HPE security advisory (AV26-361)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in HPE Cray Supercomputing EX420 Compute Blade (Intel TDX)
## CVE Details
*Note: The primary advisory (AV26-361) references the INTEL-SA-01397 bundle. Individual CVEs within this bundle typically include:*
- **CVE ID:** CVE-2023-45544, CVE-2023-47020 (and others associated with INTEL-SA-01397)
- **CVSS Score:** Up to 7.2 (High)
- **CWE:** CWE-20 (Improper Input Validation), CWE-200 (Exposure of Sensitive Information)
## Affected Systems
- **Products:** HPE Cray Supercomputing EX420 Compute Blade (Servers using Intel Processors)
- **Versions:** Versions prior to 1.91
- **Configurations:** Systems utilizing Intel Trust Domain Extensions (Intel TDX) and Intel processors as part of the 2026.1 Intel Platform Update (IPU) cycle.
## Vulnerability Description
The vulnerabilities exist within the Intel Trust Domain Extensions (TDX) module and associated firmware. These flaws are generally caused by improper input validation or logic errors within the Trusted Execution Environment (TEE). In the context of the EX420 Compute Blade, these vulnerabilities could allow for unauthorized escalation of privilege, information disclosure, or denial of service by bypassing the hardware-level isolation provided by Intel TDX.
## Exploitation
- **Status:** Not currently reported as exploited in the wild.
- **Complexity:** High (Typically requires the ability to execute code within a specific domain or guest environment to attempt a breakout or data leak).
- **Attack Vector:** Local (Most TDX vulnerabilities require local access to a guest VM or the host to trigger).
## Impact
- **Confidentiality:** High (Potential leakage of data from protected "Trust Domains").
- **Integrity:** High (Potential unauthorized modification of state within the secure enclave).
- **Availability:** Medium (Potential for system crashes or hangs during exploitation attempts).
## Remediation
### Patches
HPE recommends updating the HPE Cray Supercomputing EX420 Compute Blade firmware to the following version:
- **Version 1.91 or later**
### Workarounds
- No specific software-level workarounds are provided. Remediation requires firmware-level updates to address the underlying Intel microcode and TDX module flaws.
- Follow the principle of least privilege for virtualized workloads to minimize the risk of a malicious actor gaining the initial foothold required to attempt an exploit.
## Detection
- **Indicators of Compromise:** Unusual stability issues in TD-enabled virtual machines or unexpected processor exceptions.
- **Detection methods and tools:** Monitor system logs for hardware errors related to the Intel TDX module. Use vendor-provided tools (such as Intel’s capability check tools) to verify if the CPU microcode and firmware are at the patched revision.
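
To act on the "versions prior to 1.91" threshold across a fleet, the sketch below triages a firmware inventory. It is an added example, not HPE or Intel tooling; the CSV layout, node names, and the assumption that versions order component by component as integers (so 1.9 < 1.91 < 1.100) are illustrative.

```python
import csv
import io
import re

FIXED_VERSION = (1, 91)  # from the advisory: versions prior to 1.91 are affected

# Constructed sample inventory; node names and column layout are assumptions.
SAMPLE_INVENTORY = """\
node,product,firmware
x1000c0s0b0,EX420,1.90
x1000c0s1b0,EX420,1.91
x1000c0s2b0,EX420,1.100
x1000c0s3b0,EX420,1.9
x1000c0s4b0,EX420,v1.91.2
x1000c0s5b0,EX420,
x1000c0s6b0,EX420,unknown
x1000c0s7b0,other-blade,1.10
"""

def parse_version(text):
    """Return a tuple of ints for '1.91' or 'v1.91.2'; None if unreadable."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(firmware):
    """Compare numerically; string or float comparison would misorder 1.100."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # never count an unreadable version as patched
    width = max(len(version), len(FIXED_VERSION))
    pad = lambda v: v + (0,) * (width - len(v))  # (1,) compares as (1, 0)
    return "patched" if pad(version) >= pad(FIXED_VERSION) else "needs-update"

def triage(inventory_csv, product="EX420"):
    """Map node -> status for rows matching the affected product."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip() != product:
            continue
        results[row["node"]] = classify(row["firmware"] or "")
    return results

if __name__ == "__main__":
    for node, status in triage(SAMPLE_INVENTORY).items():
        print(f"{node}\t{status}")
```

Nodes reported as `unknown` should be queried directly rather than assumed compliant.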
## References
- HPE Security Advisory: hxxps[://]support[.]hpe[.]com/hpesc/public/docDisplay?docId=hpesbcr05043en_us
- Intel Security Advisory: hxxps[://]www[.]intel[.]com/content/www/us/en/security-center/advisory/intel-sa-01397[.]html
- Canadian Centre for Cyber Security Alert: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/hpe-security-advisory-av26-361