A potential security vulnerability in some Intel® Thunderbolt™ controllers may allow information disclosure. Intel is releasing prescriptive guidance to mitigate this potential vulnerability.
Description: Reliance on untrusted inputs in a security decision in some Intel(R) Thunderbolt(TM) controllers may allow unauthenticated user to potentially enable information disclosure via physical access.
CVSS Base Score: 4.8 Medium
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
Thunderbolt™ 1: Intel® DSL3310, Intel® DSL3510, Intel® DSL4510, Intel® DSL4410.
Thunderbolt™ 2: Intel® DSL5520, Intel® DSL5320.
Thunderbolt™ 3: Intel® DSL6540, Intel® DSL6340, Intel® JHL6540, Intel® JHL6340, Intel® JHL6240, Intel® JHL7540, Intel® JHL7340.
Intel recommends enabling Intel® VT-d based DMA protection to mitigate this potential vulnerability for Intel® Thunderbolt™ 3 controllers.
For a complete Intel® VT-d based DMA protection solution, Intel recommends the following:
1. UEFI Secure Boot feature enabled.
2. Pre-boot Intel® VT-d based DMA protection enabled in UEFI.
3. BIOS Setup Menu protected by password.
4. Intel® VT-d based DMA Protection enabled in the OS.
5. Storage drive encryption enabled.
6. An OS or software capability to notify the user if these protections are disabled.
For an overview of how Intel® VT-d is used for Thunderbolt™ security, please refer to this link:
For other Operating Systems, refer to vendor documentation for enabling Kernel DMA protection.
For systems that do not implement Intel® VT-d based DMA protection, Intel recommends following good security practices, including the use of only trusted peripherals and preventing unauthorized physical access to computers.
Intel would like to thank Theo Markettos, Colin Rothwell, Allison Pearce, Simon W. Moore and Robert N.M. Watson from University of Cambridge, Brett F. Gutstein from University of Cambridge/Rice University and Peter G. Neumann from SRI International for reporting this issue.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.