After deprecation, Intel’s SGX technology is still messing with users’ security

Facepalm: Intel determined to desert the in-chip DRM resolution generally known as Software program Guard Extensions (SGX) for its newest shopper CPUs, however the expertise remains to be getting used and developed on server and cloud processors belonging to the Xeon line. Bugs and safety flaws are nonetheless there as effectively.

Simply in time for Microsoft’s Patch Tuesday for February 2023, Intel additionally launched 31 new security advisories for its processor tech on February 14. A few of these advisories are in regards to the SGX CPU extensions, with 5 completely different CVE-listed safety vulnerabilities present in Xeon processors, Core processors, and within the official Software program Growth Package (SDK).

Two of the aforementioned SGX vulnerabilities are associated to a possible privilege escalation that might disclose wise information, which is strictly the type of safety points the SGX extensions had been designed to defeat by using encrypted reminiscence areas generally known as “enclaves.”

The CVE-2022-38090 vulnerability has been categorised with a “medium” CVSS severity degree, and in response to Intel it may convey an “improper isolation of shared assets” in some CPUs when utilizing SGX enclaves for a possible info disclosure through native entry. The affected processors embody the ninth and tenth Gen Core traces (the newest shopper CPUs to offer help for SGX functions), third Gen Xeon Scalable and Xeon D server CPUs.

Moreover, the CVE-2022-33196 vulnerability is about “incorrect default permissions” in some reminiscence controller configurations, which may enable a privileged consumer to allow escalation of privilege through native entry. This explicit bug has a “excessive” severity score, and it solely impacts server-class processors belonging to the third Gen Xeon Scalable and Xeon D traces.

Different SGX-related bugs were found by safety researchers within the SGX official SDK, the place “improper circumstances test” (CVE-2022-26509) and “inadequate management circulation administration” (CVE-2022-26841) may result in a possible info disclosure through native entry. These two vulnerabilities have a “low” safety score, they usually have already been resolved with a brand new SDK software program replace for Home windows and Linux platforms.

As for the CPU-related SGX bugs, Intel recommends putting in the newest accessible firmware updates to keep away from potential points and strengthen system (or server) safety. Firmware updates are additionally essential for non-SGX-related vulnerabilities, as Intel’s February safety advisories present fixes for a high-rated escalation of privileges bug within the Intel Server Platform Companies (SPS) (CVE-2022-36348), a high-rated escalation of privilege flaw through adjoining community entry on third Gen Xeon Scalable processors and extra.