Intel Security Center: INTEL-SA-00603
Published: Feb 28, 2023

Intel® SGX Linux Kernel Drivers Advisory

Source: Intel Security Center, www.intel.com

Summary:

A potential security vulnerability in Intel® SGX Linux kernel drivers may allow denial of service. Intel is working with the Linux kernel maintainers to create a mitigation.

Vulnerability Details:

CVEID: CVE-2021-33135

Description: Uncontrolled resource consumption in the Linux kernel drivers for Intel® SGX may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 3.2 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L

Affected Products:

Intel® SGX Linux kernel driver from Intel, version 2.14 and earlier.

Linux kernel driver for Intel® SGX from upstream/kernel.org.

Recommendations:

Intel® SGX Linux kernel driver mitigation guidance for users of the out-of-tree SGX Data Center Attestation Primitives (DCAP) drivers available at <https://download.01.org/intel-sgx/sgx-dcap/>:

  • Require a specific user group to access /dev/sgx_enclave, the device node for loading SGX enclaves.
    • In newer distribution releases with systemd v248 or later, this is enforced by default using the predefined system group “sgx”.
    • Known distro versions with systemd version 248 or later include Ubuntu 21.10, 22.04 and SUSE 15.4. Users may check the systemd version using the command “systemctl --version” and/or check for the existence of the “sgx” group using the command “getent group sgx”.
  • Partition “sgx” enclave apps into separate virtual machines, as if they were from different tenants in a cloud service provider environment.
  • Other general practices, such as running applications with least privilege and only allowing known applications to be installed, are also recommended.
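A small POSIX shell helper that audits the first recommendation on a host, added here as an example and not taken from the advisory or from Intel. The device path /dev/sgx_enclave, the group name “sgx” and the systemd 248 threshold come from the advisory; the function names, the GNU `stat` format strings and the sample strings used for checking are constructed for this example.

```sh
#!/bin/sh
# Added audit helper, not part of the Intel advisory. It checks the
# conditions the advisory's first recommendation relies on: the device node
# /dev/sgx_enclave is group-restricted to "sgx", systemd is v248 or later,
# and the "sgx" group exists. Device path, group name and version threshold
# come from the advisory; the function names and sample strings are
# constructed for this example.

# Return 0 when the first line of `systemctl --version` output names a
# systemd release of 248 or later (the release the advisory cites as
# applying the sgx group restriction by default).
systemd_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] && [ "$ver" -ge 248 ]
}

# Return 0 when a device node's octal mode (as printed by GNU `stat -c %a`)
# grants nothing to "other" and its owning group (as printed by `stat -c %G`)
# is "sgx". A world-accessible node such as mode 666 fails this check.
device_restricted() {
    mode=$1
    group=$2
    case "$mode" in
        *0) ;;            # last digit 0: no r/w/x bits for "other"
        *)  return 1 ;;
    esac
    [ "$group" = "sgx" ]
}

# Return 0 when `getent group sgx` output shows the group is defined.
sgx_group_present() {
    case "$1" in
        sgx:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Live check against this host. Each finding is printed; the function
# returns 1 if any of the three conditions fails.
audit_host() {
    dev=/dev/sgx_enclave
    status=0
    if [ ! -e "$dev" ]; then
        echo "$dev not present; no SGX enclave device to check"
        return 0
    fi
    if device_restricted "$(stat -c %a "$dev")" "$(stat -c %G "$dev")"; then
        echo "OK:   $dev is group-restricted to sgx"
    else
        echo "WARN: $dev is not restricted to the sgx group ($(stat -c '%a %U:%G' "$dev"))"
        status=1
    fi
    if command -v systemctl >/dev/null 2>&1 && systemd_version_ok "$(systemctl --version 2>/dev/null)"; then
        echo "OK:   systemd 248 or later, default sgx rule expected"
    else
        echo "WARN: systemd older than 248 or not found; sgx restriction is not applied by default"
        status=1
    fi
    if sgx_group_present "$(getent group sgx 2>/dev/null)"; then
        echo "OK:   sgx group exists"
    else
        echo "WARN: sgx group missing"
        status=1
    fi
    return $status
}

# Run the live audit when the script is executed.
audit_host
```

On a host whose systemd predates 248, the same restriction can be applied by hand: create the sgx group and add a udev rule under /etc/udev/rules.d matching `KERNEL=="sgx_enclave"` with `GROUP="sgx"` and `MODE="0660"`; that rule text is an assumption for illustration, not quoted from systemd or from the advisory, and the helper above will report OK once it is in effect.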

Acknowledgements:

This issue was found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.