Vulnerability: CVE-2022-40982 and INTEL-SA-00828.
Date: 14 August 2024
Scope: Intel SGX platforms
The Intel SGX platform provides strong security for customers running workloads in enclaves for isolation and risk reduction. From time to time, issues and vulnerabilities can impact the security of the platform. This bulletin provides details on the impact and how to mitigate it.
References
- MITRE: CVE-2022-40982
- Intel's analysis: INTEL-SA-00828
- Intel's list of affected platforms
- The research paper describing this vulnerability
- The dedicated Downfall web page
Does this impact Anjuna's Security software?
The vulnerability can be exploited on Intel SGX and affects applications running in the Anjuna Runtime for Intel SGX.
Intel provided a firmware update to fix this vulnerability. There is no change required to the Anjuna software.
Vulnerability Summary
Daniel Moghimi identified the Downfall vulnerability during his postdoctoral research at UCSD and published it in the research paper referenced above.
The vulnerability allows an attacker to read sensitive data belonging to processes of other users running on the same computer.
This vulnerability affects workloads running on affected Intel processors, including workloads that run inside Intel SGX secure enclaves.
The Downfall vulnerability is caused by memory optimization features in Intel processors that unintentionally expose internal hardware registers to software. This allows untrusted software to read data that other programs have left in the affected registers. The researcher discovered that the Gather instruction, intended to speed up access to scattered data in memory, leaks the contents of the internal vector register file during speculative execution.
The vulnerability can also affect applications that never use the Gather instruction directly. Modern CPUs rely on vector registers to optimize common operations such as copying memory, swapping register contents, and executing Advanced Encryption Standard instructions (AES-NI). These operations use the same internal hardware buffers and can therefore leak data to untrusted code that exploits Gather.
This vulnerability exists in Intel Core processors from the 6th generation (Skylake) through the 11th generation (Tiger Lake). See Intel's detailed list of affected platforms.
Intel’s analysis of the vulnerability can be found here.
Intel released a microcode update that fixes the vulnerability.
The Intel TCB Recovery Guidance is provided here.
According to this guidance, there are two relevant dates:
- 8/22/2023: from this date, remote attestation can identify whether a given CPU has the patch applied.
- 9/19/2023: from this date, the patch is enforced; on an unpatched platform, generating or verifying an attestation quote fails.
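The two dates above describe a verifier-side policy change: first the TCB level of the platform becomes visible through attestation, then quotes from platforms below the patched level are rejected. The following is an added example, not code from Anjuna or Intel, showing how a quote verifier derives that decision. It assumes the ECDSA quote layout (48-byte header followed by the 384-byte report body whose first 16 bytes are CPUSVN), models TCB levels the way Intel's TCB Info lists them (16 component SVNs plus a PCESVN and a tcbStatus, newest level first), and uses constructed SVN values; real thresholds come from Intel's TCB Info for the platform's FMSPC, and real DCAP verification also checks the quote signature and PCK certificate chain, which this example omits.

```python
"""Added example: matching an SGX quote's CPUSVN/PCESVN against TCB levels.

Not Anjuna's or Intel's code. Quote layout, TCB level values and the
accept/reject policy are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import date
import struct

QUOTE_HEADER_LEN = 48   # assumed sgx_quote3_t header length
REPORT_BODY_LEN = 384   # assumed sgx_report_body_t length
CPUSVN_LEN = 16
ISVSVN_OFFSET = 258     # assumed ISVSVN offset inside the report body

# Dates taken from the Intel TCB Recovery guidance quoted in the bulletin.
IDENTIFY_DATE = date(2023, 8, 22)
ENFORCE_DATE = date(2023, 9, 19)


@dataclass(frozen=True)
class TcbLevel:
    components: tuple   # 16 component SVNs (TCB Info "sgxtcbcomponents")
    pcesvn: int         # TCB Info "pcesvn"
    status: str         # TCB Info "tcbStatus", e.g. "UpToDate", "OutOfDate"
    note: str = ""


# Constructed TCB levels for illustration only, newest first as in TCB Info.
SAMPLE_TCB_LEVELS = (
    TcbLevel((6, 6, 2, 2, 3, 1) + (0,) * 10, 13, "UpToDate",
             "constructed: microcode that carries the fix"),
    TcbLevel((5, 5, 2, 2, 3, 1) + (0,) * 10, 13, "OutOfDate",
             "constructed: microcode from before the fix"),
)


def build_sample_quote(cpusvn, pce_svn, isv_svn=1):
    """Constructed quote bytes for the example. A real quote is produced by
    the Quoting Enclave and carries a signature this example does not check."""
    # version=3, attestation key type=2 (ECDSA P-256), reserved, QE SVN, PCE SVN,
    # then 16-byte vendor id and 20-byte user data (zeroed here).
    header = struct.pack("<HHIHH", 3, 2, 0, 7, pce_svn) + bytes(16) + bytes(20)
    body = bytearray(REPORT_BODY_LEN)
    body[0:CPUSVN_LEN] = bytes(cpusvn)
    struct.pack_into("<H", body, ISVSVN_OFFSET, isv_svn)
    return header + bytes(body)


def parse_quote(quote):
    """Extract the fields a TCB check needs from the assumed quote layout."""
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short")
    version, att_key_type, _reserved, qe_svn, pce_svn = struct.unpack_from("<HHIHH", quote, 0)
    body = quote[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + REPORT_BODY_LEN]
    return {
        "version": version, "att_key_type": att_key_type, "qe_svn": qe_svn,
        "pce_svn": pce_svn, "cpusvn": tuple(body[:CPUSVN_LEN]),
        "isv_svn": struct.unpack_from("<H", body, ISVSVN_OFFSET)[0],
    }


def match_tcb_level(cpusvn, pcesvn, levels):
    """TCB Info matching rule: the first level (newest first) whose every
    component SVN and PCESVN are <= the platform's values. A single component
    below the level's value means the platform is not at that level."""
    for level in levels:
        if len(level.components) != CPUSVN_LEN:
            raise ValueError("TCB level must have 16 components")
        components_ok = all(p >= m for p, m in zip(cpusvn, level.components))
        if components_ok and pcesvn >= level.pcesvn:
            return level
    return None   # below every published level


def verify_tcb(quote, levels, on_date):
    """Return (tcb_status, accepted). Before ENFORCE_DATE the status is only
    reported (identification phase); from ENFORCE_DATE quotes whose status is
    not UpToDate are rejected. A platform below all levels is never accepted."""
    info = parse_quote(quote)
    level = match_tcb_level(info["cpusvn"], info["pce_svn"], levels)
    if level is None:
        return "Unknown", False
    enforcing = on_date >= ENFORCE_DATE
    accepted = (level.status == "UpToDate") or not enforcing
    return level.status, accepted


if __name__ == "__main__":
    patched = build_sample_quote((6, 6, 2, 2, 3, 1) + (0,) * 10, 13)
    unpatched = build_sample_quote((5, 5, 2, 2, 3, 1) + (0,) * 10, 13)
    for day in (date(2023, 9, 1), ENFORCE_DATE):
        print(day, "patched:", verify_tcb(patched, SAMPLE_TCB_LEVELS, day),
              "unpatched:", verify_tcb(unpatched, SAMPLE_TCB_LEVELS, day))
```

The component-wise rule is what makes a microcode update visible to remote parties: the update raises the CPUSVN components reported in the quote, Intel publishes a new TCB level with those minimums, and verifiers that refresh their TCB Info automatically start distinguishing patched from unpatched hosts. A verifier that pins an old TCB Info, or that treats OutOfDate as acceptable, would keep admitting unpatched platforms after 9/19/2023.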
The status of the patch deployment in Azure
This is the information that Azure provided to Anjuna on 8/11/2023:
- Azure started deploying Intel’s patch for both DCsv2 and DCsv3 VMs.
- As Azure is in a controlled maintenance phase, customers have two options:
  - Customers can opt to start maintenance on their own.
  - Customers can wait for the Azure scheduled maintenance to deploy the patch for them. This will be completed by 9/4/2023.
These are the steps provided by Azure for customers who want to initiate the maintenance themselves and deploy the patch (source: "Use the portal for maintenance notifications", Azure Virtual Machines, Microsoft Learn):
You can use the Azure portal to look for VMs scheduled for maintenance.
1. Sign in to the Azure portal.
2. Search for or select Virtual Machines.
3. In the Virtual Machines pane, select the More menu and then select Maintenance -> Virtual machine maintenance to open the list with maintenance columns.
Maintenance status: Shows the maintenance status for the VM. The following are the potential values:
Value | Description
--- | ---
Start now | The VM is in the self-service maintenance window that lets you initiate the maintenance yourself. See below on how to start maintenance on your VM.
Scheduled | The VM is scheduled for maintenance with no option for you to initiate maintenance. You can learn the maintenance window by selecting the Maintenance - Scheduled window in this view or by clicking on the VM.
Already updated | Your VM is already updated and no further action is required at this time.
Retry later | You initiated maintenance and it did not succeed. You will be able to use the self-service maintenance option at a later time.
Retry now | You can retry a previously unsuccessful self-initiated maintenance.
- | Your VM is not part of a planned maintenance wave.
Click on the maintenance notification to see the maintenance page with more details on the planned maintenance. From there, you will be able to start maintenance on your VM.