-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2327.4
          3rd Generation Intel Xeon Scalable Processors Advisory
                               11 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel Processors
Publisher:         Intel
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33117

Original Bulletin:
   https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00586.html

Revision History:  November 11 2022: Vendor Update
                   June     14 2022: Updated recommendations
                   May      12 2022: Vendor updated recommendations
                   May      12 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Intel ID:                 INTEL-SA-00586
Advisory Category:        Firmware
Impact of vulnerability:  Information Disclosure
Severity rating:          MEDIUM
Original release:         05/10/2022
Last revised:             10/19/2022

Summary:

A potential security vulnerability in some 3rd Generation Intel Xeon Scalable
Processors may allow information disclosure. Intel is releasing firmware
updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2021-33117

Description: Improper access control for some 3rd Generation Intel(R) Xeon(R)
Scalable Processors before BIOS version MR7 may allow a local attacker to
potentially enable information disclosure via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Affected Products:

+-----------------------------------------+----------+---------------+-------------+------------+
|Product Family                           |Processor |Vertical       |CPU ID       |Platform ID |
|                                         |          |Segment        |             |            |
+-----------------------------------------+----------+---------------+-------------+------------+
|3rd Generation Intel Xeon Scalable       |06_6AH    |Server         |606AX        |0x87        |
|Processors                               |          |               |             |            |
+-----------------------------------------+----------+---------------+-------------+------------+

Recommendations:

Intel recommends updating affected 3rd Generation Intel Xeon Scalable
Processors to BIOS version MR7 or later.

Intel recommends that users enable the technologies used by the BIOS to detect
unauthorized modification of early boot code.

Alternatively, Intel recommends following the steps to update the microcode
patch located in platform flash designated by firmware interface table (FIT)
entry type 1. Details on the firmware interface table layout and types can be
found at:
https://software.intel.com/content/dam/develop/external/us/en/documents/firmware-interface-table-bios-specification-r1p2p1.pdf

Intel is releasing microcode updates, which are available at this GitHub*
repository link:
https://github.com/otcshare/Intel-Generic-Microcode/blob/main/NDA/repository/server/production/m_87_606a6_0d000331.inc

This CVE requires a Microcode Security Version Number (SVN) update. To address
this issue, an Intel SGX TCB Recovery is planned. Details can be found here.
Refer to Intel SGX Attestation Technical Details for more information on the
Intel SGX TCB recovery process. Further TCB Recovery Guidance for developers
is available.

Acknowledgements:

This issue was found internally by Intel employees.
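A way to check the recommendation above across a Linux fleet, added here as an
example that is not part of Intel's advisory or the AusCERT bulletin: the
script rebuilds the CPUID signature from the family/model/stepping fields of
/proc/cpuinfo, matches it against the 606AX row of the affected-products table,
and compares the running microcode revision with the update. The affected
signature (0x606A6) comes from the table; the target revision 0x0D000331 is an
assumption read off the published file name m_87_606a6_0d000331.inc using
Intel's m_<platform>_<cpuid>_<revision>.inc naming convention, and the
/proc/cpuinfo text used as input is constructed for the example.

```python
"""Added example (not part of the Intel advisory or the AusCERT bulletin):
audit Linux hosts for the CPU model named in INTEL-SA-00586 and report whether
the running microcode is at or above the update's revision."""
import re

# CPUID signature of the affected part, taken from the advisory table:
# family 06h, model 6Ah, stepping 6 -> 0x606A6 (the "606AX" row, X = stepping).
AFFECTED_SIGNATURES = {0x606A6}

# ASSUMPTION: revision read off the published file name m_87_606a6_0d000331.inc
# via Intel's m_<platform>_<cpuid>_<revision>.inc convention. Confirm it against
# the vendor release notes before relying on it.
FIXED_MICROCODE_REV = 0x0D000331


def cpuid_signature(family, model, stepping):
    """Rebuild the CPUID leaf-1 EAX signature (family/model/stepping bits only)
    from the decimal "cpu family", "model" and "stepping" values in /proc/cpuinfo."""
    if family >= 0xF:
        base_family, ext_family = 0xF, family - 0xF
    else:
        base_family, ext_family = family, 0
    # The extended-model field is only defined for family 6 and family 15.
    if family in (0x6, 0xF):
        base_model, ext_model = model & 0xF, model >> 4
    else:
        base_model, ext_model = model & 0xF, 0
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | (stepping & 0xF))


def parse_cpuinfo(text):
    """Split /proc/cpuinfo into one dict of fields per logical processor."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "cpu family" in fields:
            cpus.append(fields)
    return cpus


def assess(fields):
    """Return 'not-affected', 'patched' or 'needs-update' for one processor."""
    sig = cpuid_signature(int(fields["cpu family"]), int(fields["model"]),
                          int(fields["stepping"]))
    if sig not in AFFECTED_SIGNATURES:
        return "not-affected"
    # /proc/cpuinfo reports the revision currently loaded, whether it came from
    # the BIOS/FIT patch or from an OS-side late load.
    running_rev = int(fields.get("microcode", "0"), 16)
    return "patched" if running_rev >= FIXED_MICROCODE_REV else "needs-update"


def audit(cpuinfo_text):
    """Map each processor number to its status."""
    return {cpu.get("processor", "?"): assess(cpu)
            for cpu in parse_cpuinfo(cpuinfo_text)}


# Constructed sample in /proc/cpuinfo layout; the revisions are illustrative.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 106
model name\t: constructed sample
stepping\t: 6
microcode\t: 0xd000270

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 106
model name\t: constructed sample
stepping\t: 6
microcode\t: 0xd000331

processor\t: 2
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: constructed sample
stepping\t: 4
microcode\t: 0x2006e05
"""

if __name__ == "__main__":
    import sys
    # Pass --live to read the real /proc/cpuinfo instead of the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/proc/cpuinfo") as f:
            text = f.read()
    else:
        text = SAMPLE_CPUINFO
    for proc, status in audit(text).items():
        print("processor %s: %s" % (proc, status))
```

Two caveats when reading the result: the microcode field shows only the
revision currently loaded, so a host that received the update through an
OS-side late load reports "patched" while the patch in platform flash (the
FIT entry the advisory refers to) may still be the old one, and the script
says nothing about the BIOS version itself, which is what the MR7 advice is
stated against. Treat "patched" as a necessary, not sufficient, check and
pair it with the platform's BIOS inventory.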
Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.

Revision History:

Revision  Date        Description
1.0       05/10/2022  Initial Release
1.1       05/11/2022  Updated recommendations
1.2       06/13/2022  Updated recommendations
1.3       06/27/2022  Updated recommendations
1.4       10/19/2022  Updated SGX TCB Recovery plan Link

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY23o8ckNZI30y1K9AQgQZhAAvRqodd7OCcCRQ5C06A1nyXQV07jO1dwN
gJmSZ0Faq9d0dBhtT3bHXHlPuloKPSUyhQFQSRGEUqUxNy6fru1pCWw70/6r0EPF
ESzNmaWPHRh9gzuxgWQR2+sUW1Vv8lDHrCXwX+niyXyqTDlAto3mnm69FlPl+du0
h+j+mOA4PNiVXXHhkUL09WwdLPuQSs4/nkhq8I2fC+4VPLg4/kUxkAEZCxShgulV
DCTUS+/f2vWrD6gxZn7dZ+9P/V++NudCiidaZlF1y3VFiTnyY+IuVZ9T1bcFG3cf
32IzJQFAZBGJd7vLi2sj8uE2yQwNV6er0Z+ai+0Y5Cx57YzVKXwU+yjDSINm2X5d
iRW4r6Fu9F81y8U+cjCzcZKTM3anbpU7VgXbUW9gjFR56Pb5WuGVr2PVXOWSBhgb
Srz90mZuctZ8prdhQNZvMcZ7xLwxXxxOitxF2KLzSRumnDiDhMPHSkOS6D0pPBkd
8NcGNydtMWAleMQaof/xZl5RCLxvmT15xIbIa/gRN1UtsSCh5PDH8hcC31biv+Rx
N12+jSYfSyhLaJuUceXM+DcfuG+BPiIvO0lckumPhTmNOfde8Nwah/6RzUfIh/8h
kk1pSkTmhITHj+5bEB2bOrOiOePCEtgnfadokD9qScF6lE4EpU8pWGatAf5InrW3
RpzDWuUIJ3M=
=bUqw
-----END PGP SIGNATURE-----