Lenovo Security Advisory: LEN-30553
Potential Impact: Information disclosure, escalation of privilege
Severity: Medium
Scope of Impact: Industry-wide
CVE Identifier: CVE-2020-0551, CVE-2020-0561
Summary Description:
Intel reported potential security vulnerabilities in some Intel Processors that may allow information disclosure.
CVE-2020-0551: Load Value Injection (LVI) in some Intel Processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
Intel reported the following potential security vulnerabilities in some Intel Processors and Intel Software Guard Extensions (SGX) SDK. These vulnerabilities affects some Lenovo drivers for SGX enabled fingerprint readers.
CVE-2020-0551: Load Value Injection (LVI) in some Intel Processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.
CVE-2020-0561: Intel reported a potential security vulnerability in Intel Software Guard Extensions (SGX) SDK may allow a partial loss of integrity.
Mitigation Strategy for Customers (what you should do to protect yourself):
CVE-2020-0551:
SGX Enclaves
Intel recommends applying previous mitigations for L1 Terminal Fault (LEN-24163) and Microarchitectural Data Sampling (MDS) (LEN-26696) to reduce the impact of this vulnerability. Intel has released SGX Platform Software (PSW) and SDK updates to mitigate issues with SGX enclaves. Intel recommends updating affected drivers to the latest version as indicated for your model in the Product Impact section below.
The latest Windows SGX PSW and SDK can be found here: <https://registrationcenter.intel.com/en/forms/?productid=2614>
The latest Linux SGX PSW and SDK can be found here: <https://01.org/intel-software-guard-extensions/downloads>
Operating System (OS) and Virtual Machine Manager (VMM)
Intel recommends applying previous mitigations for Spectre (LEN-22133), TSX Asynchronous Abort (TAA) (LEN-27714), L1 Terminal Fault (LEN-24163), and MDS (LEN-26696) to significantly reduce the impact of this vulnerability.
Software Applications
Intel recommends applying previous mitigations for Microarchitectural Data Sampling (MDS) (LEN-26696) to reduce the impact of this vulnerability. Refer to Intelโs Deep Dive: Managed Runtime Speculative Execution Side Channel Mitigations for additional guidance.
CVE-2020-0561: Intel recommends updating affected drivers to the latest version as indicated for your model in the Product Impact section below.
Product Impact:
To download the version specified for your product below, follow these steps:
Alternatively and if applicable for your product, you may use Lenovo Vantage or Windows Update to update to the latest available version. To confirm you are using the minimum fix version (or higher), go to Add/Remove Programs and check the version listed there.