 (or later):
          o Windows developers can find the latest SGX SDK here: [2]
          o Linux developers can find the latest SGX SDK here: [3]

        Solution
        Developers should recompile their affected SGX application enclaves
        with the updated Intel SGX SDK, and re-issue the application.

        Solution
        Developers should also increase the Security Version Numbers (ISVSVN)
        of their updated SGX application enclaves.

        Developers implementing their own SDK should review the documentation
        and code changes issued with the Intel SGX SDK for Linux." [1]

REFERENCES

        [1] INTEL-SA-00293 - Intel SGX Advisory
            https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00293.html

        [2] Intel SGX SDK update for Windows
            https://registrationcenter.intel.com/en/forms/productid=2614

        [3] Intel SGX SDK update for Linux
            https://01.org/intel-software-guard-extensions/downloads

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

        AusCERT personnel answer during Queensland business hours
        which are GMT+10:00 (AEST).
        On call after hours for member emergencies only.
===========================================================================