Stale Data Read from Legacy xAPIC / CVE-2022-21233, CVE-2022-38090 / INTEL-SA-00657, INTEL-SA-00767

ID 739506
Updated 5/9/2023
Version Latest
Public

Key Takeaways

  • Intel recommends that operating systems (OSes) and virtual machine monitors (VMMs) enable x2APIC mode, which disables the xAPIC MMIO page and instead exposes APIC registers through model-specific registers (MSRs). This mitigates the issue.

  • Intel also provided an MCU in which prevents enclaves from reading stale data from the xAPIC page, mitigating this issue without requiring use of the updated interfaces provided by the Intel SGX SDK.

author-image

By

  

Disclosure date: 
2022-08-09
Published date: 
2022-08-09
Severity rating: 
6.0 Medium
Industry-wide severity ratings can be
found in the National Vulnerability Database


Related Content

Aliases

  • ÆPIC Leak

Description and Mitigation

The Advanced Programmable Interrupt Controller (APIC) is an integrated CPU component responsible for accepting, prioritizing, and dispatching interrupts to logical processors (LPs). The APIC can operate in xAPIC mode, also known as legacy mode, in which APIC configuration registers are exposed through a memory-mapped I/O (MMIO) page.

On some processors, incorrectly aligned reads from addresses in the xAPIC MMIO page could return stale data, which may correspond to data previously accessed by the same processor core that is reading the xAPIC page. Note that naturally aligned 8-byte loads are not affected by this behavior. Intel recommends that operating systems (OSes) and virtual machine monitors (VMMs) enable x2APIC mode, which disables the xAPIC MMIO page and instead exposes APIC registers through model-specific registers (MSRs). This mitigates the issue. Note that APIC virtualization is not affected; this behavior only applies to access to the physical xAPIC MMIO page.

Intel® Software Guard Extensions (Intel® SGX) includes a strong threat model that identifies all software running outside an Intel SGX enclave as untrusted, including the OS/VMM. As a result, Intel SGX enclaves cannot assume the OS/VMM will enable x2APIC mode. Intel has provided a microcode update (MCU) to mitigate potential exposure of secret stale data by clearing buffers when an LP exits an enclave. This mitigation assumes that Intel® Hyper-Threading Technology (Intel® HT Technology) is disabled, as documented in the Processor MMIO Stale Data vulnerabilities technical article.

Although this MCU mitigates potential exposure of data after an LP exits an enclave, enclave data could also be exposed when an enclave reads data from outside its own linear memory range (ELRANGE). This may occur when a malicious OS/VMM maps the xAPIC into an enclave-accessible page outside of ELRANGE. If the enclave unintentionally accesses the xAPIC in an attempt to read memory, it may receive stale enclave data instead of the data that it had attempted to read. The enclave may then unintentionally perform an operation that could allow an attacker to infer this data. 

Intel has provided an updated Intel SGX Software Development Kit (SDK) that helps mitigate potential exposure under the scenario described above. The updated SDK reads data from outside the enclave’s ELRANGE at a size and alignment of 8 bytes. It also provides new programming interfaces that can be used by developers to ensure that enclave application code reads data from outside the enclave’s ELRANGE at a minimum alignment of 8 bytes. Additionally, in February 2023, Intel provided an MCU which prevents enclaves from reading stale data from the xAPIC page under this scenario, mitigating this issue without requiring the use of the updated interfaces provided by the Intel SGX SDK. 

Intel is not aware of any impact to system management mode (SMM). Existing guidance for protecting SMM secrets continues to apply. Notably, when Intel HT Technology is enabled, SMM secrets to be protected against an OS adversary should be accessed only after LPs rendezvous. These secrets should not be accessed after the point where LPs may start leaving SMM.

Stale Data Read from legacy xAPIC has been assigned CVE-2022-21233 with a CVSS base score of 6.0 (Medium) CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N and CVE-2022-38090 with a CVSS base score of 6.0 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N .

Affected Processors

Refer to the consolidated Affected Processors table (2022 tab, Stale Data Read from xAPIC column) for a list of processors affected by this issue. Stale Data Read from legacy xAPIC against Intel SGX enclaves will be mitigated in hardware, starting in Intel® Xeon® 4th Gen Scalable processors, code named Sapphire Rapids, and future processors. 

The processors listed in Table 1 below, such as Intel® Xeon® E processors code named Rocket Lake, support Intel SGX. These processors are therefore affected by the Intel SGX issue described above and should load the latest MCU. Other product families that do not support Intel SGX, such as Intel® Xeon® W processors code named Rocket Lake, are not affected by the Intel SGX issue and should enable x2APIC mode.

Table 1: Current Affected Processors Supporting Intel SGX
Processor Stepping (all unless otherwise noted) Code Names / Microarchitectures Product Family Affected
06_6AH 4, 5, 6 Ice Lake Xeon-SP 3rd Gen Intel® Xeon® Scalable processor family Y
06_6CH 1 Ice Lake D Intel® Xeon® D Processor  Y
06_7AH 1 Gemini Lake  Intel® Pentium® Processor Silver Series
Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series
 
Y
06_7AH 8 Gemini Lake  Intel® Celeron® Processor J Series
Intel® Celeron® Processor N Series
 
Y
06_7EH 5 Ice Lake U,Y 10th Generation Intel® Core™ Processor Family Y
06_A7H 1 Rocket Lake Intel® Xeon® E-2300 processor family   Y

 

Software Security Guidance Home | Advisory Guidance | Technical Documentation | Best Practices | Resources