-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0325
                    INTEL-SA-00293 - Intel SGX Advisory
                             13 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Intel SGX SDK
Operating System:     Linux variants
                      Windows
Impact/Access:        Increased Privileges   -- Existing Account
                      Access Privileged Data -- Existing Account
                      Denial of Service      -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-14566 CVE-2019-14565 
Member content until: Friday, December 13 2019

OVERVIEW

        Intel has discovered vulnerabilities in Intel SGX SDK for Linux and
        Windows. [1]


IMPACT

        Intel has provided the following information regarding the
        vulnerabilities:
        
        "Intel ID:                INTEL-SA-00293
        Advisory Category:        Software
        Impact of vulnerability : Escalation of Privilege
                                  Denial of Service
                                  Information Disclosure
        Severity rating :         HIGH
        Original release:         11/12/2019
        Last revised:             11/12/2019" [1]
        
        "CVEID: CVE-2019-14566
        Description: Insufficient input validation in Intel(R) SGX SDK 
        versions shown below may allow an authenticated user to enable 
        information disclosure, escalation of privilege or denial of service
        via local access.
        CVSS Base Score: 7.8 (High)
        CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
        
        CVEID: CVE-2019-14565
        Description: Insufficient initialization in Intel(R) SGX SDK 
        versions shown below may allow an authenticated user to enable 
        information disclosure, escalation of privilege or denial of service
        via local access.
        CVSS Base Score: 7.0 (High)
        CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H" [1]


MITIGATION

        Intel recommends:
        
        "Solution Developers should update their Intel SGX SDK to Windows 
        version 2.5.101.3 (or later) or Linux version 2.7.101.3 (or later):
        
          o Windows developers can find latest SGX SDK here:[2] 
        
          o Linux developers can find latest SGX SDK here:[3]
        
        Solution Developers should recompile their affected SGX application
        enclaves with the updated Intel SGX SDK, and re-issue the 
        application. Solution Developers should also increase the Security 
        Version Numbers (ISVSVN) of their updated SGX application enclaves.
        
        Developers implementing their own SDK should review the 
        documentation and code changes issued with the Intel SGX SDK for 
        Linux." [1]
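
        Increasing ISVSVN matters because the value is bound into the
        enclave's sealing-key derivation and reported in attestation
        quotes: a higher ISVSVN lets sealing policy and remote verifiers
        distinguish the rebuilt enclave from the vulnerable one signed by
        the same key. The following check is an added example, not Intel's
        or AusCERT's code; it verifies the two mechanical steps above for a
        build, namely that the SDK version meets the fixed release for its
        platform and that the rebuilt enclave's ISVSVN in Enclave.config.xml
        is higher than the previously shipped value. The SDK version
        strings and both config documents are constructed sample input.

```python
"""Remediation check for INTEL-SA-00293 (added example, not Intel's code).

Verifies that the SGX SDK version used for a build is at or above the fixed
release for its platform, and that the rebuilt enclave's ISVSVN in
Enclave.config.xml is higher than the one shipped before the fix.
"""
import xml.etree.ElementTree as ET

# Fixed SDK versions from the advisory (Windows 2.5.101.3, Linux 2.7.101.3).
FIXED_SDK = {"windows": (2, 5, 101, 3), "linux": (2, 7, 101, 3)}


def parse_version(text):
    """'2.7.101.3' -> (2, 7, 101, 3); shorter strings are zero-padded to 4 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("unexpected SDK version string: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))


def sdk_is_fixed(platform, version_text):
    """True if version_text meets the fixed release for 'linux' or 'windows'."""
    return parse_version(version_text) >= FIXED_SDK[platform.lower()]


def read_isvsvn(config_xml):
    """Return the <ISVSVN> value (decimal or 0x-hex) from an Enclave.config.xml."""
    root = ET.fromstring(config_xml)
    node = root.find("ISVSVN")
    if node is None or not (node.text or "").strip():
        raise ValueError("ISVSVN element missing from enclave config")
    text = node.text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def audit(platform, sdk_version, old_config_xml, new_config_xml):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not sdk_is_fixed(platform, sdk_version):
        fixed = ".".join(str(n) for n in FIXED_SDK[platform.lower()])
        findings.append(
            "SDK %s is below the fixed %s release %s" % (sdk_version, platform, fixed)
        )
    old_svn = read_isvsvn(old_config_xml)
    new_svn = read_isvsvn(new_config_xml)
    if new_svn <= old_svn:
        findings.append("ISVSVN not increased (was %d, now %d)" % (old_svn, new_svn))
    return findings


# Constructed sample configs in the layout of the SDK's Enclave.config.xml;
# only ISVSVN differs between the pre-fix and post-fix documents.
OLD_CONFIG = """<EnclaveConfiguration>
  <ProdID>0</ProdID>
  <ISVSVN>1</ISVSVN>
  <StackMaxSize>0x40000</StackMaxSize>
  <HeapMaxSize>0x100000</HeapMaxSize>
  <TCSNum>10</TCSNum>
  <TCSPolicy>1</TCSPolicy>
  <DisableDebug>0</DisableDebug>
  <MiscSelect>0</MiscSelect>
  <MiscMask>0xFFFFFFFF</MiscMask>
</EnclaveConfiguration>"""
NEW_CONFIG = OLD_CONFIG.replace("<ISVSVN>1</ISVSVN>", "<ISVSVN>2</ISVSVN>")

if __name__ == "__main__":
    print(audit("linux", "2.7.101.3", OLD_CONFIG, NEW_CONFIG))  # []
    print(audit("linux", "2.6.100.2", OLD_CONFIG, OLD_CONFIG))  # two findings
```

        Point audit() at the version string your build reports and at the
        enclave config from the previous release and the rebuilt one; any
        non-empty result means the release is not yet remediated as the
        advisory describes.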


REFERENCES

        [1] INTEL-SA-00293 - Intel SGX Advisory
            https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00293.html

        [2] Intel SGX SDK update for Windows
            https://registrationcenter.intel.com/en/forms/productid=2614

        [3] Intel SGX SDK update for Linux
            https://01.org/intel-software-guard-extensions/downloads

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----