Hi everyone,
It’s the second Tuesday of December 2019, and today we are releasing 11 security advisories ranging from driver updates to firmware and utilities. It should be noted that the majority of these issues were reported to Intel through our bug bounty program, and all of the external researchers worked with us to coordinate today’s disclosure.
For more information on our bug bounty program, please see:
https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html
Here is a summary of today’s disclosure:
Security Advisory ID | Title |
INTEL-SA-00230 | Intel® Dynamic Platform and Thermal Framework Advisory |
INTEL-SA-00237 | Linux Administrative Tools for Intel Network Adapters |
INTEL-SA-00253 | Intel® Ethernet I218 Adapter Driver Advisory |
INTEL-SA-00284 | Intel® FPGA SDK for OpenCL™ Pro Edition |
INTEL-SA-00289 | Intel® CPU Voltage Settings Modification Advisory |
INTEL-SA-00299 | Intel® Control Center Advisory |
INTEL-SA-00311 | Intel® Quartus® Prime Pro Edition Advisory |
INTEL-SA-00312 | Intel® SCS Platform Discovery Utility Advisory |
INTEL-SA-00317 | Unexpected Page Fault in Virtualized Environment Advisory |
INTEL-SA-00323 | Intel® NUC® Firmware Advisory |
INTEL-SA-00324 | Intel® RST Advisory |
For the full list of Intel security advisories, go to: www.intel.com/security
INTEL-SA-00289 is an advisory we worked on with multiple academic researchers. It affects client systems and some Xeon E-based platforms. Some of the researchers have demonstrated the same class of issue on non-Intel architectures. When SGX is enabled on a system, a privileged user may be able to mount an attack by controlling CPU voltage settings, with the potential to impact the confidentiality and integrity of software assets. Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings. We are aware of publications by various academic researchers that have come up with some interesting names for this class of issues, including “VoltJockey” and “Plundervolt”. Please reference the security advisory for affected Intel products and recommendations.
We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible. Your computer manufacturer is the best source for most updates. Click HERE for a list of computer manufacturer support sites.
That’s it for December 2019. Our next scheduled update is January 14, 2020. To stay up to date on Intel security topics, please follow us on Twitter: @intelsecurity.
Thanks,
Jerry Bryant
Director of Communications
Intel Product Assurance and Security