Intel will be addressing 77 security vulnerabilities this month

Followed by the news of the Zombieload v2 attack news today, Intel yesterday posted a security blog, in which they state to close 77 vulnerabilities in November.

-- Intel --  The bulk of the advisories this month are for issues found internally by Intel and are part of the Intel Platform Update (IPU) process. Through the IPU, which we coordinate two to three times each year, we combine the delivery of security and functional updates with the goal of enhancing our ecosystem partners’ ability to validate and release updates for their products on a timely and predictable cadence. This requires a great deal of cross-industry collaboration as we work with almost 300 organizations to prepare and coordinate the release of these updates.

Industry collaboration is a key and strategic component to how we seek to lead in hardware security innovation. Every day we collaborate with the leading operating system, hypervisor, and cloud services providers, to work on microarchitectural solutions that have impact on a global scale. In some cases, as in INTEL-SA-00210, an issue in hardware can most efficiently be addressed at the software layer. It is truly amazing when companies, some of which may be competitors in the global market place, can work together on solutions that benefit the entire ecosystem. Today, other organizations are releasing their own advisories in conjunction with ours, providing software updates for an issue found internally by Intel. 

“67 of the 77 vulnerabilities we are addressing were internally found by Intel”

Intel is heavily invested in both industry collaboration and in conducting security research into our own products. As a result, while we are addressing 77 vulnerabilities this month, 67 were discovered internally through our own testing, validation and analysis. We believe that assigning CVE ID’s and publicly documenting internally found vulnerabilities helps our customers to accurately assess risk, prioritize, and deploy updates. By the time you are reading this blog post, mitigations for many of these issues will have already been propagated throughout the ecosystem through the IPU process. At the same time, the external researchers who reported the remaining issues to us have all been good partners in working with us on coordinated vulnerability disclosure (CVD).

In the table, updates are ordered from highest overall severity rating to lowest to give you a sense of how to prioritize deployment. In the Intel Management Engine category (CSEM, SPS, TXE, and AMT), 22 of the 24 CVE’s were found internally including CVE-2019-0169 which has a CVSS score of 9.6 (critical). We recommend you check with your system manufacturers and operating system vendors to determine how to obtain these updates. 

CVE-2019-11135, is closely related to Microarchitectural Data Sampling (MDS) that we addressed in May of this year. Transactional Synchronization Extensions (TSX) Asynchronous Abort, or TAA, has a medium CVSS score of 6.5. This was externally reported and affects only CPU’s that support TSX. The TAA mitigation provides the ability to clear stale data from microarchitectural structures through use of a VERW instruction on processors that already have hardware-based mitigations for MDS (see INTEL-SA-00233). It also provides system software the means to disable TSX for customers who do not use this functionality.  We believe that the mitigations for TAA and MDS substantively reduce the potential attack surface. Shortly before this disclosure, however, we confirmed the possibility that some amount of data could still be inferred through a side-channel using these techniques (for TAA, only if TSX is enabled) and will be addressed in future microcode updates. We continuously improve the techniques available to address such issues and appreciate the academic researchers who have partnered with Intel.