It’s the second Tuesday in March 2020 and today we released 9 security advisories. For full details on these advisories, please visit the Intel Security Center.
| Security Advisory ID | Title | Highest CVSS Score |
|---|---|---|
| INTEL-SA-00354 | Intel® Smart Sound Technology Advisory | 8.6 |
| INTEL-SA-00315 | Intel® Graphics Driver Advisory | 8.4 |
| INTEL-SA-00343 | Intel® NUC™ Firmware Advisory | 7.8 |
| INTEL-SA-00349 | Intel® MAX® 10 FPGA Advisory | 6.1 |
| INTEL-SA-00319 | Intel® FPGA Programmable Acceleration Card N3000 Advisory | 6 |
| INTEL-SA-00330 | Snoop Assisted L1D Sampling Advisory | 5.6 |
| INTEL-SA-00334 | Intel® Processors Load Value Injection Advisory | 5.6 |
| INTEL-SA-00326 | Intel® Optane™ DC Persistent Memory Module Management Software Advisory | 4.4 |
Concerning INTEL-SA-00334, “Intel® Processor Load Value Injection” (LVI), we are aware that research on this has been published, and we are providing more information for customers. Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real-world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now. These work in conjunction with previously released mitigations to substantively reduce the overall attack surface associated with speculative execution side channels.
To mitigate the potential exploits of LVI on platforms and applications utilizing Intel SGX, Intel is releasing updates to the SGX Platform Software and SDK starting today. The Intel SGX SDK includes guidance on how to mitigate LVI for Intel SGX application developers. Intel has likewise worked with our industry partners to make application compiler options available and will conduct an SGX TCB Recovery. Refer to the Intel SGX Attestation Technical Details for more information.
You can find the LVI whitepaper HERE.
Today we have also released a paper titled “Refined Speculative Execution Terminology” to aid in greater precision in describing speculative execution vulnerabilities and to build better alignment with the terms being used by the research community.
You can find the Refined Speculative Execution Terminology paper HERE.
Finally, we are aware of new “Rowhammer” research that was published today. This is not an Intel processor vulnerability. Vulnerability to this issue varies across DRAM designs and DRAM manufacturing process nodes. Enabling Error Correcting Code (ECC) and/or utilizing memory refresh rates greater than 1X can reduce susceptibility to this and other potential Rowhammer-style attacks. Intel recommends contacting your DRAM supplier to assess the appropriate mitigations for your system.
Our next scheduled security advisory release is April 14, 2020.
Director of Communications
Intel Product Assurance and Security