SINIT Buffer Overflow Vulnerability

Intel ID:  INTEL-SA-00030
Product family:  Intel® Trusted Execution Technology
Impact of vulnerability Elevation of Privilege
Severity rating Important
Original release:  Dec 05, 2011
Last revised:  Dec 06, 2011
Summary: 

Intel® Trusted Execution Technology SINIT Authenticated Code Modules (ACMs) are susceptible to a buffer overflow issue. Intel is providing updated SINIT ACMs to mitigate this issue and microcode updates to revoke vulnerable SINIT ACMs.

Description: 

When Intel® Trusted Execution Technology measured launch is invoked using affected SINIT Authenticated Code Modules (ACMs), the platform is susceptible to an OS-level exploit, which can bypass Intel®TXT compromising certain SINIT ACM functionality, including launch control policy and additionally lead to compromise of System Management Mode (SMM). To mitigate this issue, Intel is releasing updated SINIT ACMs. Additionally, microcode-based revocation of vulnerable SINIT ACMs is being made available for all affected processors.

Affected products: 

Client and UP Server Processors
Chipset
Vulnerable SINIT ACM are this version and earlier
Fixed SINIT ACM are this version and higher
2nd Generation Intel® Core™ i7 and i5 Desktop Processor Series and Intel® Xeon® Processor E3-1200 Product Family
 
2nd Generation Intel® Core™ i7 Mobile Extreme Edition Processor Series , 2nd Generation Intel® Core™ i7, and i5 Mobile Processor Series
Intel® Q67 Express, C202, C204, C206 Chipsets
 
 
Mobile Intel® QM67, and QS67 Chipset Express
 
 
2nd_gen_i5_i7_SINIT_1.9.BIN
2nd_gen_i5_i7_SINIT_51.BIN
 
Intel® Core™ i5-600 Desktop Processor Series
Intel® Core™ i5-600 Mobile Processor Series, i7-600 & i5-500 Mobile   Processor Series
Intel® Q57, 3450 Chipsets
 
Mobile Intel® QM57 and QS57 Express Chipset
i5_i7_DUAL_SINIT_18.BIN
i5_i7_DUAL_SINIT_51.BIN
 
Intel® Core(TM) i7-800 Desktop Processor Series i7-900 Mobile Processor Extreme Edition Series i7-800 & i7-700 Mobile Processor Series, and Intel® Xeon® Processor 3400 Series
Intel® Q57, 3450 Chipsets
 
Mobile Intel® QM57 and QS57 Chipset
 
i7_QUAD_SINIT_20.BIN
i7_QUAD_SINIT_51.BIN
 
Intel® Core™2 Quad, Intel® Core™2 Duo, Intel® Core™2 Solo Mobile Processor Series  
Mobile Intel® GM45, GS45, and PM45 Express Chipset
GM45_GS45_PM45_SINIT_21.BIN
GM45_GS45_PM45_SINIT_51.BIN
 
Intel® Core™ 2 Duo Desktop processors E6850, E6750, and E6550 and Intel® Xeon® Processor 3000/3200 Series
Intel® Q35 Express Chipsets
Q35_SINIT_18.BIN
Q35_SINIT_51.BIN
 
Server Processors
Chipset
Vulnerable SINIT ACM are this version and earlier
Fixed SINIT ACM are this version and higher
Intel® Xeon® Processor 5600 Series and Intel® Xeon® Processor 3500 Series
Intel® 5520, 5500, and X58 Chipsets
SINIT ACM 1.0
SINIT ACM 1.1
Intel® Xeon® Processor E7 Family-
Intel® 7500 Chipset
SINIT ACM 1.0
SINIT ACM 1.1

Recommendations: 

While Intel is not aware of active use of the vulnerability described in this advisory, Intel has made updated SINIT Authenticated Code Modules (ACMs) available at http://software.intel.com/en-us/articles/intel-trusted-execution-technology/ to mitigate this issue. If your BIOS includes an SINIT ACM, which is more common for Intel® TXT server platforms, a BIOS update that includes the updated SINIT ACM should be installed; please contact your platform OEM. Intel is also providing microcode updates, which will revoke vulnerable SINIT ACMs by causing GETSEC[SENTER] to fail.  The BIOS update that contains the new microcode patch should be installed on all affected systems. Note that prior to installing the microcode update, an updated SINIT ACM must be installed to launch your Intel TXT enabled software.  Contact your solutions provider or Intel®TXT software vendor if your Intel®TXT environment fails to launch and to determine how to update your software with the new SINIT ACM. Intel highly recommends that these updates be applied to mitigate this issue.
 
If SINIT and Microcode updates for your TXT-capable platform are not immediately available Intel recommends you take the following actions to protect your platform:
If Intel®TXT is disabled you are not affected by this issue. If you are not actively running Intel®TXT disable it in the BIOS. Consult your owner’s manual for instructions on how to disable Intel TXT in BIOS.
 
Once you have confirmed that Intel TXT is disabled on your system, you should:
o   Maintain control of your computing environment. Administrative access, like Ring 0 in a typical operating system, is required to implement this attack.
o   Apply all patches and security updates for your operating system and applications.
o   Ensure that security utilities such as firewalls, antivirus, etcetera are kept current with updates.

Acknowledgements: 

Intel would like to thank Rafal Wojtczuk and Joanna Rutkowska from Invisible Things Lab (http://invisiblethingslab.com) for reporting this issue and working with us.

Revision history: 

Revision
Date
Description
1.0
05-December-2011
Initial Release
1.1
06-December-2011
Updated description section since TXT bypass wasn't implicit.


Disclaimer:

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH INTEL® PRODUCTS. YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. INTEL RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.



Reporting a security issue

If you have information about a security issue or vulnerability with an Intel product, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

For issues related to Intel managed open source projects, please visit http://www.01.org/security.

Please provide as much information as possible, including:

  • The products and versions affected
  • Detailed description of the vulnerability
  • Information on known exploits

  • A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

  • Vulnerability handling guidelines

  • Need product support?
    The secure@intel.com e-mail address should only be used for reporting security issues.

    If you...
  • Have questions about the security features of an Intel product
  • Require technical support
  • Want product updates or patches

  • Please visit Support & Downloads.