A group of researchers discovered a new vulnerability that impacts Intel Software Guard eXtensions (SGX). Intel SGX allows user-level code to allocate private regions of memory called enclaves. Researchers devised a proof-of-concept attack called SmashEx that allows them to gain access to sensitive information stored within enclaves.
The Intel SGX bug
Intel SGX is a built-in security mechanism designed to protect enclave code from a compromised OS. However, the SGX design permits the OS to interrupt enclave execution at any point through configurable hardware exceptions.
The researchers noted that this feature allows enclave runtimes (such as Microsoft Open Enclave and Intel SGX SDK) to handle exceptions and signals inside the enclave, but it also opens up enclaves to an additional class of vulnerabilities known as re-entrancy bugs.
The new vulnerability, tracked by Intel as CVE-2021-0186, allows attackers to inject an asynchronous exception during code execution.
What happens in a SmashEx attack?
Based on the findings, researchers created a proof-of-concept attack called SmashEx to demonstrate how this vulnerability can be exploited.
The SmashEx attack exploits enclave SDKs that do not handle re-entrancy caused by interrupts in a secure manner.
When successful, the attack allows an adversary to execute arbitrary code or steal sensitive data such as RSA private keys.
An attacker can stop or interrupt the ongoing code execution, initiate or re-enter another execution in the middle, and complete both executions simultaneously.
Intel has already patched this vulnerability in SGX SDK versions 2.13 for Windows and 2.14 for Linux. Microsoft, which tracks this vulnerability as CVE-2021-33767, has released the update in version 0.17.1 of the Open Enclave SDK.
Researchers have stressed that in real-world scenarios, an increasing number of areas use enclaves that implement asynchronous exceptions. For all such scenarios, it is important to patch devices with the latest updates. Moreover, they have suggested implementing atomicity at the OS-enclave interface to reduce the risk of such attacks.
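The re-entrancy problem and the suggested atomicity can be seen in a small model. This is an added example, not code from the researchers, the Intel SGX SDK or Open Enclave; the `region` context, the handlers and the `in_update` flag are hypothetical names, and the injected exception is simulated by a direct call between the two steps of an update.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical runtime context: scratch area the exception handler writes to. */
typedef struct { char *buf; size_t len; } region_t;
typedef enum { H_OK, H_INCONSISTENT, H_DEFERRED } hresult_t;
typedef hresult_t (*handler_fn)(void);

static char big_buf[64], small_buf[8];
static region_t region = { big_buf, sizeof big_buf };
static atomic_bool in_update;   /* true while region is only half-written */

static size_t capacity(const char *p) {
    return p == big_buf ? sizeof big_buf : sizeof small_buf;
}

/* Re-entered handler that trusts region as-is. A real handler would write
   region.len bytes to region.buf; here we only report the broken invariant. */
static hresult_t handler_unsafe(void) {
    return region.len <= capacity(region.buf) ? H_OK : H_INCONSISTENT;
}

/* Guarded handler: refuses to run while the interrupted code is mid-update,
   so the two-step update behaves atomically from the handler's view. */
static hresult_t handler_guarded(void) {
    if (atomic_load(&in_update)) return H_DEFERRED;
    return handler_unsafe();
}

/* Two-step context switch; inject() models an asynchronous exception that
   the OS delivers between step 1 and step 2. Returns what the handler saw. */
static hresult_t switch_region(handler_fn inject, bool guard) {
    region = (region_t){ big_buf, sizeof big_buf };
    if (guard) atomic_store(&in_update, true);
    region.buf = small_buf;            /* step 1: pointer already switched */
    hresult_t seen = inject();         /* exception lands mid-update */
    region.len = sizeof small_buf;     /* step 2: length catches up */
    if (guard) atomic_store(&in_update, false);
    return seen;
}

int main(void) {
    printf("unguarded handler saw: %d\n", switch_region(handler_unsafe, false));
    printf("guarded handler saw:   %d\n", switch_region(handler_guarded, true));
    printf("after update:          %d\n", handler_guarded());
    return 0;
}
```

The unguarded handler observes the new 8-byte buffer paired with the old 64-byte length, while the guarded handler defers until the update is complete.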