INTEL-SA-00086: Unprivileged User Exploitation

TL;DR

While INTEL-SA-00086 describes several vulnerabilities affecting Intel processors, most require privileged access (root/administrator) to exploit. However, a subset can be triggered by unprivileged users through specific software configurations or malicious code execution within a user context.

Understanding the Vulnerabilities

INTEL-SA-00086 covers issues in Intel Software Guard Extensions (SGX). These vulnerabilities relate to how SGX handles memory management and enclave security. The key areas are:

  • Invalid Memory Access: Flaws allowing access to protected memory regions within an enclave.
  • Enclave Information Disclosure: Potential leakage of sensitive data from enclaves.
  • Denial of Service (DoS): Causing the SGX system to crash or become unstable.

The severity varies depending on the specific vulnerability and the processor generation.

Can Unprivileged Users Exploit These?

Yes, in certain scenarios. Here’s a breakdown:

1. Software Vulnerabilities Leveraging SGX

  1. Malicious Applications: If an application uses the Intel SGX SDK and contains vulnerabilities (e.g., buffer overflows, format string bugs) within its enclave code, an unprivileged user could exploit these flaws to compromise the enclave’s security. This is not a direct processor vulnerability but relies on poor software implementation.
    // Example: Vulnerable enclave code (simplified)
    char buffer[64];
    // userInput comes from the user and its length is never checked,
    // so sprintf can write past the end of buffer
    sprintf(buffer, "%s", userInput);
  2. Compromised Libraries: If SGX-enabled applications rely on shared libraries with vulnerabilities, an attacker could inject malicious code into those libraries to compromise the enclave.
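A hardened counterpart to the `sprintf` snippet in item 1, added here as an illustration; it is not code from the original page or from the Intel SGX SDK. The function names, status codes and the plain-C stand-in for an enclave entry point are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64   /* same size as buffer[64] in the snippet above */

enum copy_status { COPY_OK = 0, COPY_BAD_ARG = -1, COPY_TOO_LONG = -2 };

/* Hypothetical stand-in for an enclave entry point: the caller supplies a
 * pointer and an explicit length, and neither is trusted. */
enum copy_status store_user_input(char *dst, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL)
        return COPY_BAD_ARG;
    /* Reject instead of truncating: a silently shortened value can change
     * meaning. One byte of dst is reserved for the terminator. */
    if (src_len >= BUF_LEN)
        return COPY_TOO_LONG;
    /* The claimed length must not extend past an embedded terminator. */
    if (memchr(src, '\0', src_len) != NULL)
        return COPY_BAD_ARG;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return COPY_OK;
}

/* Alternative when the input is already a C string: snprintf bounds the
 * write, and its return value shows whether the input would have fit. */
enum copy_status format_user_input(char *dst, const char *src)
{
    if (dst == NULL || src == NULL)
        return COPY_BAD_ARG;
    int n = snprintf(dst, BUF_LEN, "%s", src);
    if (n < 0)
        return COPY_BAD_ARG;
    if ((size_t)n >= BUF_LEN) {
        dst[0] = '\0';   /* do not keep a truncated value */
        return COPY_TOO_LONG;
    }
    return COPY_OK;
}

int main(void)
{
    char buf[BUF_LEN];
    printf("%d\n", store_user_input(buf, "alice", 5));
    return 0;
}
```

Both functions fail closed: an oversized input returns an error the caller has to handle, and the destination never holds a partial copy.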

2. Side-Channel Attacks

Several side-channel attacks can be performed by unprivileged users without needing root access. These attacks don’t directly exploit a flaw in the processor but infer information about the enclave’s operation based on timing variations, power consumption, or other observable characteristics.

  • Cache Timing Attacks: By carefully measuring cache hit/miss patterns during enclave execution, an attacker can potentially recover sensitive data.
  • Branch Prediction Analysis: Observing branch prediction behaviour can reveal information about the code being executed within the enclave.

These attacks are complex and require significant expertise to implement effectively.

3. Specific Vulnerability Examples (Unprivileged Exploitation Possible)

  1. CVE-2019-11091: This vulnerability, related to SGX enclave initialization, can be triggered by a user-mode application if it improperly handles the enclave creation process.
    // Example (conceptual): Improper enclave creation handling
    if (enclave_creation_failed) {
      // Insufficient error checking - could allow malicious code execution
    }
  2. Certain DoS vulnerabilities: Some DoS attacks can be triggered by sending specially crafted input to an SGX-enabled application, causing it to crash. This doesn’t compromise data but disrupts service.

Mitigation Steps

  1. Keep Software Updated: Regularly update your operating system, Intel SGX SDK, and all applications that use SGX.
  2. Use Reputable Software Sources: Download software only from trusted sources to avoid malicious code injection.
  3. Enable Security Features: Ensure that security features like memory protection are enabled in your operating system.
  4. Monitor System Activity: Look for unusual processes or network activity that could indicate a compromise.
  5. Apply Intel Microcode Updates: Install the latest Intel microcode updates to address known processor vulnerabilities. You can often do this through your OS vendor’s update mechanism (e.g., Windows Update, Linux kernel updates).
    # Example (Linux - check current microcode version)
    dmesg | grep 'microcode'
