2024.1 IPU OOB - Intel® Xeon® D Processor Advisory

2024-03-1200:00:00

Intel Security Center

www.intel.com

intel xeon d

software guard extensions

information disclosure

cve-2023-43490

microcode update

system manufacturer

github

os loadable

sgx tcb recovery

firmware interface table

system administrators

coordinated disclosure

6.4 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.3%

JSON

Summary:

A potential security vulnerability in some Intel® Xeon® D Processors with Intel® Software Guard Extensions (SGX) may allow information disclosure. Intel is releasing microcode updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2023-43490

Description: Incorrect calculation in microcode keying mechanism for some Intel® Xeon® D Processors with Intel® SGX may allow a privileged user to potentially enable information disclosure via local access.

CVSS Base Score: 5.3 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Products:

Product Collection

Vertical Segment

CPU ID

Platform ID

—|—|—|—

Intel® Xeon® D Processor

Embedded

606C1

Recommendation:

Intel recommends that users of affected Intel® Processors update to the latest version firmware provided by the system manufacturer that addresses these issues.

Intel has released microcode updates for the affected Intel® Processors that are currently supported on the public github repository. Please see details below on access to the microcode:

GitHub*: Public Github: <https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files>

For non Intel® Software Guard Extension (SGX) customers the microcode patch can be OS loadable.

Detailed steps on the microcode loading points can be found at:

<https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html>

For the mitigation to be effective for Intel® SGX enabled systems, Intel recommends updating the microcode located in platform flash designated by firmware interface table (FIT) entry point1.

To address this vulnerability, a SGX TCB recovery is planned, refer here for more information on the SGX TCB recovery process.

End users and systems administrators should check with their system manufacturers and system software vendors and apply any available updates as soon as practical.

Attestation responses will change as a result of the TCB Recovery. Refer to the Intel SGX Attestation Technical Details documentation for further details.

Acknowledgements:

Intel would like to thank Intel employees for reporting this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.