Facepalm: Intel decided to abandon the in-chip DRM solution known as Software Guard Extensions (SGX) for its latest client CPUs, but the technology is still being used and developed on server and cloud processors belonging to the Xeon line. Bugs and security flaws are still there as well.
Just in time for Microsoft’s Patch Tuesday for February 2023, Intel also released 31 new security advisories for its processor tech on February 14. Some of those advisories are about the SGX CPU extensions, with five different CVE-listed security vulnerabilities found in Xeon processors, Core processors, and in the official Software Development Kit (SDK).
Two of the aforementioned SGX vulnerabilities are related to a potential privilege escalation that could disclose sensible data, which is exactly the kind of security issues the SGX extensions were designed to defeat by employing encrypted memory areas known as “enclaves.”
The CVE-2022-38090 vulnerability has been classified with a “medium” CVSS severity level, and according to Intel it could bring an “improper isolation of shared resources” in some CPUs when using SGX enclaves for a potential information disclosure via local access. The affected processors include the 9th and 10th Gen Core lines (the latest client CPUs to provide support for SGX applications), 3rd Gen Xeon Scalable and Xeon D server CPUs.
Furthermore, the CVE-2022-33196 vulnerability is about “incorrect default permissions” in some memory controller configurations, which could allow a privileged user to enable escalation of privilege via local access. This particular bug has a “high” severity rating, and it only affects server-class processors belonging to the 3rd Gen Xeon Scalable and Xeon D lines.
Other SGX-related bugs were found by security researchers in the SGX official SDK, where “improper conditions check” (CVE-2022-26509) and “insufficient control flow management” (CVE-2022-26841) could lead to a potential information disclosure via local access. These two vulnerabilities have a “low” security rating, and they have already been resolved with a new SDK software update for Windows and Linux platforms.
As for the CPU-related SGX bugs, Intel recommends installing the latest available firmware updates to avoid potential issues and strengthen system (or server) security. Firmware updates are also important for non-SGX-related vulnerabilities, as Intel’s February security advisories provide fixes for a high-rated escalation of privileges bug in the Intel Server Platform Services (SPS) (CVE-2022-36348), a high-rated escalation of privilege flaw via adjacent network access on 3rd Gen Xeon Scalable processors and more.