How To Fix CVE-2021-0186 The New SmashEx CPU Vulnerability?

Researchers from a group of academics from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense Technology disclosed a vulnerability (CVE-2021-0186) that affects Intel processors. As per the reach, attackers could abuse the vulnerability (CVE-2021-0186) not only to steal sensitive information stored within enclaves but also can run arbitrary code on vulnerable systems. Let’s see how to fix CVE-2021-0186 the new SmashEx CPU vulnerability in this post.

What Is Software Guard Extensions (SGX) In Intel Processors?

Intel introduced Software Guard eXtensions in short SGX with the release of Intel’s Skylake processors. SGX was primarily designed to run selected application modules in a completely isolated memory, which is called an enclave or a Trusted Execution Environment (TEE). The main purpose of SGX is to protect application modules from high-privilege processes like the operating system. However, Intel allowed operating system processes to interrupt the enclave execution through configurable hardware exceptions for normal operations. This allows enclave runtimes like Intel SGX SDK and Microsoft Open Enclave to support enclave execution interruptions which lead enclaves to live with re-entrancy vulnerabilities.

What Is SmashEx Attack?

“SmashEx is an attack that exploits re-entrancy vulnerabilities in the exception handling designs of Intel SGX (Software Guard eXtensions) enclave runtimes.” This resulted in Improper input validation vulnerabilities in the Intel(R) SGX SDK applications. This enables adversaries to steal sensitive information stored within enclaves or perform arbitrary code execution inside the victim enclave.

Summary of CVE-2021-0186 The New SmashEx CPU Vulnerability:

Products Affected by CVE-2021-0186 The New SmashEx CPU Vulnerability:

Some Intel Processor modules and software enclave runtime applications are prone to CVE-2021-0186vulnerability. Software:

Intel® Processors supporting SGX2:

How to Fix CVE-2021-0186 The New SmashEx CPU Vulnerability?

Both Intel and Microsoft have rolled out patches to their enclave runtimes to Fix CVE-2021-0186 the new SmashEx CPU vulnerability. Inter recommends Windows users to update Intel® SGX SDK to version 2.13 or later and Linux users to update Intel® SGX SDK to version 2.14 or later.

How To Fix CVE-2021-0186 On Windows:

Microsoft addressed this CVE-2021-0186 vulnerability in its July month security updates with Open Enclave version 0.17.1 of the SDK. Those who have installed Open Enclave version 0.17.1 with July month patches they are considered safe from SmashEx CPU attacks. However, the results are expected to be presented next month at the ACM conference.

How To Fix CVE-2021-0186 On Linux:

For Linux users, Intel released Intel SGX SDK v 2.14 and v 2.15 in July and Sep 2021 respectively. You can download the packages for your Linux distributions and install on them. Read the release notes for more information.

How To Install Intel SGX SDK On Linux?

Please refer to the

for more details.

To install Intel SGX SDK On Linux:

Step 1. Update repositories in Ubuntu

Use this command to update the repositories on Ubuntu.

$ sudo apt update

Step 2. Download the Intel SGX bin package

Create a directory to hold the Intel SGX SDK file. You can keep this on your home directory as well.

$ sudo mkdir /opt/sdk/linux/installer/bin
$ cd /opt/sdk/linux/installer/bin
$ sudo wget https://download.01.org/intel-sgx/sgx-linux/2.15/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.15.100.3.bin

Step 3. Install the Intel SGX bin package

Install the required packages if you don’t have them on your server. Change the permission of the downloaded SGX SDK file and set it to execution. Invoke the installation with ‘./’ upon enabling the execution permission.

$ sudo apt-get install build-essential python
$ sudo chmod +x sgx_linux_x64_sdk_2.15.100.3.bin
$ sudo ./sgx_linux_x64_sdk_2.15.100.3.bin

Step 4. Set up the needed environment variables before compiling Intel SGX installation

Run this command to set up the needed environment variables before compiling your code. Then change the directory to /opt/intel/sgxsdk/SampleCode/LocalAttestation.

$ source /opt/intel/sgxsdk/environment
$ cd /opt/intel/sgxsdk/SampleCode/LocalAttestation

Step 5. Intel SGX package built-in simulation mode

Run this command to build the code sample in Simulation mode to make sure the package works well.

$ sudo make SGX_MODE=SIM

Step 6. Compile and run each code sample in Simulation mode

Run this command to compile and run code sample in Simulation mode to make sure the package works well.

$ ./app

Note: For hardware build, you may need to install SDK Driver and SDK PSW packages.

This is how you can fix CVE-2021-0186 the new SmashEx CPU Vulnerability on your Windows and Linux machines.

We hope this post helps you in fixing CVE-2021-0186 the new SmashEx CPU Vulnerability on your Windows and Linux machines. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.