SGX Update

Intel ID: INTEL-SA-00076
Product family: Intel Server Systems, NUC, and Compute Stick
Impact of vulnerability: Elevation of Privilege
Severity rating: Critical
Original release: Jul 25, 2017
Last revised: Jul 25, 2017
Summary: 

Intel has released updates that improve the security of Intel® Software Guard Extensions (Intel® SGX).

Description: 

Intel has released updates that improve the security of Intel® Software Guard Extensions (Intel® SGX). The improvement applies to 6th and 7th Generation Intel® Core™ Processor Families, Intel® Xeon® E3-1500M v5 and v6 Processor Families, and Intel® Xeon® E3-1200 v5 and v6 Processor Families.

CVSS Rating: Critical (9.0 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Affected products: 

 

Client Systems:

Model name | Updated BIOS version | Update URL
NUC7i3BNK (KBL), NUC7i5BNK, NUC7i7BNH | BN0047 | https://downloadcenter.intel.com/download/26889/NUCs-BIOS-Update-BNKBL357-86A-
STK2MV64CC (SKL) | CCV0051 | https://downloadcenter.intel.com/download/26812/Compute-Stick-BIOS-Update-CCSKLm5v-86A-
STK2M3W64CC (SKL) | CC0051 | https://downloadcenter.intel.com/download/26835/Compute-Stick-BIOS-Update-CCSKLm30-86A-
NUC6i7KYK (SKL) | KY0048 | https://downloadcenter.intel.com/download/26842/NUCs-BIOS-Update-KYSKLi70-86A-
NUC6i3SYK (SKL), NUC6i5SYK | SY0061 | https://downloadcenter.intel.com/download/26841/NUCs-BIOS-Update-SYSKLi35-86A-

 

Server Systems:

Model name | Updated BIOS version | Update URL
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |
 | 03.01.0021 |

Recommendations: 

This update improves the security of Intel® Software Guard Extensions (Intel® SGX) and is strongly recommended.

While this firmware update prevents exploitation of the issue on systems running SGX, Intel also provides an SGX Attestation service to allow service providers to know whether clients have the latest security updates. Intel plans to update the SGX Attestation Service response on November 14, 2017. On platforms that have not installed the update, SGX applications using the SGX Attestation Service will begin to receive “out of date” responses from the SGX Attestation Service. Applications using SGX may or may not take action based on this information.

If SGX Attestation is used, it may be necessary for applications using SGX to re-provision the platform with an updated SGX platform attestation key after this update is installed. This updated attestation key allows the platform to demonstrate that it is up to date.
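As an added illustration (not part of Intel's advisory and not Intel code), this is one way a service provider could act on an "out of date" attestation response once unpatched platforms start receiving it. The report field names `isvEnclaveQuoteStatus` and `timestamp`, the `GROUP_OUT_OF_DATE` status value, the grace deadline, and the assumption that the report's signature has already been verified do not come from this page.

```python
import json
from datetime import datetime, timezone

# Hypothetical relying-party policy knob: the last moment at which a platform
# reported as out of date is still served. The advisory gives 14 Nov 2017 as
# the day the attestation service response changes; the deadline is constructed.
GRACE_DEADLINE = datetime(2017, 12, 14, tzinfo=timezone.utc)


def evaluate_report(report_body, grace_deadline=GRACE_DEADLINE):
    """Decide what to do with one attestation verification report.

    report_body is the JSON body, assumed to have passed signature
    verification already. Returns (decision, reason), where decision is
    "accept", "accept_degraded" or "reject".
    """
    try:
        report = json.loads(report_body)
        status = report["isvEnclaveQuoteStatus"]
        # Assumption: the timestamp has no zone suffix and is UTC.
        issued = datetime.fromisoformat(report["timestamp"]).replace(
            tzinfo=timezone.utc)
    except (ValueError, KeyError, TypeError) as exc:
        return "reject", f"malformed report: {exc!r}"

    if status == "OK":
        return "accept", "platform is up to date"
    if status == "GROUP_OUT_OF_DATE":
        if issued <= grace_deadline:
            # Serve with reduced trust and tell the client what to fix.
            return ("accept_degraded",
                    "platform out of date: install update, then re-provision")
        return "reject", "platform out of date and grace period is over"
    # Fail closed on every other status.
    return "reject", f"quote status {status}"


# Constructed sample reports, not real attestation service output.
SAMPLES = [
    '{"isvEnclaveQuoteStatus": "OK", "timestamp": "2017-11-20T10:00:00.000000"}',
    '{"isvEnclaveQuoteStatus": "GROUP_OUT_OF_DATE", "timestamp": "2017-11-20T10:00:00.000000"}',
    '{"isvEnclaveQuoteStatus": "GROUP_OUT_OF_DATE", "timestamp": "2018-01-05T08:30:00.000000"}',
    '{"timestamp": "2017-11-20T10:00:00.000000"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(evaluate_report(body))
```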

Acknowledgements: 

This issue was discovered by Intel.

Revision history: 

Revision | Date | Description
1.0 | 25-July-2017 | Initial Release
1.1 | 04-Aug-2017 | Corrected typos

CVE Name: CVE-2017-5691

Disclaimer:

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH INTEL® PRODUCTS. YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. INTEL RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.


