Summary:
Information disclosure vulnerability in storage media in systems with Intel® Optane™ memory module with Whole Disk Encryption may allow an attacker to recover data via physical access.
Description:
Intel identified an issue where some systems configured with Whole Disk Encryption and an Intel® Optane™ memory module may be at risk of data remaining unencrypted and potentially accessible under specific conditions.
Microsoft* BitLocker is required as the software-based Whole Disk Encryption solution on Intel® Optane™ memory enabled volumes.
Other software-based Whole Disk Encryption solutions are not supported.
Microsoft* BitLocker should be enabled before configuring the Intel® Optane™ memory module. Data migration to the Intel® Optane™ memory module takes place using the Intel® Rapid Storage Technology (Intel® RST) software.
Due to how Intel® RST software migrates data during the Intel® Optane™ memory enabling process, there is a small region on the non-Intel® Optane™ memory module that will be kept hidden from the host operating system. If Microsoft* BitLocker enablement occurs after configuring the Intel® Optane™ memory media device, this small region will not benefit from the Whole Disk Encryption and as a result, end-user data in the small region could possibly be at risk.
Affected products:
The issue potentially affects systems with Intel® Optane™ memory module and Microsoft* BitLocker enabled, based on:
• 7th Gen Intel® Core™ Desktop Processors
• 8th Gen Intel® Core™ Desktop Processors
• 8th Gen Intel® Core™ Mobile Processors
• Intel® Core™ X-Series Processors
• Intel® Xeon® E Processors
Affected configurations:
Intel® Optane™ Memory + Whole Disk Encryption
| Configuration: Intel® Optane™ Memory | Configuration: SW based Whole Disk Encryption | Potentially affected by CVE-2018-3619 |
|---|---|---|
| Y | Y | Y |
| Y | N | N |
| N | Y | N |
| N | N | N |
| CVE ID | CVE Title | CVSSv3 severity | CVSSv3 Vectors |
|---|---|---|---|
| CVE-2018-3619 | Information disclosure vulnerability in storage media in systems with Intel® Optane™ memory module with Whole Disk Encryption may allow an attacker to recover data via physical access | 5.3 (Moderate) | CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Recommendations:
Intel requires users who want Whole Disk Encryption with Intel® Optane™ memory to use Microsoft* BitLocker. The use of other software Whole Disk Encryption solutions is not supported.
Enable Microsoft* BitLocker before configuring the Intel® Optane™ memory device.
Intel requires following these steps to ensure the Intel® Optane™ memory with Microsoft* BitLocker is configured properly:
1. Launch Intel® RST User Interface (UI)/Intel® Optane™ Memory UI
2. Disable Intel® Optane™ memory
3. Enable Intel® Optane™ memory again
   • Check the following link for detailed instructions to disable and enable Intel® Optane™ memory: <https://www.intel.com/content/dam/support/us/en/documents/memory-and-storage/optane-memory/intel-optane-memory-user-installation.pdf>
   • Refer to section 2.1.4 for disabling Intel® Optane™ and section 2.1.3 for enabling Intel® Optane™ using Intel® Optane™ Memory UI
   • Refer to section 2.2.2 for disabling Intel® Optane™ and section 2.2.1 for enabling Intel® Optane™ using Intel® Optane™ Memory UI
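To find hosts that fall in the "Y / Y" row of the affected-configuration table and therefore need the disable/re-enable steps, the following PowerShell script triages a single Windows machine. It is an added example, not Intel or Microsoft tooling; the parameter name $OptanePattern is chosen here, and the script assumes that Windows reports an enabled Intel® Optane™ memory volume with a disk model string containing "Optane+".

```powershell
#Requires -RunAsAdministrator
# Added example: classify this host against the advisory's affected-configuration table.
# Assumption: an enabled Intel Optane memory volume shows up with a disk model such as
# "Intel Optane+932GBHDD" (constructed sample). Override -OptanePattern if your fleet
# reports the accelerated volume under a different model string.
param(
    [string]$OptanePattern = 'Optane\+'
)

# Disks whose model string indicates an Optane-accelerated volume.
$optaneDisks = @(Get-CimInstance -ClassName Win32_DiskDrive |
    Where-Object { $_.Model -match $OptanePattern })

# Volumes where BitLocker protection is on, or encryption has at least started.
$blVolumes = @(Get-BitLockerVolume |
    Where-Object { $_.ProtectionStatus -eq 'On' -or $_.VolumeStatus -ne 'FullyDecrypted' })

$optane    = $optaneDisks.Count -gt 0
$bitlocker = $blVolumes.Count -gt 0
$affected  = $optane -and $bitlocker   # the only "Y" row in the advisory's table

# One object per host so results can be piped to Export-Csv for fleet reporting.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    OptaneEnabled       = $optane
    OptaneDiskModels    = ($optaneDisks.Model -join '; ')
    BitLockerEnabled    = $bitlocker
    BitLockerVolumes    = ($blVolumes.MountPoint -join '; ')
    PotentiallyAffected = $affected
    Action              = if ($affected) {
        'Disable Intel Optane memory, then enable it again (see advisory steps)'
    } else {
        'None per the advisory table'
    }
}
```

The script cannot tell whether BitLocker was enabled before or after Intel® Optane™ memory was configured, so it reports every host with both features as potentially affected, which matches the table. It also does not detect other software-based Whole Disk Encryption products, which the advisory lists as unsupported.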
Acknowledgements:
CVE-2018-3619 was discovered by Intel.