It’s Patch Tuesday for November 2023, and today Intel released 31 security advisories addressing 104 CVEs, with the majority of these being in Intel software products.
In this post we will focus on an out-of-band update for a potential escalation of privilege vulnerability. We will provide more context for how this issue was discovered and actions customers can take. The vulnerability, addressed by INTEL-SA-00950, was initially found by Intel researchers, and we are not aware of any active attacks using this vulnerability. As always, Intel recommends customers deploy security updates as soon as possible.
This issue was first reported as a functional bug by an Intel partner doing testing during Sapphire Rapids product development. Finding, reporting, and addressing functional bugs are a routine part of product development and this issue was addressed in Sapphire Rapids, Alder Lake, and Raptor Lake during that process.
At Intel, it is also routine for our offensive security research team to systematically review upcoming functional errata for potential security concerns. During the analysis of this particular bug, it was determined that it could result in a temporary denial of service (TDoS), and it was reclassified as a vulnerability with a CVSS 3.0 score of 5.5 (medium). We determined the issue affected older platforms and needed to be addressed in a microcode update. Based on feedback from our customers and partners, we concluded that the Intel Platform Update bundle scheduled for March 2024 was the most suitable vehicle for public disclosure.
Thanks to the diligence and expertise of Intel security researchers, a vector was later discovered that could allow a possible escalation of privilege (EoP). With an updated CVSS 3.0 score of 8.8 (high), this discovery changed our approach to mitigating this issue for our customers and we pulled the update forward to align with disclosures already planned for November 2023.
While preparing the March 2024 Intel Platform Update bundle for customer validation, we received a report from a Google researcher for the same TDoS issue discovered internally. The researcher cited a Google 90-day disclosure policy and stated that they would go public on November 14, 2023, referring to this issue as "reptar".
Ecosystem enablement through the Intel Platform Update process
The Intel Platform Update process represents a well-established industry best practice developed with extensive input from our ecosystem partners, who are a critical part of the Coordinated Vulnerability Disclosure (CVD) process. These partners include operating system vendors, hypervisor vendors, BIOS vendors, cloud service providers, and original equipment manufacturers who provide the final mitigation to end customers. The process includes a significant investment Intel has made in validation resources, unmatched in the silicon industry, to meet our customers' expectations of high-quality updates. It also includes an additional 90 days of partner validation and preparation time, during which partners test updates against literally thousands of products and services built on Intel platforms and either bundle the microcode into an update they provide to their customers or deploy the update into cloud environments to protect those customers. The main goal of the Intel Platform Update process is to help ensure that at public disclosure, security updates are available to all customers on all supported Intel platforms, and doing so requires coordination with the entire ecosystem.
Intel will always strive to do the right thing for our customers. When given a 90-day disclosure window, our assessment may be that disrupting the ongoing IPU validation work represents greater risk to customers than the issue the researcher would disclose. This will always be assessed on a case-by-case basis with input from our ecosystem partners.
Actions for customers
Customers should review INTEL-SA-00950 and our Redundant Prefix technical paper for recommended actions. In summary, customers should refer to their OS vendor or contact their system manufacturer to obtain the microcode update for their affected products. You can find a list of OEM support sites here. This update is OS loadable (no reboot required), and Intel has not observed, and does not expect, any performance impact with this mitigation. For additional technical guidance and affected processors, please review THIS page.
Sr. Director, Incident Response & Security Communications
Intel Product Assurance and Security