IPAS: Security Advisories for March 2020

Hi everyone,

It’s the second Tuesday in March 2020 and today we released 9 security advisories. For full details on these advisories, please visit the Intel Security Center.

Security Advisory ID Title Highest CVSS Score
INTEL-SA-00354 Intel® Smart Sound Technology Advisory 8.6
INTEL-SA-00315 Intel® Graphics Driver Advisory 8.4
INTEL-SA-00352 BlueZ Advisory 8.3
INTEL-SA-00343 Intel® NUC™ Firmware Advisory 7.8
INTEL-SA-00349 Intel® MAX® 10 FPGA Advisory 6.1
INTEL-SA-00319 Intel® FPGA Programmable Acceleration Card N3000 Advisory 6
INTEL-SA-00330 Snoop Assisted L1D Sampling Advisory 5.6
INTEL-SA-00334 Intel® Processors Load Value Injection Advisory 5.6
INTEL-SA-00326 Intel® Optane™ DC Persistent Memory Module Management Software Advisory 4.4

 

Concerning INTEL-SA-00334, “Intel® Processor Load Value Injection” (LVI) we are aware that research on this has been published and we are providing more information for customers. Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now. These work in conjunction with previously released mitigations to substantively reduce the overall attack surface associated with speculative execution side channels.

To mitigate the potential exploits of LVI on platforms and applications utilizing Intel SGX, Intel is releasing updates to the SGX Platform Software and SDK starting today. The Intel SGX SDK includes guidance on how to mitigate LVI for Intel SGX application developers. Intel has likewise worked with our industry partners to make application compiler options available and will conduct an SGX TCB Recovery. Refer to the Intel SGX Attestation Technical Details for more information.

You can find the LVI whitepaper HERE.

Today we have also released a paper titled “Refined Speculative Execution Terminology” to aid in greater precision in describing speculative execution vulnerabilities and to build better alignment with the terms being used by the research community.

You can find the Refined Speculative Execution Terminology paper HERE.

Finally, we are aware of new “Rowhammer” research that was published today. This is not an Intel processor vulnerability. Vulnerability to this issue varies across DRAM designs and DRAM manufacturing process nodes. Enabling Error Correcting Code (ECC) and/or utilizing memory refresh rates greater than 1X can reduce susceptibility to this and other potential Rowhammer-style attacks. Intel recommends contacting your DRAM supplier to assess the appropriate mitigations for your system.

Our next scheduled security advisory release in April 14, 2020.

Jerry Bryant
Director of Communications
Intel Product Assurance and Security

Leave a Reply

Your email address will not be published. Required fields are marked *

Name *