Intel Security Center (www.intel.com), INTEL:INTEL-SA-00289
Mar 20, 2020

Intel® Processors Voltage Settings Modification Advisory


Summary:

A potential security vulnerability in some Intel® Processors may allow escalation of privilege and/or information disclosure. Intel has released firmware updates to system manufacturers to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2019-11157

Description: Improper conditions check in voltage settings for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Affected Products:

Intel® 6th, 7th, 8th, 9th & 10th Generation Core™ Processors.

Intel® Xeon® Processor E3 v5 & v6 and Intel® Xeon® Processor E-2100 & E-2200 Families.

Product Family | Segment | CPUID | Platform ID
---|---|---|---
8th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | 10
8th Generation Intel® Core™ Processor Family | Mobile | 806 EC | 10
8th Generation Intel® Core™ Processor Family | Mobile | 906EA | 22
8th Generation Intel® Core™ Processor Family | Desktop | 906EA | 22
8th Generation Intel® Core™ Processor Family | Mobile | 806EA | C0
8th Generation Intel® Core™ Processor Family | Desktop | 906EB | 2
Intel® Celeron® Processor G Series | Desktop | 906EB | 2
8th Generation Intel® Core™ Processor Family | Desktop | 906EA | 22
Intel® Xeon® Processor E Family | Server | 906EA | 22
Intel® Xeon® Processor E Family | workstation | 906EA | 22
Intel® Xeon® Processor E Family | AMT Server | 906EA | 22
Intel® Xeon® Processor E Family | Server | 906EA | 22
Intel® Xeon® Processor E Family | workstation | 906EA | 22
Intel® Xeon® Processor E Family | AMT Server | 906EA | 22
9th Generation Intel® Core™ Processor Family | Desktop | 906ED | 22
9th Generation Intel® Core™ Processor Family | Desktop | 906ED | 22
10th Generation Intel® Core™ Processor Family | Mobile | 806EC | 94
10th Generation Intel® Core™ Processor Family | Mobile | A0660 | 80
8th Generation Intel® Core™ Processor Family | Mobile | 906 E9 | 2A
7th Generation Intel® Core™ Processor Family | Mobile | 906 E9 | 2A
8th Generation Intel® Core™ Processor Family | Mobile | 806EA | C0
7th Generation Intel® Core™ Processor Family | Desktop | 906 E9 | 2A
7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0
7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0
Intel® Core™ X-series Processors | Desktop | 906 E9 | 2A
Intel® Xeon® Processor E3 v6 Family | Mobile/server/Emb | 906 E9 | 2A
7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0
6th Generation Intel® Core™ Processor Family | Mobile | 506 E3 | 36
6th Generation Intel® Core™ Processor Family | Desktop | 506 E3 | 36
6th Generation Intel® Core™ Processors | Mobile | 406 E3 | C0
6th Generation Intel® Core™ Processor Family | Mobile | 406 E3 | C0
Intel® Xeon® Processor E3 v5 Family | Server/Embed | 506 E3 | 36
6th Generation Intel® Core™ Processors | Mobile | 406 E3 | C0
8th Generation Intel® Core™ Processors | Mobile | 806EB | D0
8th Generation Intel® Core™ Processors | Mobile | 806EC | 80
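
A check against the CPUID column above, as an added example that is not part of Intel's advisory: it rebuilds the CPUID signature from the family/model/stepping fields of Linux `/proc/cpuinfo` text and tests it against the values listed in the table. The function names are hypothetical, the sample cpuinfo text is constructed, and the Platform ID column is not checked.

```python
import re

# CPUID values from the Affected Products table above (spaces removed).
AFFECTED_CPUIDS = {
    0x406E3, 0x506E3, 0x806E9, 0x806EA, 0x806EB, 0x806EC,
    0x906E9, 0x906EA, 0x906EB, 0x906ED, 0xA0660,
}

def cpuid_signature(family, model, stepping):
    """Rebuild CPUID.01H:EAX from the decoded values Linux reports."""
    base_family = min(family, 0xF)
    ext_family = family - base_family          # non-zero only above family 15
    # Linux folds the extended model into "model" for families 6 and >= 15.
    ext_model = model >> 4 if family == 6 or family >= 0xF else 0
    return (ext_family << 20 | ext_model << 16 | base_family << 8
            | (model & 0xF) << 4 | stepping & 0xF)

def signature_from_cpuinfo(text):
    """Parse the first processor entry of /proc/cpuinfo-style text."""
    values = {}
    for key in ("cpu family", "model", "stepping"):
        match = re.search(rf"^{key}\s*:\s*(\d+)\s*$", text, re.MULTILINE)
        if match is None:
            raise ValueError(f"field not found: {key}")
        values[key] = int(match.group(1))
    return cpuid_signature(values["cpu family"], values["model"], values["stepping"])

def is_listed(text):
    """Return (signature, bool) for membership in the advisory's CPUID list."""
    sig = signature_from_cpuinfo(text)
    return sig, sig in AFFECTED_CPUIDS

# Constructed sample input, not captured from a real machine.
SAMPLE_LISTED = """processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 142
model name\t: Constructed Sample CPU
stepping\t: 10
"""
SAMPLE_UNLISTED = SAMPLE_LISTED.replace("142", "85").replace(": 10", ": 4")

if __name__ == "__main__":
    for sample in (SAMPLE_LISTED, SAMPLE_UNLISTED):
        sig, listed = is_listed(sample)
        print(f"CPUID {sig:05X}: {'listed' if listed else 'not listed'} in INTEL-SA-00289")
```

A match only shows that the processor's CPUID appears in the table; whether the mitigation is present depends on the BIOS version supplied by the system manufacturer.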

Recommendations:

Intel recommends that users of the above Intel® Processors update to the latest BIOS version provided by the system manufacturer that addresses these issues.

Intel is conducting an SGX TCB recovery. Refer to Intel® SGX Attestation Technical Details for more information.

Acknowledgements:

Intel would like to thank the following reporters for finding and reporting the vulnerability to us via coordinated disclosure.

Intel thanks University of Birmingham: Kit Murdock, David Oswald, Flavio Garcia, Navjivan Pal; KU Leuven: Jo Van Bulck, Frank Piessens; TU Graz: Daniel Gruss.

Intel thanks Technische Universität Darmstadt: Zijo Kenjar, Tommaso Frassetto, Ahmed-Reza Sadeghi; University of California, Irvine: David Gens, Michael Franz.

Intel thanks University of Maryland: Gang Qu; Tsinghua University: Yongqiang Lyu, Dongsheng Wang; Pengfei Qiu.

Researchers from University of Birmingham, KU Leuven and TU Graz provided Intel with a Paper and Proof of Concept (POC) in June 2019 and researchers from Technische Universität Darmstadt and University of California provided a Paper and Proof of Concept (POC) in early August 2019. Intel subsequently confirmed each submission demonstrated this individually.

Researchers from University of Maryland and Tsinghua University provided Intel with a Paper in late August 2019 describing this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.