• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2021-0186 The New SmashEx CPU Vulnerability?
How to Fix CVE-2021-0186 The New SmashEx CPU Vulnerability

Researchers from a group of academics from ETH Zurich, the National University of Singapore, and the Chinese National University of Defense Technology disclosed a vulnerability (CVE-2021-0186) that affects Intel processors. As per the reach, attackers could abuse the vulnerability (CVE-2021-0186) not only to steal sensitive information stored within enclaves but also can run arbitrary code on vulnerable systems. Let’s see how to fix CVE-2021-0186 the new SmashEx CPU vulnerability in this post.

What Is Software Guard Extensions (SGX) In Intel Processors?

Intel introduced Software Guard eXtensions in short SGX with the release of Intel’s Skylake processors. SGX was primarily designed to run selected application modules in a completely isolated memory, which is called an enclave or a Trusted Execution Environment (TEE). The main purpose of SGX is to protect application modules from high privilege processes like the operating system. However, Intel allowed operating system processes to interrupt the enclave execution through configurable hardware exceptions for normal operations. This allows enclave runtimes like Intel SGX SDK and Microsoft Open Enclave to support enclave execution interruptions which lead enclaves to live with re-entrancy vulnerabilities.

What Is SmashEx Attack?

“SmashEx is an attack that exploits re-entrancy vulnerabilities in the exception handling designs of Intel SGX (Software Guard eXtensions) enclave runtimes.This result in Improper input validation vulnerabilities in the Intel(R) SGX SDK applications. This enables adversaries to steal sensitive information stored within enclaves or perform arbitrary code execution inside the victim enclave.

Summary of CVE-2021-0186 The New SmashEx CPU Vulnerability:

CVEIDCVE-2021-0186
CVSS Base Score8.2
DescriptionImproper input validation in enclave runtimes like Intel SGX SDK and Microsoft Open Enclave
Advisory Category:Software
Impact of vulnerability:Escalation of Privilege
Severity rating:HIGH

Products Affected by CVE-2021-0186 The New SmashEx CPU Vulnerability:

Some Intel Processor modules and software enclave runtime applications are prone to CVE-2021-0186vulnerability. Software:

  1. Intel SGX SDK for Windows v2.12 and earlier.
  2. Intel SGX SDK for Linux v2.13 and earlier.

Intel® Processors supporting SGX2:

Code NameProduct Collection
Ice Lake Xeon-SP (HCC, XCC)3rd Gen Intel® Xeon® Scalable processor family
Ice Lake10th Generation Intel® Core™ Processor Family
Gemini LakeIntel® Pentium® Processor Silver Series, Intel® Celeron® Processor J Series, Intel® Celeron® Processor N Series

How to Fix CVE-2021-0186 The New SmashEx CPU Vulnerability?

Both Intel and Microsoft have rolled out patches to their enclave runtimes to Fix CVE-2021-0186 the new SmashEx CPU vulnerability. Inter recommends Windows users to update Intel® SGX SDK to version 2.13 or later and Linux users to update Intel® SGX SDK to version 2.14 or later.

How To Fix CVE-2021-0186 On Windows:

Microsoft addressed this CVE-2021-0186 vulnerability in its July month’s security updates with Open Enclave version 0.17.1 of the SDK. Those who have installed Open Enclave version 0.17.1 with July months patches they are considered safe from SmashEx CPU attacks. However, the results are expected to be presented next month at the ACM conference.

See Also  How to Fix CVE-2021-1588- A Denial of Service Vulnerability in Cisco NX-OS Software

How To Fix CVE-2021-0186 On Linux:

For Linux users, Intel released Intel SGX SDK v 2.14 and v 2.15 in July and Sep 2021 respectively. You can download the packages for your Linux distributions and install on them. Read the release notes for more information.

