Allele Security Alert
ASA-2019-00656
Identifier(s)
ASA-2019-00656, CVE-2019-11157
Title
Improper conditions check in voltage settings for some Intel Processors
Vendor(s)
Intel
Product(s)
Intel 6th, 7th, 8th, 9th & 10th Generation Core Processors
Intel Xeon Processor E3 v5 & v6
Intel Xeon Processor E-2100 & E-2200 Families
Affected version(s)
| Product Family | Segment | CPUID | Platform ID |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | 10 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806 EC | 10 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 906EA | 22 |
| 8th Generation Intel® Core™ Processor Family | Desktop | 906EA | 22 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806EA | C0 |
| 8th Generation Intel® Core™ Processor Family | Desktop | 906EB | 2 |
| Intel® Celeron® Processor G Series | Desktop | 906EB | 2 |
| 8th Generation Intel® Core™ Processor Family | Desktop | 906EA | 22 |
| Intel® Xeon® Processor E Family | Server | 906EA | 22 |
| Intel® Xeon® Processor E Family | workstation | 906EA | 22 |
| Intel® Xeon® Processor E Family | AMT Server | 906EA | 22 |
| Intel® Xeon® Processor E Family | Server | 906EA | 22 |
| Intel® Xeon® Processor E Family | workstation | 906EA | 22 |
| Intel® Xeon® Processor E Family | AMT Server | 906EA | 22 |
| 9th Generation Intel® Core™ Processor Family | Desktop | 906ED | 22 |
| 9th Generation Intel® Core™ Processor Family | Desktop | 906ED | 22 |
| 10th Generation Intel® Core™ Processor Family | Mobile | 806EC | 94 |
| 10th Generation Intel® Core™ Processor Family | Mobile | A0660 | 80 |
| 8th Generation Intel® Core™ Processor Family | Mobile | 906 E9 | 2A |
| 7th Generation Intel® Core™ Processor Family | Mobile | 906 E9 | 2A |
| 8th Generation Intel® Core™ Processor Family | Mobile | 806EA | C0 |
| 7th Generation Intel® Core™ Processor Family | Desktop | 906 E9 | 2A |
| 7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0 |
| 7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0 |
| Intel® Core™ X-series Processors | Desktop | 906 E9 | 2A |
| Intel® Xeon® Processor E3 v6 Family | Mobile/server/Emb | 906 E9 | 2A |
| 7th Generation Intel® Core™ Processor Family | Mobile | 806 E9 | C0 |
| 6th Generation Intel® Core™ Processor Family | Mobile | 506 E3 | 36 |
| 6th Generation Intel® Core™ Processor Family | Desktop | 506 E3 | 36 |
| 6th Generation Intel® Core™ Processors | Mobile | 406 E3 | C0 |
| 6th Generation Intel® Core™ Processor Family | Mobile | 406 E3 | C0 |
| Intel® Xeon® Processor E3 v5 Family | Server/Embed | 506 E3 | 36 |
| 6th Generation Intel® Core™ Processors | Mobile | 406 E3 | C0 |
| 8th Generation Intel® Core™ Processors | Mobile | 806EB | D0 |
| 8th Generation Intel® Core™ Processors | Mobile | 806EC | 80 |
Fixed version(s)
Intel recommends that users of the affected Intel® Processors update to the latest BIOS version provided by the system manufacturer that addresses these issues.
Proof of concept
Yes
Description
Improper conditions check in voltage settings for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege and/or information disclosure via local access.
Technical details
Unknown
Credits
David Oswald, Flavio Garcia (Universidade de Birmingham); Jo Van Bulck (KU Lovaina); Daniel Gruss (TU Graz); Zijo Kenjar, Tommaso Frassetto, Ahmed-Reza Sadeghi (Universidade Técnica de Darmstadt); David Gens, Michael Franz (Universidade da Califórnia, Irvine); Gang Qu (Universidade de Maryland); Yongqiang Lyu, Dongsheng Wang (Universidade de Tsinghua); Pengfei Qiu; Researchers from University of Birmingham, KU Leuven and TU Graz; Researchers from University of Maryland and Tsinghua University.
Reference(s)
Intel® Processors Voltage Settings Modification Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00289.html
Plundervolt
https://plundervolt.com/
Plundervolt: Software-based Fault Injection Attacks against Intel SGX
https://plundervolt.com/doc/plundervolt.pdf
Plundervolt
https://github.com/KitMurdock/plundervolt
CVE-2019-11157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11157
CVE-2019-11157
https://nvd.nist.gov/vuln/detail/CVE-2019-11157
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 14, 2020