Intel® Optane™ memory module update

Summary:

Information disclosure vulnerability in storage media in systems with Intel® Optane™ memory module with Whole Disk Encryption may allow an attacker to recover data via physical access.

Description:

Intel identified an issue where some systems configured with Whole Disk Encryption and an Intel® Optane™ memory module, may be at risk of data remaining unencrypted and potentially accessible under specific conditions.

Microsoft* BitLocker is required as the software-based Whole Disk Encryption solution on Intel® Optane™ memory enabled volumes.

Other software-based Whole Disk Encryption solutions are not supported.

Microsoft* BitLocker should be enabled before configuring the Intel® Optane™ memory module. Data migration to the Intel® Optane™ memory module takes place using the Intel® Rapid Storage Technology (Intel® RST) software.

Due to how Intel® RST software migrates data during the Intel® Optane™ memory enabling process, there is a small region on the non-Intel® Optane™ memory module that will be kept hidden from the host operating system. If Microsoft* BitLocker enablement occurs after configuring the Intel® Optane™ memory media device, this small region will not benefit from the Whole Disk Encryption and as a result, end-user data in the small region could possibly be at risk.

Affected products:

The issue potentially affects systems with Intel® Optane™ memory module and Microsoft* BitLocker enabled, based on:

• 7th Gen Intel® Core™ Desktop Processors

• 8th Gen Intel® Core™ Desktop Processors

• 8th Gen Intel® Core™ Mobile Processors

• Intel® Core™ X-Series Processors

• Intel® Xeon® E Processors

Affected configurations:

Intel® Optane™ Memory + Whole Disk Encryption

Configuration

|

Potentially affected by CVE-2018-3619

—|—

Intel® Optane™ Memory

|

SW based Whole Disk Encryption

Y

|

Y

|

Y

Y

|

N

|

N

N

|

Y

|

N

N

|

N

|

N

CVE ID

|

CVE Title

|

CVSSv3 severity

|

CVSSv3 Vectors

—|—|—|—

CVE-2018-3619

|

Information disclosure vulnerability in storage media in systems with Intel® Optane™ memory module with Whole Disk Encryption may allow an attacker to recover data via physical access

|

5.3 (Moderate)

|

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Recommendations:

1. Intel requires users who want Whole Disk Encryption with Intel® Optane™ memory to use Microsoft* BitLocker. The use of other software Whole Disk Encryption solutions is not supported.

2. Enable Microsoft* BitLocker before configuring the Intel® Optane™ memory device.

3. Intel requires following these steps to ensure the Intel® Optane™ memory with Microsoft* BitLocker is configured properly:

• Confirm Microsoft* BitLocker is ON. Check the Microsoft website for instructions: <https://social.technet.microsoft.com/wiki/contents/articles/969.how-to-determine-if-bitlocker-drive-encryption-is-enabled.aspx&gt;
• Follow these steps to ensure your system is properly configured:

1. Launch Intel® RST User Interface(UI)/Intel® Optane™ Memory UI

2. Disable Intel® Optane™ memory

3. Enable Intel® Optane™ memory again

§ Check the following link for detailed instructions to disable and enable Intel® Optane™ memory: <https://www.intel.com/content/dam/support/us/en/documents/memory-and-storage/optane-memory/intel-optane-memory-user-installation.pdf&gt;

§ Refer to section 2.1.4 for disabling Intel® Optane™ and section 2.1.3 for enabling Intel® Optane™ using Intel® Optane™ Memory UI

§ Refer to section 2.2.2 for disabling Intel® Optane™ and section 2.2.1 for enabling Intel® Optane™ using Intel® Optane™ Memory UI

Acknowledgements:

CVE-2018-3619 was discovered by Intel.