Load Value Injection / CVE-2020-0551 / INTEL-SA-00334

Name
Load Value Injection / CVE-2020-0551 / INTEL-SA-00334
Tracking Number
2019-002
First Publish Date
25 Mar 2020
Date of Current Status
25 Mar 20200
Next Planned Update
01 Apr 2020
Description
A vulnerability in Intel processors with SGX (Intel Software Guard Extensions) potentially could allow exfiltration of data from SGX enclaves.
What You Need To Know?
Security researchers reported a flaw in SGX enabled CPUs that may allow an attacker with local user access the ability to read from SGX enclaves that would normally not be accessible. The vulnerability, Load Value Injection (LVI), is tracked by CVE-2020-0551 and Intel-SA-00334. As of this time the CVE status is awaiting analysis by the NIST National Vulnerability Database.

 

Currently there are no known exploit vectors, beyond a theoretical proof of concept. Like previous speculative execution vulnerabilities such as Spectre and Meltdown these types of attacks cannot be used to compromise a computer system by themselves. Additionally, Intel has performed deep analysis and states LVI attacks are not practical in real-world environments.

Local system access is required to exploit vulnerabilities such as LVI, Spectre, Meltdown, and related variants. An attacker would need to gain access to the operating system either directly or by convincing an unsuspecting user to execute malicious code that is capable of evading security controls.

Security experts including SANS have concluded the systems at highest risk are multi-user multi-tenant operating systems such as hypervisor and cloud infrastructures.

What is Xerox Doing About This?
Xerox devices are closed systems based on embedded platforms. Several layers of security controls prevent installation of unauthorized software on Xerox devices:
  • Digitally signed software
  • McAfee whitelisting protection embedded into office devices
  • Onboard software verification

We will continue to monitor the situation and act accordingly to protect our provisions of products to you both now and in the future.

Impact
The risk to Xerox devices is very low for reasons outlined above. Xerox devices are not vulnerable to this type of attack vector. Xerox Software Applications are not impacted. NIST is still assessing and Xerox will continue to monitor and issue updates.
What Should You Do?
We recommend ensuring devices are updated to current firmware and that appropriate security best practices/controls are applied to Xerox devices and environment. Latest device firmware can be found under Support & Drivers on Xerox.com.

 

Always consult with your IT department as appropriate.