Intel Software Guard Extensions (SGX) Vulnerabilities - Lenovo Support US

Lenovo Security Advisory: LEN-21284

**Potential Impact:**Elevation of privilege, information disclosure

Severity: High

Scope of Impact: Industry-wide

**CVE Identifier:**CVE-2017-5736, CVE-2018-3626, CVE-2018-3639, CVE-2018-3640, CVE-2018-3691

Summary Description:

Intel has issued several advisories related to vulnerabilities in the Intel Software Guard Extensions (SGX) function.

Mitigation Strategy for Customers (what you should do to protect yourself):

Intel recommends updating system BIOS as described in Lenovo advisory LEN-22133 to the version (or newer) indicated for your model.

Intel recommends updating Intel SGX Platform Software to version 2.0.1 or later. Refer to the Product Impact section below for supported products.

Intel recommends updating Intel Online Connect. Refer to the Product Impact section below for supported products.

Intel recommends updating Fingerprint Reader software to the version indicated for your model in the Product Impact section below.

Intel also recommends that you update any other SGX applications you are using to incorporate the new SGX Software Development Kit (SDK) and Platform Software. Please contact your SGX application software supplier for these updates. If you wrote the SGX application, follow Intel’s guidance in INTEL-SA-00117, INTEL-SA-00106, and INTEL-SA-00135 to update your application.

Intel will perform a TCB recovery operation starting June 25, 2018. SGX applications that use the Intel Attestation Service and that have not been updated will begin receiving the “GROUP_OUT_OF_DATE” response on July 23, 2018.