IPAS: Security Advisories for December 2019

Hi everyone,

It’s the second Tuesday of December 2019, and today we are releasing 11 security advisories ranging from driver updates to firmware and utilities. It should be noted that the majority of these issues were reported to Intel through our bug bounty program, and all of the external researchers worked with us to coordinate today’s disclosure.

For more information on our bug bounty program, please see:

https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html

Here is a summary of today’s disclosure:

Security Advisory ID    Title
INTEL-SA-00230          Intel® Dynamic Platform and Thermal Framework Advisory
INTEL-SA-00237          Linux Administrative Tools for Intel Network Adapters
INTEL-SA-00253          Intel® Ethernet I218 Adapter Driver Advisory
INTEL-SA-00284          Intel® FPGA SDK for OpenCL™ Pro Edition
INTEL-SA-00289          Intel® CPU Voltage Settings Modification Advisory
INTEL-SA-00299          Intel® Control Center Advisory
INTEL-SA-00311          Intel® Quartus® Prime Pro Edition Advisory
INTEL-SA-00312          Intel® SCS Platform Discovery Utility Advisory
INTEL-SA-00317          Unexpected Page Fault in Virtualized Environment Advisory
INTEL-SA-00323          Intel® NUC® Firmware Advisory
INTEL-SA-00324          Intel® RST Advisory

For the full list of Intel security advisories, go to: www.intel.com/security

INTEL-SA-00289 is an advisory we worked on with multiple academic researchers that affects client systems and some Xeon E-based platforms. Some of the researchers have demonstrated the same class of issue on non-Intel architectures. When SGX is enabled on a system, a privileged user may be able to mount an attack through the control of CPU voltage settings with the potential to impact the confidentiality and integrity of software assets. Intel has worked with system vendors to develop a microcode update that mitigates the issue by locking voltage to the default settings. We are aware of publications by various academic researchers that have come up with some interesting names for this class of issues, including “VoltJockey” and “Plundervolt”. Please reference the security advisory for affected Intel products and recommendations.

We are not aware of any of these issues being used in the wild, but as always, we recommend installing security updates as soon as possible. Your computer manufacturer is the best source for most updates. Click HERE for a list of computer manufacturer support sites.

That’s it for December 2019. Our next scheduled update is January 14, 2020. To stay up to date on Intel security topics, please follow us on Twitter: @intelsecurity.

Thanks,

Jerry Bryant
Director of Communications
Intel Product Assurance and Security