A potential security vulnerability in some Intel® Processors with Intel® Software Guard Extensions (SGX) may allow information disclosure. Intel is releasing firmware updates to address this potential vulnerability.
CVEID: CVE-2022-38090
Description: Improper isolation of shared resources in some Intel® Processors when using Intel® Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
| Product Collection | Vertical Segment | CPU ID | Platform ID |
|---|---|---|---|
| 10th Generation Intel® Core™ Processor Family | Mobile | 706E5 | 80 |
| Intel® Pentium® Processor Silver Series<br>Intel® Celeron® Processor J Series<br>Intel® Celeron® Processor N Series | Desktop<br>Mobile | 706A1 | 01 |
| Intel® Celeron® Processor J Series<br>Intel® Celeron® Processor N Series | Desktop<br>Embedded Mobile | 706A8 | 01 |
| 9th Generation Intel® Core Processor Family | Desktop | A0671 | 02 |
| 3rd Gen Intel® Xeon® Scalable processor family | Server | 606A6 | 0x87 |
| Intel® Xeon® D Processor | Server | 606C1 | 01 |
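
The CPU ID values listed above are CPUID leaf 1 signatures in hex, so a Linux host can be compared against the list using the family, model and stepping fields of `/proc/cpuinfo`. The following Python is an added example, not code from Intel: the sample cpuinfo text is constructed, and treating Platform ID as a bitmask ANDed with the host's `processor_flags` value is an assumption. The advisory lists no fixed microcode revision, so the running revision is reported, not judged.

```python
import re

# CPU ID -> Platform ID pairs copied from the advisory's affected-products table.
AFFECTED = {0x706E5: 0x80, 0x706A1: 0x01, 0x706A8: 0x01,
            0xA0671: 0x02, 0x606A6: 0x87, 0x606C1: 0x01}

# Constructed sample of /proc/cpuinfo (first logical CPU only); values are illustrative.
SAMPLE = ("processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
          "model\t\t: 126\nmodel name\t: constructed sample CPU\n"
          "stepping\t: 5\nmicrocode\t: 0xa0\n")

def cpuid_signature(family, model, stepping):
    """Pack display family/model/stepping as CPUID leaf 1 EAX encodes them."""
    ext_family = max(family - 0xF, 0)      # only non-zero above family 0xF
    base_family = min(family, 0xF)
    # Extended model (high nibble) is used for family 6 and 0xF parts.
    return ((ext_family << 20) | ((model >> 4) << 16) | (base_family << 8)
            | ((model & 0xF) << 4) | (stepping & 0xF))

def parse_cpuinfo(text):
    """Return (family, model, stepping, microcode revision) of the first CPU."""
    first = text.split("\n\n")[0]
    def field(name, base=10):
        m = re.search(rf"^{name}\s*:\s*(\S+)", first, re.M)
        if m is None:
            raise ValueError(f"{name!r} not found in cpuinfo text")
        return int(m.group(1), base)
    return field("cpu family"), field("model"), field("stepping"), field("microcode", 16)

def check_host(cpuinfo_text, processor_flags=None):
    """Report whether the CPU ID (and, if given, platform flags) is in the table."""
    family, model, stepping, ucode = parse_cpuinfo(cpuinfo_text)
    sig = cpuid_signature(family, model, stepping)
    listed = sig in AFFECTED
    if listed and processor_flags is not None:
        # Assumption: Platform ID is a bitmask matched by AND, as microcode loaders do.
        listed = bool(AFFECTED[sig] & processor_flags)
    return {"cpuid": f"{sig:X}", "listed": listed, "microcode": hex(ucode)}

if __name__ == "__main__":
    try:
        text = open("/proc/cpuinfo").read()
        flags = int(open("/sys/devices/system/cpu/cpu0/microcode/processor_flags").read(), 16)
        print(check_host(text, flags))
    except (OSError, ValueError):
        print(check_host(SAMPLE))          # not Linux/x86: use the constructed sample
```
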
Intel recommends that users of affected Intel® Processors update to the latest firmware version provided by the system manufacturer that addresses these issues.
Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public GitHub repository. Please see details below on access to the microcode:
GitHub*: Public GitHub: <https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files>
This CVE requires a Microcode Security Version Number (SVN) update. To address this vulnerability, an SGX TCB recovery is planned. Refer here for more information on the SGX TCB recovery process.
Attestation responses will change as a result of the TCB Recovery. Refer to the Intel SGX Attestation Technical Details documentation for further details.
The following issue was found internally by an Intel employee. Intel would like to thank Joseph Nuzman for reporting this issue.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.