2024.1 IPU - Intel® Atom® Processor Advisory

Summary:

A potential security vulnerability in some Intel® Atom® Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2023-28746

Description: Information exposure through microarchitectural state after transient execution from some register files for some Intel® Atom® Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected Products:

A list of impacted products can be found here.

Recommendation:

Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop platform firmware and software updates that can help protect systems from these methods.

This includes the releasing of updated microcode to our customers and partners to enable software to mitigate this potential vulnerability. On affected processors, the processor will enumerate RFDS_CLEAR when this microcode is loaded. Intel may enumerate RFDS_NO on the products that are not affected by this issue. Some unaffected parts may only enumerate RFDS_NO when a microcode is update is loaded.

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode:
GitHub*: Public Github: <https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files&gt;

For non Intel® Software Guard Extension (SGX) customers the microcode patch can be OS loadable.

For the mitigation to be effective for Intel® SGX enabled systems, Intel recommends updating the microcode located in platform flash designated by firmware interface table (FIT) entry point1.

Detailed steps on the microcode loading points can be found at:
<https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html&gt;

End users and systems administrators should check with their system manufacturers and system software vendors and apply any available updates as soon as practical.

To address this vulnerability, a SGX TCB recovery is planned, refer here for more information on the SGX TCB recovery process.

Attestation responses will change as a result of the TCB Recovery. Refer to the Intel SGX Attestation Technical Details documentation for further details.

Related Content:

• Technical Paper: Register file data sampling

Acknowledgements:

Intel would like to thank Intel employees Ashwini Gopinath, Jason Brandt, Alyssa Milburn, Wing Wong Shek, Matt Lindstrom for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.