3rd Generation Intel® Xeon® Scalable Processors Advisory

Summary:

A potential security vulnerability in some 3rd Generation Intel® Xeon® Scalable Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2021-33117

Description: Improper access control for some 3rd Generation Intel® Xeon® Scalable Processors before BIOS version MR7, may allow a local attacker to potentially enable information disclosure via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N****

Affected Products:

Product Family

|

Processor

|

Vertical Segment

|

CPU ID

|

Platform ID

—|—|—|—|—

3rd Generation Intel® Xeon® Scalable Processors

|

06_6AH

|

Server

|

606AX

|

0x87

Recommendations:

Intel recommends updating affected 3rd Generation Intel® Xeon® Scalable Processors to BIOS version MR7 or later. Intel recommends the users to enable the technologies that are used for BIOS to detect early boot code unauthorized modification.

Alternatively, Intel recommends following the steps to update the microcode patch located in platform flash designated by firmware interface table (FIT) entry type1. Details on the firmware interface table layout and types can be found at:

<https://software.intel.com/content/dam/develop/external/us/en/documents/firmware-interface-table-bios-specification-r1p2p1.pdf&gt;

Intel is releasing microcode updates, which are available at this GitHub* repository link:

<https://github.com/otcshare/Intel-Generic-Microcode/blob/main/NDA/repository/server/production/m_87_606a6_0d000331.inc&gt;

This CVE requires a Microcode Security Version Number (SVN) update. To address this issue, an Intel SGX TCB Recovery is planned. Details can be found here.

Refer to Intel SGX Attestation Technical Details for more information on the Intel SGX TCB recovery process.

Further TCB Recovery Guidance for developers is available.

Acknowledgements:

This issue was found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.