Read on Twitter
Congratulations Intel: a whole blog post about tons of issues¹ and the link to the "including CVE-2019-0169 which has a CVSS score of 9.6 (critical)" sends you to the home page. Still reserved at MITRE² (created Nov 2018!!).
_
¹ https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/
² http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0169
_
¹ https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/
² http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0169
As the only "up to 9.6" vulnerability the candidate is SA-00241¹ which is a collection of RCEs and others related to remote management (ME, AMT, CSME, DAL).
_
¹ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html
_
¹ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html
Far more interesting (we knew not to trust ME & friends) are:
* SA-0220 - SGX & TXT priv escalation - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00220.html
* SA-0240 - SMM & TXT priv escalation - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00240.html
* SA-0280 - IPU & UEFI - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00280.html
plus a couple of Ethernet card ones :)
* SA-0220 - SGX & TXT priv escalation - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00220.html
* SA-0240 - SMM & TXT priv escalation - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00240.html
* SA-0280 - IPU & UEFI - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00280.html
plus a couple of Ethernet card ones :)
OK, so reading through them…
* SA-0313 - BMC¹ firmware priv escalation (more remote management rubbish)
* SA-0287/288 - Wireless drivers & firmware
* SA-0210 is interesting - a machine check error with DoS potential https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00210.html
__
¹ Baseband Management Controller
* SA-0313 - BMC¹ firmware priv escalation (more remote management rubbish)
* SA-0287/288 - Wireless drivers & firmware
* SA-0210 is interesting - a machine check error with DoS potential https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00210.html
__
¹ Baseband Management Controller
The SA-0210 is interesting because it apparently causes a machine check error with “improper invalidation for page table updates”. I wonder if there is more to be milked from this one.
SA-0270 explains the Xen XSA-305 embargoed vulnerability¹…
__
¹ https://twitter.com/cynicalsecurity/status/1194342553111482368
SA-0270 explains the Xen XSA-305 embargoed vulnerability¹…
__
¹ https://twitter.com/cynicalsecurity/status/1194342553111482368
SA-0270 is a “TSX Asynchronous Abort” - this one makes me laugh because TSX is meant to be the “transactional extension” and, well, “asynchronous aborts happen” in transactional loads (sorry, ex-Tandem here… different era).
Moral: don’t let commodity vendors do mainframe...
Moral: don’t let commodity vendors do mainframe...
SA-0164 is another beauty: if you use TXT (“Trusted eXecution”, i.e. kills you reliably) and happen to have a graphics processor then you get “information disclosure” (i.e. you get to read protected memory)¹. This goes with 0219 which is same for SGX!
__
¹ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00164.html
__
¹ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00164.html
SA-0219¹ combined with 0164 is really a nice double whammy although you could argue that you would rarely run server-side “Intel Processor Graphics” unless you have an el-cheapo server with Xeon Esomething.
Now we get to the one I am really into…
__ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00219.html
Now we get to the one I am really into…
__ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00219.html
SA-0271¹ is about the voltage modulation interface being used for DoS. This is something I’ve been working on (not on Intel) for “reasons” for a long time, i.e. taking the processor out of spec and seeing what opens up. Because of the programmability
__
¹ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html
__
¹ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00271.html
of many parameters which were once, at best, in the domain of the BIOS or other on-board firmware the possibility of “edge case spec” attacks is becoming a distinct possibility (and indeed, for things I’m working on, a reality).
I would call 0271 “a preview of things to come”…
I would call 0271 “a preview of things to come”…
We close this tweetstorm with the inevitable SMM issue, again linked with “Intel Processor Graphics” (someone forgot to isolate the GPU from the cores a tad better?).
SA-0254¹ is another “information disclosure” for processors with embedded GPUs.
__
¹ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00254.html
SA-0254¹ is another “information disclosure” for processors with embedded GPUs.
__
¹ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00254.html
Time for some classification of SAs:
* 0219, 0271, 0254, 0164, 0260 - there’s a problem in the isolation on processors with embedded GPUs
* 0241, 0313 - Intel remote management is bad
* 0271 - there’s an edge case issue in voltage :)
* 0255, 0242, 0287, 0288 - firmware hard
…
* 0219, 0271, 0254, 0164, 0260 - there’s a problem in the isolation on processors with embedded GPUs
* 0241, 0313 - Intel remote management is bad
* 0271 - there’s an edge case issue in voltage :)
* 0255, 0242, 0287, 0288 - firmware hard
…
(cont’d)
* 0220, 0240, 0293 - SGX and TXT, “enough firmware will clean us of these deeds”
* 0210 another edge case, I bet
* 0270 “Intel is not a mainframe company and we are removing the extension anyway”
EOF
* 0220, 0240, 0293 - SGX and TXT, “enough firmware will clean us of these deeds”
* 0210 another edge case, I bet
* 0270 “Intel is not a mainframe company and we are removing the extension anyway”
EOF
