Unauthorized error injection in Intel(R) SGX or Intel(R) TDX for some Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access.
Weakness
An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Debian_linux | Debian | 11.0 (including) | 11.0 (including) |
| Debian_linux | Debian | 12.0 (including) | 12.0 (including) |
| Fedora | Fedoraproject | 38 (including) | 38 (including) |
| Red Hat Enterprise Linux 7 | RedHat | microcode_ctl-2:2.1-73.19.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | microcode_ctl-4:20220809-2.20230808.2.el8_8 | * |
| Red Hat Enterprise Linux 9 | RedHat | microcode_ctl-4:20220809-2.20230808.2.el9_2 | * |
| Intel-microcode | Ubuntu | bionic | * |
| Intel-microcode | Ubuntu | devel | * |
| Intel-microcode | Ubuntu | esm-infra-legacy/trusty | * |
| Intel-microcode | Ubuntu | esm-infra/bionic | * |
| Intel-microcode | Ubuntu | esm-infra/focal | * |
| Intel-microcode | Ubuntu | esm-infra/xenial | * |
| Intel-microcode | Ubuntu | focal | * |
| Intel-microcode | Ubuntu | jammy | * |
| Intel-microcode | Ubuntu | lunar | * |
| Intel-microcode | Ubuntu | mantic | * |
| Intel-microcode | Ubuntu | noble | * |
| Intel-microcode | Ubuntu | oracular | * |
| Intel-microcode | Ubuntu | trusty | * |
| Intel-microcode | Ubuntu | trusty/esm | * |
| Intel-microcode | Ubuntu | xenial | * |
Extended Description
To ensure the performance and functional reliability of certain components, hardware designers can implement hardware blocks for redundancy in the case that others fail. This redundant block can be prevented from performing as intended if the design allows unauthorized agents to inject errors into it. In this way, a path with injected errors may become unavailable to serve as a redundant channel. This may put the system into a degraded mode of operation which could be exploited by a subsequent attack.
Potential Mitigations
Related Attack Patterns
References
- http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00837.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00026.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKREYYTWUY7ZDNIB2N6H5BUJ3LE5VZPE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OL7WI2TJCWSZIQP2RIOLWHOKLM25M44J/
- https://security.netapp.com/advisory/ntap-20230915-0003/
- https://www.debian.org/security/2023/dsa-5474
- http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00837.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00026.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HKREYYTWUY7ZDNIB2N6H5BUJ3LE5VZPE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OL7WI2TJCWSZIQP2RIOLWHOKLM25M44J/
- https://security.netapp.com/advisory/ntap-20230915-0003/
- https://www.debian.org/security/2023/dsa-5474