Information disclosure in Intel products - CVE-2022-21166
Published: June 14, 2022 / Updated: July 20, 2022
Vulnerability identifier: #VU64366
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-21166
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Intel
Affected software:
Intel SGX DCAP for Linux
Intel SGX PSW for Linux
Intel SGX DCAP for Windows
Intel SGX PSW for Windows
Intel SGX SDK for Linux
Intel SGX SDK for Windows
Intel SGX DCAP for Linux
Intel SGX PSW for Linux
Intel SGX DCAP for Windows
Intel SGX PSW for Windows
Intel SGX SDK for Linux
Intel SGX SDK for Windows
Detailed vulnerability description
The vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists in Intel processors due to excessive data output when DirectPath I/O (PCI-Passthrough) is utilized. An attacker (both local and remote) with administrative access to a virtual machine that has an attached DirectPath I/O (PCI-Passthrough) device can obtain information stored in physical memory about the hypervisor or other virtual machines that reside on the same host.
How to mitigate CVE-2022-21166
Install updates from vendor's website.