DetailsRelease DateDownloads
Intel SGX Linux 2.15 Release

Release Notes
Sep 30, 2021Intel(R) SGX Installers for Ubuntu* 18.04
Intel(R) SGX Installers for Ubuntu* 20.04
Intel(R) SGX Installers for Red Hat* Enterprise Linux* Server 8.2
Intel(R) SGX Installers for CentOS* 8.2
Intel(R) SGX Eclipse* Plug-in
SHA256SUM for Installers and Plug-in
Prebuilt AE Binaries
Prebuilt Optimized Libraries Binaries
Prebuilt as/ld/objdump/gold Binaries
SHA256SUM for Prebuilt Binaries
Documentation
Intel SGX Linux 2.14 Release
Version: Linux 2.14 Open Source
Release Notes
Jul 13, 2021Intel(R) SGX Installers for Ubuntu* 18.04
Intel(R) SGX Installers for Ubuntu* 20.04
Intel(R) SGX Installers for Red Hat* Enterprise Linux* Server 8.2
Intel(R) SGX Installers for Red Hat* Enterprise Linux* Server 7.6
Intel(R) SGX Installers for Fedora 31 Server
Intel(R) SGX Installers for CentOS* 8.2
Intel(R) SGX Eclipse* Plug-in
SHA256SUM for Installers and Plug-in
Prebuilt AE Binaries
Prebuilt Optimized Libraries Binaries
Prebuilt as/ld/objdump/gold Binaries
SHA256SUM for Prebuilt Binaries
Documentation

How To Install Intel SGX SDK On Linux?

Please refer to the Intel SGX SDK installation guide for more details.

Time needed: 10 minutes.

Install Intel SGX SDK On Linux

  1. Update repositories in Ubuntu

    Use this command to update the repositories on Ubuntu.

    $ sudo apt update

    update repositories in Ubuntu

  2. Download the Intel SGX bin package

    Create a directory to hold the Intel SGX SDK file. You can keep this on your home directory as well.

    $ sudo mkdir /opt/sdk/linux/installer/bin
    $ cd /opt/sdk/linux/installer/bin
    $ sudo wget https://download.01.org/intel-sgx/sgx-linux/2.15/distro/ubuntu20.04-server/sgx_linux_x64_sdk_2.15.100.3.bin


    Download the Intel SGX bin package

  3. Install the Intel SGX bin package

    Install the required packages if you don’t have them on your server. Change the permission of the downloaded SGX SDK file and set it to execution. Invoke the installation with ‘./’ upon enabling the execution permission.

    $ sudo apt-get install build-essential python

    $ sudo chmod +x sgx_linux_x64_sdk_2.15.100.3.bin
    $ sudo ./sgx_linux_x64_sdk_2.15.100.3.bin


    Install the Intel SGX bin package

  4. Set up the needed environment variables before compiling Intel SGX installation

    Run this command to set up the needed environment variables before compiling your code. Then change the directory to /opt/intel/sgxsdk/SampleCode/LocalAttestation.

    $ source /opt/intel/sgxsdk/environment
    $ cd /opt/intel/sgxsdk/SampleCode/LocalAttestation


    set up the needed environment variables before compiling Intel SGX installation

  5. Intel SGX package built-in simulation mode

    Run this command to build the code sample in Simulation mode to make sure the package works well.

    $ sudo make SGX_MODE=SIM

    Intel SGX package built in simulation mode

  6. Compile and run each code sample in Simulation mode

    Run this command to compile and run code sample in Simulation mode to make sure the package works well.

    $ ./app

    Compile and run each code sample in Simulation mode

Note: For hardware build you may need to install SDK Driver and SDK PSW packages.

This is how you can fix CVE-2021-0186 the new SmashEx CPU Vulnerability on your Windows and Linux machines.

We hope this post would help you in fixing CVE-2021-0186 the new SmashEx CPU Vulnerability on your Windows and Linux machines. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

See Also  How to Fix CVE-2023-1874- A High Severity Privilege Escalation Vulnerability in WP Data Access WordPress Plugin?

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.