Intel is patching a load of serious software security holes

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

Intel has addressed multiple vulnerabilities discovered in its Software Guard Extensions (SGX) and is now urging users to apply the patch as soon as possible. 

The flaws affect a “wide range of Intel products”, including Xeon processors, network adapters, and software. A total of 31 advisories were added to the Intel Security Center, including five CVE’s.

Of those five, two are privilege escalation vulnerabilities that could allow threat actors to elevate the privileges their accounts have on target endpoints and use them to exfiltrate sensitive data. The irony is palpable here, the publication hints, because SGX is a feature “that is supposed to enable secure processing of sensitive data inside encrypted memory areas known as enclaves.”

Stealing sensitive data

The third flaw, tracked as CVE-2022-38090, is a medium-rated vulnerability affecting, among others, 3rd Gen Xeon Scalable processors. According to Intel, “improper isolation of shared resources in some Intel Processors when using Intel Software Guard Extensions may allow a privileged user to potentially enable information disclosure via local access.”

The best course of action, Intel says, is to update your device’s firmware.

The fourth vulnerability, tracked as CVE-2022-33196, is a high-severity flaw also affecting the 3rd Gen Xeon Scalable processors, but also Xeon D processors, as well. Patches, in the form of BIOS and microcode updates, are on the way, the company added.

The fifth flaw affects SGX’s software development kit (SDK). While this one is rated low severity, there is still a chance crooks use it to steal sensitive data, Intel says. An update is on the way, as well. 

SGX, now in its eighth year, has been “plagued with vulnerabilities”, the publication says, adding that the tool was deprecated in client-focused chips from the 11th and 12th Gen Core processors. 

Via: The Register

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.