This article is more than 1 year old
Intel: Listen up, you NUC-leheads! Mini PCs and compute sticks just got a major security fix
Chipzilla patches firmware, drivers, SDKs
Hot on the heels of Patch Tuesday fixes from Microsoft, Apple, Adobe, and SAP, Intel has dropped its monthly security bundle to address a series of seven CVE-listed vulnerabilities in its firmware and software.
The most serious of the seven is the patch for CVE-2019-11162, a vulnerability in the Intel Compute Improvement Program software. This program is an opt-in diagnostic tool that collects detailed information about the hardware it's running on and less-detailed information about activities like type of sites browsed, applications used and what region of the world the computer is being used in.
According to Intel, one of the drivers in the tool is actually the source of the vulnerability, which while serious is not exploitable over the network, at least. It can be exploited by a bad user or malware already on a system to take control of the box via privilege escalation, or crash it or make it leak information.
"Insufficient access control in hardware abstraction in SEMA driver for Intel Computing Improvement Program before version 2.4.0.04733 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access," Chipzilla says in its summary of the flaw.
Users and admins are advised to update their software to version 2.4.0.04733 or later. Credit for the discovery was given to security researcher Jesse Michael.
Another diagnostic tool, the Intel Processor Identification Utility, was the host of CVE-2019-11163, a flaw that would allow a local attacker to leak information, crash the thing, or elevate their privileges.
The updated version is 6.1.0731. Jesse Michael gets credit for finding this bug as well.
Those using Intel's mini-computers or compute stick hardware will want to install the update for CVE-2019-11140, a flaw in the Intel NUC firmware. That vulnerability was blamed on "insufficient session validation" and would allow for elevation of privilege and information disclosure, not the sort of things you want happening to your board's firmware.
The fixed BIOS version is 0066 for NUC boards, 0060 for Compute Stick, and 0037 for Intel Compute Card. Credit goes to researcher Dmitry Frolov.
This summer's hottest sequels: BlueKeep II, III, IV and V – the latest wormable RDP holes in Microsoft WindowsREAD MORE
Meanwhile, Intel has gone so far as to flat out cancel RAID Web Console 2, the source of CVE-2019-0173, an authentication bypass flaw accessible via a network connection. Admins will want to update to RAID Web Console 3 version 7.009.011.000 or later. Credit to trotmaster99.
The Intel Authenticate software has been patched for CVE-2019-11143, a local escalation of privilege vulnerability traced back to improper permissions in the software installer. Users and admins will want to update to version 3.8 or later. Credit for the discovery goes to Tunisian security researcher SaifAllah benMassaoud.
Driver and Support Assistant was updated to 220.127.116.11 to patch against CVE-2019-11146, an elevation of privilege bug discovered by Hacker One bug hunter Jakub Palaczynski and CyberArk's researcher Eran Shimony.
The Intel Remote Displays SDK got a patch for CVE-2019-11148, an elevation of privilege bug discovered by flaw finder Marius Gabriel Mihai. Patched versions are 2.0.1 R2 and later. ®