Summary:

A potential security vulnerability in some Intel® Processors may allow escalation of privilege and/or information disclosure. Intel has released firmware updates to system manufacturers to mitigate this potential vulnerability.



Vulnerability Details:

CVEID: CVE-2019-11157

Description: Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access.

CVSS Base Score: 7.9 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Affected Products:

Intel® 6th, 7th, 8th, 9th & 10th Generation Core™ Processors.

Intel® Xeon® Processor E3 v5 & v6 and Intel® Xeon® Processor E-2100 & E-2200 Families.

| Product Family | Segment | CPUID | Platform ID |
|---|---|---|---|
| 8th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | 10 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806 EC | 10 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 906EA | 22 |
| 8th Generation Intel® Core™ Processor Family | Desktop | 906EA | 22 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806EA | C0 |
| 8th Generation Intel® Core™ Processor Family | Desktop | 906EB | 2 |
| Intel® Celeron® Processor G Series | Desktop | 906EB | 2 |
| 8th Generation Intel® Core™ Processor Family | Desktop | 906EA | 22 |
| Intel® Xeon® Processor E Family | Server | 906EA | 22 |
| Intel® Xeon® Processor E Family | workstation | 906EA | 22 |
| Intel® Xeon® Processor E Family | AMT Server | 906EA | 22 |
| Intel® Xeon® Processor E Family | Server | 906EA | 22 |
| Intel® Xeon® Processor E Family | workstation | 906EA | 22 |
| Intel® Xeon® Processor E Family | AMT Server | 906EA | 22 |
| 9th Generation Intel® Core™ Processor Family | Desktop | 906ED | 22 |
| 9th Generation Intel® Core™ Processor Family | Desktop | 906ED | 22 |
| 10th Generation Intel® Core™ Processor Family | Mobile | 806EC | 94 |
| 10th Generation Intel® Core™ Processor Family | Mobile | A0660 | 80 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 906 E9 | 2A |
| 7th Generation Intel® Core™ Processor Family | Mobile | 906 E9 | 2A |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806EA | C0 |
| 7th Generation Intel® Core™ Processor Family | Desktop | 906 E9 | 2A |
| 7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0 |
| 7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0 |
| Intel® Core™ X-series Processors | Desktop | 906 E9 | 2A |
| Intel® Xeon® Processor E3 v6 Family | Mobile/server/Emb | 906 E9 | 2A |
| 7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0 |
| 6th Generation Intel® Core™ Processor Family | Mobile | 506 E3 | 36 |
| 6th Generation Intel® Core™ Processor Family | Desktop | 506 E3 | 36 |
| 6th Generation Intel® Core™ Processors | Mobile | 406 E3 | C0 |
| 6th Generation Intel® Core™ Processor Family | Mobile | 406 E3 | C0 |
| Intel® Xeon® Processor E3 v5 Family | Server/Embed | 506 E3 | 36 |
| 6th Generation Intel® Core™ Processors | Mobile | 406 E3 | C0 |
| 8th Generation Intel® Core™ Processors | Mobile | 806EB | D0 |
| 8th Generation Intel® Core™ Processors | Mobile | 806EC | 80 |

Recommendations:

Intel recommends that users of the above Intel® Processors update to the latest BIOS version provided by the system manufacturer that addresses these issues.

Intel is conducting an SGX TCB recovery. Refer to Intel® SGX Attestation Technical Details for more information.

Acknowledgements:

Intel would like to thank the following reporters for finding and reporting the vulnerability to us via coordinated disclosure.

Intel thanks University of Birmingham: Kit Murdock, David Oswald, Flavio Garcia, Navjivan Pal; KU Leuven: Jo Van Bulck, Frank Piessens; TU Graz: Daniel Gruss.

Intel thanks Technische Universität Darmstadt: Zijo Kenjar, Tommaso Frassetto, Ahmed-Reza Sadeghi; University of California, Irvine: David Gens, Michael Franz.

Intel thanks University of Maryland: Gang Qu; Tsinghua University: Yongqiang Lyu, Dongsheng Wang; Pengfei Qiu.



Researchers from University of Birmingham, KU Leuven and TU Graz provided Intel with a Paper and Proof of Concept (POC) in June 2019, and researchers from Technische Universität Darmstadt and University of California provided a Paper and Proof of Concept (POC) in early August 2019. Intel subsequently confirmed that each submission individually demonstrated this issue.

Researchers from University of Maryland and Tsinghua University provided Intel with a Paper in late August 2019 describing this issue.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.