AEPIC Leak - an attack that leaks keys from Intel SGX enclaves

Details have been disclosed of a new attack on Intel processors, AEPIC Leak (CVE-2022-21233), which leaks confidential data from isolated Intel SGX (Software Guard eXtensions) enclaves. The issue affects 10th, 11th and 12th generation Intel CPUs (including the new Ice Lake and Alder Lake series) and is caused by an architectural flaw that allows access to uninitialized data left in the APIC (Advanced Programmable Interrupt Controller) registers after past operations.

Unlike Spectre-class attacks, AEPIC Leak does not rely on side-channel recovery techniques: the confidential data is obtained directly by reading the contents of the registers mapped into the MMIO (memory-mapped I/O) memory page. In general, the attack makes it possible to determine the data transferred between the second-level and last-level caches, including the contents of registers and the results of memory read operations that were previously processed on the same CPU core.

Because the attack requires access to the physical pages of the APIC MMIO, and therefore administrator privileges, the method is limited to attacking SGX enclaves, to which the administrator does not have direct access. The researchers have developed a toolkit that can determine, within a few seconds, the AES-NI and RSA keys stored in SGX, as well as the Intel SGX attestation keys and pseudo-random number generator parameters. The code for the attack is published on GitHub.

Intel announced that it is preparing a fix in the form of a microcode update that adds support for buffer flushing and introduces additional measures to protect enclave data. A new release of the SDK for Intel SGX has also been prepared with changes to prevent data leaks. Developers of operating systems and hypervisors are encouraged to replace the legacy xAPIC mode with the x2APIC mode, in which APIC registers are accessed through MSR registers instead of MMIO.
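To check which mode each core is actually in, the following added example (not code from the article, the researchers or Intel) decodes the IA32_APIC_BASE MSR and flags cores still running legacy xAPIC. The bit layout is taken from the Intel SDM; reading the MSR through the Linux `msr` driver as root is an assumption, and the sample values are constructed.

```python
import glob
import os
import struct

IA32_APIC_BASE = 0x1B            # MSR index of the APIC base register
EXTD, EN = 1 << 10, 1 << 11      # x2APIC-enable and APIC-global-enable bits

def apic_mode(msr_value):
    """Classify the local APIC mode from an IA32_APIC_BASE value."""
    en, extd = bool(msr_value & EN), bool(msr_value & EXTD)
    if en and extd:
        return "x2apic"          # registers reached through MSRs
    if en:
        return "xapic"           # registers exposed on an MMIO page
    return "invalid" if extd else "disabled"

def mmio_base(msr_value):
    """Physical address of the xAPIC register page (bits 12 and up)."""
    return msr_value & 0x000FFFFFFFFFF000

def read_apic_base(cpu):
    """Read the MSR via /dev/cpu/N/msr (assumes Linux, msr module, root)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, IA32_APIC_BASE))[0]
    finally:
        os.close(fd)

def audit(values):
    """Return (cpu, mode, mmio_page) for every core not in x2APIC mode."""
    findings = []
    for cpu, value in sorted(values.items()):
        mode = apic_mode(value)
        if mode == "xapic":
            findings.append((cpu, mode, hex(mmio_base(value))))
        elif mode != "x2apic":
            findings.append((cpu, mode, None))
    return findings

# Constructed sample: CPUs 0 and 1 in x2APIC mode, CPU 2 left in xAPIC mode.
SAMPLE = {0: 0xFEE00D00, 1: 0xFEE00C00, 2: 0xFEE00800}

if __name__ == "__main__":
    try:
        cpus = [int(p.split("/")[3]) for p in glob.glob("/dev/cpu/[0-9]*/msr")]
        values = {cpu: read_apic_base(cpu) for cpu in cpus}
    except OSError:
        values = {}              # no msr driver or no privileges
    for finding in audit(values or SAMPLE):
        print(finding)
```

An empty result means every core reports x2APIC mode; it does not show whether the microcode update or the new SGX SDK is installed.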

Source: opennet.ru
