CVE-2022-27499 The Intel(R) SGX SDK premature release may allow a privileged user to potentially enable information disclosure.

Users should consider changing the default password for the privileged user “admin” on all servers.

Affected releases - SGX 1.0, 1.1, 2.0, 2.1. Fixed in - SGX 3.0, 3.1. Reported by - Intel. Description - Intel SGX is a hardware end-to-end data isolation mechanism in Intel(R) processors. It acts as a low-level virtualization mechanism and provides confidentiality and integrity of sensitive data. Intel SGX is enabled in hardware via a software implementation called the Intel(R) SGX Software Development Kit (SDK). It is expected that the software implementation of Intel SGX would be vulnerable to information disclosure. Reported issues may allow a user with local access to potentially read data from another user’s process that is protected by Intel SGX.

Introduction

Intel SGX is a hardware end-to-end data isolation mechanism, which provides confidentiality and integrity of sensitive data. Intel SGX is enabled in hardware via a software implementation called the Intel(R) SGX Software Development Kit (SDK). It is expected that the software implementation of Intel SGX would be vulnerable to information disclosure.
Affected releases - SGX 1.0, 1.1, 2.0, 2.1. Fixed in - SGX 3.0, 3.1. Reported by - Intel. Description - Intel SGX is a hardware end-to-end data isolation mechanism in Intel® processors and provides confidentiality and integrity of sensitive data in privileged user “admin” on all servers without restrictions:
CVE-2022-27499 allows an attacker to potentially read data from another user's process that is protected by Intel® SGX after gaining local access to the server.

CVE-2022-27498

Affected releases - SGX 1.0, 1.1, 2.0, 2.1. Fixed in - SGX 3.0, 3.1. Reported by - Intel and Red Hat Product Security Team (PRS). Description - Intel SGX is a hardware end-to-end data isolation mechanism in Intel(R) processors. It acts as a low-level virtualization mechanism and provides confidentiality and integrity of sensitive data: the ability to prevent users from accessing or modifying data via the processor’s memory bus without authorization from the CPU owner, which is usually an OS kernel or hypervisor running on top of it but can also be another user process with rights to access the same physical memory bus, e.g., an admin account on a server that has been given privileged access to that server’s memory bus through its administrator privileges. The vulnerability allows an unprivileged user to modify the control word of a protected process without being able to subsequently read past it without breaking security, with no other change than rebooting the system or restarting the application under protection of Intel SGX from where it was migrated to, and with no additional changes necessary such as recompiling/reloading code or changing any permissions on files/folders.

CVE-2022-27500

Users should consider changing the default password for the privileged user “admin” on all servers.
Affected releases - SGX 1.0, 1.1, 2.0, 2.1. Fixed in - SGX 3.0, 3.1. Reported by - Intel. Description - Intel SGX is a hardware end-to-end data isolation mechanism in Intel(R) processors. It acts as a low-level virtualization mechanism and provides confidentiality and integrity of sensitive data. Intel SGX is enabled in hardware via a software implementation called the Intel(R) SGX Software Development Kit (SDK). It is expected that the software implementation of Intel SGX would be vulnerable to information disclosure that could allow an attacker to read data from another user’s process that is protected by Intel SGX without first having privileged user access to affected systems or having local access to affected systems with the SDK installed on them unless multiple vulnerabilities are present simultaneously in their presence.

Information disclosure

The Intel SGX SDK software is not designed to be secured against information disclosure. This was discovered by the Intel Security Research Group during research on Intel SGX and may be present in other software implementations. The information disclosure could potentially allow an attacker with local access to read data from another user’s process that is protected by Intel SGX.
