Intel Security Center | INTEL:INTEL-SA-00548
History: Oct 12, 2021 - 12:00 a.m.

Intel® SGX SDK Advisory

www.intel.com

EPSS: 0.0004 Low

Percentile: 12.8%

Summary:

A potential security vulnerability in Intel® Software Guard Extensions (SGX) Software Development Kit (SDK) applications compiled for SGX2-enabled processors may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2021-0186

Description: Improper input validation in the Intel® SGX SDK applications compiled for SGX2-enabled processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 8.2 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Products:

Intel SGX SDK for Windows v2.12 and earlier.

Intel SGX SDK for Linux v2.13 and earlier.

Intel® Processors supporting SGX2:

Code Name | Product Collection
---|---
Ice Lake Xeon-SP (HCC, XCC) | 3rd Gen Intel® Xeon® Scalable processor family
Ice Lake | 10th Generation Intel® Core™ Processor Family
Gemini Lake | Intel® Pentium® Processor Silver Series, Intel® Celeron® Processor J Series, Intel® Celeron® Processor N Series

Recommendations:

Intel recommends updating the Intel® SGX SDK to the versions listed below. Enclaves built with the new Intel® SGX SDK version should increment the value of their ISVSVN field.

Intel® SGX SDK for Windows to version 2.13 or later: <https://registrationcenter.intel.com/en/products/download/3407/>

Intel® SGX SDK for Linux to version 2.14 or later: <https://01.org/intel-software-guard-extensions/downloads>
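
A build-pipeline check for the two recommendations above, added here as an example and not taken from Intel's advisory or SDK: it compares the SDK version numerically against the fixed releases and confirms that the rebuilt enclave's ISVSVN is higher than the previous one. It assumes the enclave configuration is XML with an `ISVSVN` element under `EnclaveConfiguration`; the function names and sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# First fixed SDK release per platform, from the advisory's recommendations.
FIXED_SDK = {"windows": (2, 13), "linux": (2, 14)}

def parse_version(text):
    """Turn 'v2.13' or '2.13.100.4' into a (major, minor) tuple of ints."""
    parts = text.strip().lstrip("vV").split(".")
    return int(parts[0]), int(parts[1])

def sdk_is_fixed(platform, version):
    # Tuple comparison is numeric, so 2.9 correctly sorts below 2.13.
    return parse_version(version) >= FIXED_SDK[platform.lower()]

def read_isvsvn(config_xml):
    """Read ISVSVN from enclave configuration XML text (decimal or 0x hex)."""
    node = ET.fromstring(config_xml).find("ISVSVN")
    if node is None or not (node.text or "").strip():
        raise ValueError("enclave configuration has no ISVSVN element")
    return int(node.text.strip(), 0)

def audit_rebuild(platform, sdk_version, old_config, new_config):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not sdk_is_fixed(platform, sdk_version):
        want = ".".join(map(str, FIXED_SDK[platform.lower()]))
        findings.append(
            f"SDK {sdk_version} on {platform} is affected; need {want} or later")
    old_svn, new_svn = read_isvsvn(old_config), read_isvsvn(new_config)
    if new_svn <= old_svn:
        findings.append(f"ISVSVN not incremented ({old_svn} -> {new_svn})")
    return findings

# Constructed sample configurations (assumed layout, values invented).
OLD_CONFIG = ("<EnclaveConfiguration><ProdID>0</ProdID>"
              "<ISVSVN>3</ISVSVN></EnclaveConfiguration>")
NEW_CONFIG = ("<EnclaveConfiguration><ProdID>0</ProdID>"
              "<ISVSVN>4</ISVSVN></EnclaveConfiguration>")

if __name__ == "__main__":
    # Rebuilt with an affected SDK and an unchanged ISVSVN: two findings.
    print(audit_rebuild("linux", "2.13", OLD_CONFIG, OLD_CONFIG))
    # Rebuilt with a fixed SDK and a bumped ISVSVN: no findings.
    print(audit_rebuild("linux", "2.14", OLD_CONFIG, NEW_CONFIG))
```

Raising ISVSVN lets relying parties and sealing policies distinguish enclaves rebuilt with the fixed SDK from earlier builds.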

Acknowledgements:

Intel would like to thank Jinhua Cui, National University of Defense Technology and National University of Singapore, Shweta Shinde, ETH Zurich, Zhijingcheng Yu, National University of Singapore, and Prateek Saxena, National University of Singapore for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
