Security
Determine security ramifications to protect personal data and information
107 Discussions

INTEL-SA-00950 - Redundant Prefix Issue

IPAS_Security
Employee
‎11-14-2023 09:59 AM
0 1 4,208

Hi everyone,

It’s patch Tuesday for November 2023 and today Intel released 31 security advisories addressing 104 CVEs with the majority of these being in Intel software products.

In this post we will focus on an out of band update for a potential escalation of privilege vulnerability. We will provide more context for how this issue was discovered and actions customers can take. The vulnerability, addressed by INTEL-SA-00950, was initially found by Intel researchers and we are not aware of any active attacks using this vulnerability. As always, Intel recommends customers deploy security updates as soon as possible.

Background

This issue was first reported as a functional bug by an Intel partner doing testing during Sapphire Rapids product development. Finding, reporting, and addressing functional bugs are a routine part of product development and this issue was addressed in Sapphire Rapids, Alder Lake, and Raptor Lake during that process.

At Intel, it is also routine for our offensive security research team to systematically review upcoming functional errata for potential security concerns. During the analysis of this particular bug, it was determined that it could result in a temporary denial of service (TDoS) and was reclassified as a vulnerability with a CVSS 3.0 score of 5.5 (medium). We determined the issue affected older platforms and needed to be addressed in a Microcode update. Based on feedback from our customers and partners, we concluded that the Intel Platform Update bundle scheduled for March 2024 was the most suitable vehicle for public disclosure.  

Thanks to the diligence and expertise of Intel security researchers, a vector was later discovered that could allow a possible escalation of privilege (EoP). With an updated CVSS 3.0 score of 8.8 (high), this discovery changed our approach to mitigating this issue for our customers and we pulled the update forward to align with disclosures already planned for November 2023.

While preparing the March 2024 Intel Platform Update bundle for customer validation, we received a report from a Google researcher for the same TDoS issue discovered internally. The researcher cited a Google 90 day disclosure policy and that they would go public on November 14, 2023 referring to this issue as "reptar".

Ecosystem enablement through the Intel Platform Update process

The Intel Platform Update process represents a well established industry best practice developed with extensive input from our ecosystem partners who are a critical part of the Coordinated Vulnerability Disclosure (CVD) process. These partners include operating system vendors, hypervisor vendors, BIOS vendors, cloud service providers, and original equipment manufacturers who provide the final mitigation to end customers. The process includes a significant investment Intel has made in validation resources unmatched in the silicon industry, to meet our customer expectations of high-quality updates. It also includes an additional 90 days of partner validation and preparation time as they test updates against literally thousands of products and services built on Intel platforms and bundle the microcode into an update they provide to their customers or are deploying the update into cloud environments to protect those customers. The main goal of the Intel Platform Update process is to help ensure that at public disclosure, security updates are available to all customers on all supported Intel platforms and doing so requires coordination with the entire ecosystem.

Intel will always strive to do the right thing for our customers. When given a 90-day disclosure window, our assessment may be that disrupting the ongoing IPU validation work represents greater risk to customers than the issue the researcher would disclose represents. This will always be assessed on a case-by-case basis with input from our ecosystem partners.

Actions for customers

Customers should review INTEL-SA-00950 and our Redundant Prefix technical paper for recommended actions. In summary, customers should refer to their OS vendor or contact their system manufacturer to obtain the microcode update for their affected products. You can find a list of OEM support sites here. This update is OS loadable (no reboot required) and Intel has not observed or expect any performance impact with this mitigation. For additional technical guidance and affected processors, please review THIS page.

Regards,

Jerry Bryant
Sr. Director, Incident Response & Security Communications
Intel Product Assurance and Security

0 Kudos
About the Author
Intel Product Assurance and Security (IPAS) is designed to serve as a security center of excellence – a sort of mission control – that looks across all of Intel. Beyond addressing the security issues of today, we are looking longer-term at the evolving threat landscape and continuously improving product security in the years ahead.
1 Comment
BobDole1
Beginner
‎12-07-2023 08:05 PM

You guys are an embarrassment. My PC has 36 vulnerabilities. Never using Intel EVER Again.   

0 Kudos

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.