October 21, 2021

How To Fix CVE-2021-0186 The New SmashEx CPU Vulnerability?



A group of academics from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense Technology disclosed a vulnerability (CVE-2021-0186) that affects Intel processors. According to the research, attackers could abuse the vulnerability not only to steal sensitive information stored within enclaves but also to run arbitrary code on vulnerable systems. Let's see how to fix CVE-2021-0186, the new SmashEx CPU vulnerability, in this post.

What Is Software Guard Extensions (SGX) In Intel Processors?

Intel introduced Software Guard eXtensions (SGX for short) with the release of Intel's Skylake processors. SGX was primarily designed to run selected application modules in completely isolated memory, called an enclave or a Trusted Execution Environment (TEE). The main purpose of SGX is to protect application modules from high-privilege processes like the operating system. However, Intel allowed operating system processes to interrupt enclave execution through configurable hardware exceptions for normal operations. Enclave runtimes like the Intel SGX SDK and Microsoft Open Enclave therefore support interruption of enclave execution, which leaves enclaves exposed to re-entrancy vulnerabilities.

What Is SmashEx Attack?

SmashEx is an attack that exploits re-entrancy vulnerabilities in the exception handling designs of Intel SGX (Software Guard eXtensions) enclave runtimes. This resulted in improper input validation vulnerabilities in Intel(R) SGX SDK applications. It enables adversaries to steal sensitive information stored within enclaves or perform arbitrary code execution inside the victim enclave.

Summary of CVE-2021-0186 The New SmashEx CPU Vulnerability:

CVE ID: CVE-2021-0186
CVSS Base Score: 8.2
Description: Improper input validation in enclave runtimes like Intel SGX SDK and Microsoft Open Enclave
Advisory Category: Software
Impact of vulnerability: Escalation of Privilege
Severity rating: HIGH

Products Affected by CVE-2021-0186 The New SmashEx CPU Vulnerability:

Some Intel processor models and software enclave runtime applications are prone to the CVE-2021-0186 vulnerability.

Software:

  1. Intel SGX SDK for Windows v2.12 and earlier.

  2. Intel SGX SDK for Linux v2.13 and earlier.

Intel® Processors supporting SGX2:

Code Name | Product Collection
Ice Lake Xeon-SP (HCC, XCC) | 3rd Gen Intel® Xeon® Scalable processor family
Ice Lake | 10th Generation Intel® Core™ Processor Family
Gemini Lake | Intel® Pentium® Processor Silver Series, Intel® Celeron® Processor J Series, Intel® Celeron® Processor N Series

How to Fix CVE-2021-0186 The New SmashEx CPU Vulnerability?

Both Intel and Microsoft have rolled out patches to their enclave runtimes to fix CVE-2021-0186, the new SmashEx CPU vulnerability. Intel recommends that Windows users update the Intel® SGX SDK to version 2.13 or later and that Linux users update the Intel® SGX SDK to version 2.14 or later.
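
The affected ranges listed above can be turned into a quick inventory check. This is an added example, not code from Intel or from the original post; it assumes bash with GNU `sort -V`, and the function names and sample hosts are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify Intel SGX SDK versions against the ranges quoted in
# this post (affected: Linux v2.13 and earlier, Windows v2.12 and earlier).
# Function names and the sample inventory are illustrative, not Intel tooling.

# Highest affected major.minor per platform, as stated in the post.
last_affected() {
  case "$1" in
    linux)   echo "2.13" ;;
    windows) echo "2.12" ;;
    *)       return 1 ;;
  esac
}

# Accepts "2.14", "v2.13" or an installer name such as
# sgx_linux_x64_sdk_2.15.100.3.bin; prints the dotted version it contains.
extract_version() {
  printf '%s\n' "${1##*/}" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)*' | tail -n 1
}

# Prints "affected", "patched" or "unknown" for <platform> <version-or-file>.
sdk_status() {
  local limit ver mm newest
  limit=$(last_affected "$1") || { echo unknown; return 0; }
  ver=$(extract_version "$2")
  [ -n "$ver" ] || { echo unknown; return 0; }
  # Compare major.minor only: 2.13.100.4 is still a "v2.13" build, and a
  # plain string compare would wrongly rank 2.9 above 2.13.
  mm=$(printf '%s' "$ver" | cut -d. -f1,2)
  newest=$(printf '%s\n%s\n' "$mm" "$limit" | sort -V | tail -n 1)
  if [ "$newest" = "$limit" ]; then echo affected; else echo patched; fi
}

# Constructed sample inventory: host, platform, installer name or version.
SAMPLE_INVENTORY='build-01 linux sgx_linux_x64_sdk_2.13.100.4.bin
build-02 linux sgx_linux_x64_sdk_2.15.100.3.bin
dev-win-07 windows 2.12
dev-win-09 windows v2.13'

# Prints the hosts whose SDK still falls in the affected range.
affected_hosts() {
  local host platform artifact
  while read -r host platform artifact; do
    if [ "$(sdk_status "$platform" "$artifact")" = affected ]; then echo "$host"; fi
  done <<EOF
$1
EOF
}

affected_hosts "$SAMPLE_INVENTORY"
```

Enclaves built against an affected SDK keep the old runtime code until they are rebuilt with the updated SDK, so the check is most useful on build hosts.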

How To Fix CVE-2021-0186 On Windows:

Microsoft addressed CVE-2021-0186 in its July security updates with version 0.17.1 of the Open Enclave SDK. Those who have installed Open Enclave version 0.17.1 with the July patches are considered safe from SmashEx CPU attacks. However, the results are expected to be presented next month at the ACM conference.

How To Fix CVE-2021-0186 On Linux:

For Linux users, Intel released Intel SGX SDK v2.14 and v2.15 in July and September 2021, respectively. You can download the package for your Linux distribution and install it. Read the release notes for more information.

How To Install Intel SGX SDK On Linux?

Please refer to the

for more details.

To install Intel SGX SDK On Linux:

Step 1. Update repositories in Ubuntu

Use this command to update the repositories on Ubuntu.

$ sudo apt update

Step 2. Download the Intel SGX bin package

Create a directory to hold the Intel SGX SDK file. You can keep it in your home directory as well.

$ sudo mkdir -p /opt/sdk/linux/installer/bin
$ cd /opt/sdk/linux/installer/bin
$ sudo wget https://download.01.org/intel-sgx/sgx-linux/2.15/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.15.100.3.bin

Step 3. Install the Intel SGX bin package

Install the required packages if you don't have them on your server. Change the permissions of the downloaded SGX SDK file to make it executable, then invoke the installer with ./ once the execute permission is set.

$ sudo apt-get install build-essential python
$ sudo chmod +x sgx_linux_x64_sdk_2.15.100.3.bin
$ sudo ./sgx_linux_x64_sdk_2.15.100.3.bin

Step 4. Set up the needed environment variables before compiling Intel SGX installation

Run this command to set up the needed environment variables before compiling your code. Then change the directory to /opt/intel/sgxsdk/SampleCode/LocalAttestation.

$ source /opt/intel/sgxsdk/environment
$ cd /opt/intel/sgxsdk/SampleCode/LocalAttestation

Step 5. Build the Intel SGX code sample in Simulation mode

Run this command to build the code sample in Simulation mode to make sure the package works well.

$ sudo make SGX_MODE=SIM

Step 6. Run the code sample in Simulation mode

Run the compiled code sample in Simulation mode to make sure the package works well.

$ ./app

Note: For hardware build, you may need to install SDK Driver and SDK PSW packages.

This is how you can fix CVE-2021-0186 the new SmashEx CPU Vulnerability on your Windows and Linux machines.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
