Intel has identified critical security vulnerabilities within its Software Guard Extensions Software Development Kit (SGX SDK). These vulnerabilities, officially tracked as CVE-2019-14566 and CVE-2019-14565, pose significant risks to applications built using affected versions of the SGX SDK. This security bulletin, designated 00293 for internal tracking and reference, urges developers to take immediate action to mitigate potential exploits. Failure to address these issues could lead to serious security breaches, including unauthorized information disclosure, escalation of privileges, and denial of service attacks.
Understanding the SGX SDK Vulnerabilities: CVE-2019-14566 and CVE-2019-14565
Two distinct yet equally concerning vulnerabilities have been discovered within the Intel SGX SDK. Both vulnerabilities share the potential for severe security impacts but stem from different underlying causes within the SDK’s codebase.
CVE-2019-14566: Insufficient Input Validation
CVE-2019-14566 highlights a critical flaw related to insufficient input validation within specific versions of the Intel SGX SDK. This weakness can be exploited by an authenticated local user to potentially compromise the system. The vulnerability’s nature allows for a range of malicious outcomes:
- Information Disclosure: Attackers could gain access to sensitive data intended to be protected by SGX enclaves.
- Escalation of Privilege: Exploitation could lead to unauthorized elevation of user privileges within the system.
- Denial of Service (DoS): Malicious input could be crafted to disrupt normal system operations, leading to a denial of service.
This vulnerability has been assigned a high-severity CVSS base score of 7.8, with a vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H: local attack vector, high attack complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability.
CVE-2019-14565: Insufficient Initialization
The second vulnerability, CVE-2019-14565, arises from insufficient initialization processes within the Intel SGX SDK. Similar to CVE-2019-14566, this flaw is also exploitable by an authenticated local user and carries the risk of:
- Information Disclosure: Potential unauthorized access to sensitive information.
- Escalation of Privilege: Possibility of gaining elevated system privileges.
- Denial of Service (DoS): Risk of disrupting system availability and functionality.
CVE-2019-14565 is also rated high severity, with a CVSS base score of 7.0 and a vector of CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H. The vector differs from that of CVE-2019-14566 only in its confidentiality and integrity impact metrics (low rather than high), which accounts for the slightly lower score and a potentially less severe, though still high-severity, impact profile.
Affected Intel SGX SDK Versions
It is crucial for developers to identify if they are using vulnerable versions of the Intel SGX SDK. The following versions are confirmed to be affected by these vulnerabilities:
For CVE-2019-14566:
- Windows*:
  - Intel® SGX SDK for Windows* version: 2.4.100.51291
  - Intel® SGX SDK for Windows* version: 2.3.101.50222
  - Intel® SGX SDK for Windows* version: 2.3.100.49777
- Linux:
  - Intel® SGX SDK for Linux version: 2.6.100.51363
  - Intel® SGX SDK for Linux version: 2.5.100.49891
  - Intel® SGX SDK for Linux version: 2.4.100.48163
  - Intel® SGX SDK for Linux version: 2.3.100.46354
  - Intel® SGX SDK for Linux version: 2.2.100.45311
For CVE-2019-14565:
- All Intel® SGX SDK for Windows* versions 2.4.100.51291 and earlier.
- All Intel® SGX SDK for Linux versions 2.6.100.51363 and earlier.
This broad range of affected versions underscores the urgency for developers to verify their SDK versions and apply the necessary updates.
Recommended Mitigation Steps
Intel strongly recommends that all solution developers using the affected Intel SGX SDK versions take the following actions immediately to protect their applications and users:
- Update Intel® SGX SDK: Upgrade to the latest secure versions of the SDK:
  - Windows*: Version 2.5.101.3 or later.
  - Linux: Version 2.7.101.3 or later.
- Recompile SGX Application Enclaves: After updating the SDK, it is imperative to recompile all SGX application enclaves that were built using any of the vulnerable SDK versions. This recompilation process ensures that the mitigations provided in the updated SDK are incorporated into the application.
- Increase Security Version Numbers (ISVSVN): Developers should also increase the Security Version Numbers (ISVSVN) of their updated SGX application enclaves. This step is critical for security management and ensures that applications are recognized as updated and protected against the identified vulnerabilities.
For developers who have implemented their own custom SDKs based on Intel’s documentation, it is advised to thoroughly review the documentation and code changes associated with the Intel SGX SDK for Linux version 2.7.101.3 to incorporate the necessary security fixes into their implementations.
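As an added example (not Intel's tooling), the script below checks a build against the affected and fixed version lists in this bulletin and confirms that the ISVSVN was raised between two enclave releases. It assumes the ISVSVN is set in an `<ISVSVN>` element of the enclave configuration XML given to the signing tool; the sample configs and helper names are constructed for illustration, and the recompile step itself is not verified.

```python
import xml.etree.ElementTree as ET

# Version data copied from the bulletin's affected and fixed version lists.
AFFECTED_14566 = {
    "windows": {"2.4.100.51291", "2.3.101.50222", "2.3.100.49777"},
    "linux": {"2.6.100.51363", "2.5.100.49891", "2.4.100.48163",
              "2.3.100.46354", "2.2.100.45311"},
}
LAST_AFFECTED_14565 = {"windows": "2.4.100.51291", "linux": "2.6.100.51363"}
FIXED = {"windows": "2.5.101.3", "linux": "2.7.101.3"}

# Constructed sample enclave configs (trimmed): previous release and rebuild.
OLD_CONFIG = "<EnclaveConfiguration><ProdID>0</ProdID><ISVSVN>1</ISVSVN></EnclaveConfiguration>"
NEW_CONFIG = "<EnclaveConfiguration><ProdID>0</ProdID><ISVSVN>2</ISVSVN></EnclaveConfiguration>"


def vtuple(version):
    """Parse a dotted version so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def affected_cves(platform, version):
    cves = []
    if version in AFFECTED_14566[platform]:  # explicit list in the bulletin
        cves.append("CVE-2019-14566")
    if vtuple(version) <= vtuple(LAST_AFFECTED_14565[platform]):  # "and earlier"
        cves.append("CVE-2019-14565")
    return cves


def isvsvn(config_xml):
    """Read <ISVSVN> from an enclave configuration XML string."""
    node = ET.fromstring(config_xml).find("ISVSVN")
    if node is None or not (node.text or "").strip().isdigit():
        raise ValueError("enclave config has no numeric <ISVSVN>")
    return int(node.text)


def mitigation_gaps(platform, sdk_version, old_config, new_config):
    """Bulletin steps that a rebuilt enclave release still misses."""
    gaps = []
    if vtuple(sdk_version) < vtuple(FIXED[platform]):
        gaps.append(f"SDK {sdk_version} is older than {FIXED[platform]}")
    if isvsvn(new_config) <= isvsvn(old_config):
        gaps.append("ISVSVN was not increased")
    return gaps

if __name__ == "__main__":
    print(mitigation_gaps("linux", "2.6.100.51363", OLD_CONFIG, OLD_CONFIG))
```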
Acknowledgements and Coordinated Disclosure
Intel acknowledges and appreciates the valuable contributions of external researchers in identifying and reporting CVE-2019-14565. Specifically, Intel thanks Jo Van Bulck and Frank Piessens from KU Leuven University, Jethro Beekman of Fortanix, and David Oswald, Flavio Garcia, and Eduard Marin from the University of Birmingham for their responsible disclosure and collaborative work with Intel on this issue. CVE-2019-14566 was identified through Intel’s internal security processes.
Intel adheres to the principle of Coordinated Disclosure, a widely adopted industry practice. This approach ensures that cybersecurity vulnerabilities are publicly disclosed only after mitigations are available, allowing users to update their systems and minimize the risk of exploitation. This commitment to coordinated disclosure reflects Intel’s dedication to the security of its products and the broader technology ecosystem.