Intel has disclosed several recently discovered vulnerabilities affecting Intel Software Guard Extensions (SGX) and urged users to update their firmware. In total, as of February 14, 31 security bulletins had been added to the Intel Security Center.
Five flaws associated with SGX were also fixed. Two of them involve a potential escalation of privileges, which can lead to information disclosure. That is unacceptable for a feature that is supposed to ensure safe processing of confidential data inside encrypted areas of memory (enclaves).
- CVE-2022-38090 (CVSS: 6.0) affects a number of Intel processors, including the 3rd generation Xeon Scalable server chips. According to Intel, improper isolation of shared resources in some Intel processors when using Intel Software Guard Extensions can allow a privileged user to potentially disclose information through local access.
- CVE-2022-33196 (CVSS: 7.2) also affects the 3rd generation Xeon Scalable chips, as well as Xeon D processors. Intel said it would release BIOS and firmware updates for the affected chips. Regarding this vulnerability, Intel said that the default permissions in some memory controller configurations for some Intel Xeon processors when using Intel Software Guard Extensions can allow a privileged user to escalate privileges through local access.
Intel also fixed an SGX vulnerability in the software development kit (SDK). The flaw, CVE-2022-26509 (CVSS: 2.5), is rated low severity but, according to Intel, can potentially lead to information disclosure through local access due to an improper check of conditions in the software. The company said it would release updates to mitigate the issue.
Another dangerous vulnerability also affects the 3rd generation Xeon Scalable server chips and some Atom processors. CVE-2022-21216 can allow a privileged user to escalate privileges through adjacent network access due to insufficient granularity of access control in out-of-band management. Intel promised to release firmware updates that fix this flaw.