LENOVO:PS500317-INTEL-SGX-AND-PROCESSOR-SIDE-CHANNEL-DATA-LEAKAGE-VULNERABILITIES-NOSID
Mar 07, 2020 - 12:32 a.m.

Intel SGX and Processor Side Channel Data Leakage Vulnerabilities - Lenovo Support NL

2020-03-07 00:32:10
support.lenovo.com

CVSS3: 7.8 High

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 4.6 Medium

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

Lenovo Security Advisory: LEN-30553

Potential Impact: Information disclosure, escalation of privilege

Severity: Medium

Scope of Impact: Industry-wide

CVE Identifier: CVE-2020-0551, CVE-2020-0561

Summary Description:

Intel reported potential security vulnerabilities in some Intel Processors that may allow information disclosure.

CVE-2020-0551: Load Value Injection (LVI) in some Intel Processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

Intel reported the following potential security vulnerabilities in some Intel Processors and the Intel Software Guard Extensions (SGX) SDK. These vulnerabilities affect some Lenovo drivers for SGX-enabled fingerprint readers.

CVE-2020-0551: Load Value Injection (LVI) in some Intel Processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

CVE-2020-0561: Intel reported a potential security vulnerability in the Intel Software Guard Extensions (SGX) SDK that may allow a partial loss of integrity.

Mitigation Strategy for Customers (what you should do to protect yourself):

CVE-2020-0551:

SGX Enclaves

Intel recommends applying previous mitigations for L1 Terminal Fault (LEN-24163) and Microarchitectural Data Sampling (MDS) (LEN-26696) to reduce the impact of this vulnerability. Intel has released SGX Platform Software (PSW) and SDK updates to mitigate issues with SGX enclaves. Intel recommends updating affected drivers to the latest version as indicated for your model in the Product Impact section below.

The latest Windows SGX PSW and SDK can be found here: <https://registrationcenter.intel.com/en/forms/?productid=2614>
The latest Linux SGX PSW and SDK can be found here: <https://01.org/intel-software-guard-extensions/downloads>

Operating System (OS) and Virtual Machine Manager (VMM)

Intel recommends applying previous mitigations for Spectre (LEN-22133), TSX Asynchronous Abort (TAA) (LEN-27714), L1 Terminal Fault (LEN-24163), and MDS (LEN-26696) to significantly reduce the impact of this vulnerability.
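
An added example, not part of the Lenovo or Intel advisory: on a Linux host, the kernel reports the state of the prerequisite mitigations named above (Spectre, L1TF, MDS, TAA) under /sys/devices/system/cpu/vulnerabilities, and this sketch summarises them. The function names are hypothetical, and the check says nothing about LVI itself or about SGX PSW/SDK versions.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's view of the mitigations this
# advisory treats as prerequisites for reducing LVI impact.
# Assumption: a Linux kernel that exposes the sysfs vulnerabilities directory.
# Usage: check_lvi_prereqs            (live system)
#        check_lvi_prereqs /some/dir  (a copied directory, e.g. from a fleet scan)
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to OK / PARTIAL / VULNERABLE / UNKNOWN.
classify_status() {
    case "$1" in
        "Vulnerable"*)      echo VULNERABLE ;;
        # Mitigation active, but sibling hyperthreads can still observe data.
        *"SMT vulnerable"*) echo PARTIAL ;;
        "Not affected"*|"Mitigation:"*) echo OK ;;
        *)                  echo UNKNOWN ;;
    esac
}

# Print one line per prerequisite; return 1 if any entry is not OK.
check_lvi_prereqs() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for name in spectre_v1 spectre_v2 l1tf mds tsx_async_abort; do
        if [ -r "$dir/$name" ]; then
            status=$(head -n 1 "$dir/$name")
            verdict=$(classify_status "$status")
        else
            # Older kernels do not know about newer issues and omit the file.
            status="(no sysfs entry; kernel may predate this mitigation)"
            verdict=UNKNOWN
        fi
        printf '%-16s %-10s %s\n' "$name" "$verdict" "$status"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}
```

A PARTIAL or UNKNOWN line means the corresponding earlier advisory (LEN-22133, LEN-24163, LEN-26696 or LEN-27714) still needs attention on that host.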

Software Applications

Intel recommends applying previous mitigations for Microarchitectural Data Sampling (MDS) (LEN-26696) to reduce the impact of this vulnerability. Refer to Intel's Deep Dive: Managed Runtime Speculative Execution Side Channel Mitigations for additional guidance.

CVE-2020-0561: Intel recommends updating affected drivers to the latest version as indicated for your model in the Product Impact section below.


Product Impact:

To download the version specified for your product below, follow these steps:

  1. Navigate to your product's Drivers & Software page by going to https://support.lenovo.com/. PRC users should go to <https://newsupport.lenovo.com.cn/>
  2. Search for your product by name or machine type.
  3. Click Drivers & Software on the left menu panel.
  4. Click on Manual Update to browse by Component type.
  5. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Alternatively, if applicable for your product, you may use Lenovo Vantage or Windows Update to update to the latest available version. To confirm you are using the minimum fix version (or higher), go to Add/Remove Programs and check the version listed there.
