2023.1 IPU - Intel® Processor Advisory

Summary:

A potential security vulnerability in some Intel® Processors with Intel® Software Guard Extensions (SGX) may allow information disclosure.** **Intel is releasing firmware updates to address this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2022-38090

Description: Improper isolation of shared resources in some Intel® Processors when using Intel® Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 6.0 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Products:

Product Collection

|

Vertical Segment

|

CPU ID

|

Platform ID

—|—|—|—

10th Generation Intel® Core™ Processor Family

|

Mobile

|

706E5

|

80

Intel® Pentium® Processor Silver Series

Intel® Celeron® Processor J Series

Intel® Celeron® Processor N Series"

|

Desktop

Mobile

|

706A1

|

01

Intel® Celeron® Processor J Series

Intel® Celeron® Processor N Series

|

Desktop
Embedded Mobile

|

706A8

|

01

9th Generation Intel® Core Processor Family

|

Desktop

|

A0671

|

02

3rd Gen Intel® Xeon® Scalable processor family

|

Server

|

606A6

|

0x87

Intel® Xeon® D Processor

|

Server

|

606C1

|

01

Recommendations:

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses these issues.

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode:

GitHub*: Public Github: <https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files&gt;

This CVE requires a Microcode Security Version Number (SVN) update. To address this vulnerability, a SGX TCB recovery is planned, refer here for more information on the SGX TCB recovery process.

Attestation responses will change as a result of the TCB Recovery. Refer to the Intel SGX Attestation Technical Details documentation for further details.****

Acknowledgements:

The following issue was found internally by Intel employee. Intel would like to thank Joseph Nuzman for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.