Information disclosure and escalation of privilege via limited physical presence.
Source: HP, HP Product Security Response Team (PSRT)
Reported by: Intel
Intel platforms, starting with Skylake, support a USB 3-based debugging interface (a.k.a. Direct Connect Interface or DCI), which, if enabled, allows inspection/modification of hardware configuration and memory.
The existing UEFI setting restrictions for DCI (Direct Connect Interface) in the 5th and 6th generation Intel® Xeon® Processor E3 Family, Intel® Xeon® Scalable processors, and Intel® Xeon® Processor D Family allow a limited physical presence attacker to access platform secrets via debug interfaces.
This vulnerability potentially affects platforms using the following processors:
Intel® Xeon® Scalable processors
Intel® Xeon® Processor E3 v6 Family (Kaby Lake)
Intel® Xeon® Processor E3 v5 Family (Skylake)
Intel® Xeon® Processor D Family (Skylake-D)
Potentially affected products are not subject to this vulnerability if any of the following is true:
**EFI Secure Boot is enabled**: This prevents the loading of malicious option ROMs. This also assumes the DCI Control setup field is equally protected.
Boot Guard is enabled: Settings limit enabling of DCI capabilities.
User Control through a UEFI variable has been disconnected from DCI Policy AND the DCI Policy has been set to disabled: This eliminates the ability to enable the DCI.
HPI has reviewed its potentially affected systems and has determined that, as shipped, these systems have at least one of the mitigating settings listed above and are, therefore, not exposed to this issue. Specifically, DCI support has been removed, which means user control through a UEFI variable has been disconnected from DCI policy, and the DCI policy has been disabled. There are no user-accessible settings to enable DCI.
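A defender-side check for the first mitigation listed above (EFI Secure Boot enabled), added here as an example and not code from HP or Intel. It assumes a Linux host with efivarfs mounted and the `msr` kernel module loaded, and additionally decodes the processor's IA32_DEBUG_INTERFACE MSR (0xC80) as a related indicator of whether silicon debug features are enabled and locked; that MSR is not a direct readout of the DCI policy this advisory describes.

```python
import struct

# efivarfs path of the SecureBoot variable (standard EFI global variable vendor GUID).
SECUREBOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# IA32_DEBUG_INTERFACE MSR (Intel SDM): bit 0 = enable, bit 30 = lock, bit 31 = debug occurred.
IA32_DEBUG_INTERFACE = 0xC80


def parse_secureboot_efivar(raw: bytes) -> bool:
    """efivarfs prepends a 4-byte attribute field; the SecureBoot payload is a single byte (1 = on)."""
    if len(raw) < 5:
        raise ValueError("efivar payload too short")
    return raw[4] == 1


def decode_debug_interface(msr: int) -> dict:
    """Split the IA32_DEBUG_INTERFACE value into its three documented flags."""
    return {
        "enabled": bool(msr & 1),
        "locked": bool(msr & (1 << 30)),
        "debug_occurred": bool(msr & (1 << 31)),
    }


def read_msr(index: int, cpu: int = 0) -> int:
    """Read one 64-bit MSR through /dev/cpu/N/msr (needs root and the msr module)."""
    with open(f"/dev/cpu/{cpu}/msr", "rb", buffering=0) as f:
        f.seek(index)
        return struct.unpack("<Q", f.read(8))[0]


def assess(secure_boot: bool, dbg: dict) -> list:
    """Return human-readable findings; an empty list means nothing of concern was observed."""
    findings = []
    if not secure_boot:
        findings.append("EFI Secure Boot disabled: loading of malicious option ROMs is not blocked")
    if dbg["enabled"]:
        findings.append("IA32_DEBUG_INTERFACE enabled: silicon debug features are active")
    if not dbg["locked"]:
        findings.append("IA32_DEBUG_INTERFACE not locked: the setting can still change before next reset")
    if dbg["debug_occurred"]:
        findings.append("debug-occurred sticky bit set: a debug session happened since reset")
    return findings


if __name__ == "__main__":
    try:
        sb = parse_secureboot_efivar(open(SECUREBOOT_EFIVAR, "rb").read())
        dbg = decode_debug_interface(read_msr(IA32_DEBUG_INTERFACE))
    except OSError as exc:
        raise SystemExit(f"need root, efivarfs and the msr module: {exc}")
    for line in assess(sb, dbg) or ["no findings"]:
        print(line)
```

The constructed efivar bytes in the test mirror what efivarfs returns (attributes 0x07 followed by the value byte); on a real system only the two reads in the main block differ.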