Joanna Rutkowska

**Name of the Vulnerable Software and Affected Versions** Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) versions prior to 2nd gen i5 i7 SINIT 51.BIN Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) versions prior to i5 i7 DUAL SINIT 51.BIN Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) versions prior to i7 QUAD SINIT 51.BIN Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) versions prior to GM45 GS45 PM45 SINIT 51.BIN Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) versions prior to Q35 SINIT 51.BIN Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) versions prior to SINIT ACM 1.1 **Description** A buffer overflow issue exists in Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) that allows local users to bypass the Trusted Execution Technology protection mechanism. This issue can be exploited via unspecified vectors, allowing users to perform other unspecified SINIT ACM functions. **Recommendations** For Intel Q67 Express, C202, C204, C206 Chipsets, and Mobile Intel QM67, and QS67 Chipset, update to 2nd gen i5 i7 SINIT 51.BIN or later. For Intel Q57, 3450 Chipsets and Mobile Intel QM57 and QS57 Express Chipset, update to i5 i7 DUAL SINIT 51.BIN and i7 QUAD SINIT 51.BIN or later. For Mobile Intel GM45, GS45, and PM45 Express Chipset, update to GM45 GS45 PM45 SINIT 51.BIN or later. For Intel Q35 Express Chipsets, update to Q35 SINIT 51.BIN or later. For Intel 5520, 5500, X58, and 7500 Chipsets, update to SINIT ACM 1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Xen versions 4.0 through 4.0.1 Xen versions 4.1 through 4.1.0 **Description** The issue allows guest OS users to gain host OS privileges by using DMA to generate MSI interrupts by writing to the interrupt injection registers, specifically when using PCI passthrough on Intel VT-d chipsets that do not have interrupt remapping. **Recommendations** For Xen versions 4.0 through 4.0.1, update to version 4.0.2 or later. For Xen versions 4.1 through 4.1.0, update to version 4.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Intel chipsets versions (including Q35, GM45, PM45 Express, Q45, and Q43 Express) in the SINIT Authenticated Code Module (ACM) **Description** The issue allows local users to bypass the Trusted Execution Technology protection mechanism and gain privileges by modifying the MCHBAR register to point to an attacker-controlled region. This prevents the SENTER instruction from properly applying VT-d protection while an MLE is being loaded. **Recommendations** For Intel Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets, consider restricting access to the MCHBAR register to prevent modification and minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel Desktop and Intel Mobile Boards with BIOS firmware versions DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, MGM965TW, D945GCPE, and DX38BT **Description** The issue allows local administrators with ring 0 privileges to gain additional privileges and modify code that is running in System Management Mode, or access hypervisory memory. This can be achieved by accessing certain remapping registers, as demonstrated at Black Hat 2008 using Xen 3.3. **Recommendations** For Intel Desktop and Intel Mobile Boards with BIOS firmware versions DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, MGM965TW, D945GCPE, and DX38BT, consider restricting access to the BIOS firmware to prevent unauthorized modifications. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intel system software for Trusted Execution Technology (TXT) (affected versions not specified) **Description** The issue allows attackers to bypass intended loader integrity protections. This is demonstrated by exploitation of tboot. As of the given date, the only disclosure is a vague pre-advisory with no actionable information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xen version 3.3 **Description** A heap-based buffer overflow issue exists in the flask security label function in Xen, when compiled with the XSM:FLASK module. This allows unprivileged domain users (domU) to execute arbitrary code via the flask op hypercall. **Recommendations** For Xen version 3.3, at the moment, there is no information about a newer version that contains a fix for this vulnerability.