A potential security vulnerability in some Intel® Processors may allow information disclosure. Intel is releasing firmware updates to address this potential vulnerability.
Description: Improper isolation of shared resources in some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Consult the list of affected products here.
Intel recommends that users of affected Intel® Processors update to the latest firmware version provided by the system manufacturer that addresses these issues. In addition, Intel will be releasing Intel® SGX SDK updates soon after the public embargo is lifted.
Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public GitHub repository. Details on access to the microcode are below:
GitHub*: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
For Intel® SGX customers, please note there is a known sighting that affects the patch installation recommendation for 3rd Generation Intel® Xeon® Scalable Processors, Codename Icelake-SP. Further details and a workaround are available here.
Intel® SGX SDK Download Links:
Intel SGX TCB Recovery Plans:
To address this issue, an Intel SGX TCB Recovery is planned. Details can be found here.
Refer to Intel SGX Attestation Technical Details for more information on the Intel SGX TCB recovery process.
Further TCB Recovery Guidance for developers is available.
Intel would like to thank Pietro Borrello from Sapienza University of Rome; Andreas Kogler, Martin Schwarzl and Daniel Gruss from Graz University of Technology; Michael Schwarz from CISPA Helmholtz Center for Information Security; and Moritz Lipp from Amazon Web Services for reporting this issue.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.