Intel: Listen up, you NUC-leheads! Mini PCs and compute sticks just got a major security fix

Chipzilla patches firmware, drivers, SDKs

Hot on the heels of Patch Tuesday fixes from Microsoft, Apple, Adobe, and SAP, Intel has dropped its monthly security bundle to address a series of seven CVE-listed vulnerabilities in its firmware and software.

The most serious of the seven is the patch for CVE-2019-11162, a vulnerability in the Intel Computing Improvement Program software. This program is an opt-in diagnostic tool that collects detailed information about the hardware it's running on and less-detailed information about activities such as the types of sites browsed, the applications used, and the region of the world the computer is being used in.

According to Intel, one of the drivers in the tool is the source of the vulnerability, which, while serious, is at least not exploitable over the network. It can be exploited by a bad user or malware already on a system to take control of the box via privilege escalation, crash it, or make it leak information.

"Insufficient access control in hardware abstraction in SEMA driver for Intel Computing Improvement Program before version may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access," Chipzilla says in its summary of the flaw.

Users and admins are advised to update their software to version or later. Credit for the discovery was given to security researcher Jesse Michael.

Another diagnostic tool, the Intel Processor Identification Utility, was the host of CVE-2019-11163, a flaw that would allow a local attacker to leak information, crash the thing, or elevate their privileges.

The updated version is 6.1.0731. Jesse Michael gets credit for finding this bug as well.

Those using Intel's mini-computers or compute stick hardware will want to install the update for CVE-2019-11140, a flaw in the Intel NUC firmware. That vulnerability was blamed on "insufficient session validation" and would allow for elevation of privilege and information disclosure, not the sort of things you want happening to your board's firmware.

The fixed BIOS version is 0066 for NUC boards, 0060 for Compute Stick, and 0037 for Intel Compute Card. Credit goes to researcher Dmitry Frolov.


Meanwhile, Intel has gone so far as to flat out cancel RAID Web Console 2, the source of CVE-2019-0173, an authentication bypass flaw accessible via a network connection. Admins will want to update to RAID Web Console 3 version or later. Credit to trotmaster99.

The Intel Authenticate software has been patched for CVE-2019-11143, a local escalation of privilege vulnerability traced back to improper permissions in the software installer. Users and admins will want to update to version 3.8 or later. Credit for the discovery goes to Tunisian security researcher SaifAllah benMassaoud.

Driver and Support Assistant was updated to patch against CVE-2019-11146, an elevation of privilege bug discovered by HackerOne bug hunter Jakub Palaczynski and CyberArk's researcher Eran Shimony.

The Intel Remote Displays SDK got a patch for CVE-2019-11148, an elevation of privilege bug discovered by flaw finder Marius Gabriel Mihai. Patched versions are 2.0.1 R2 and later. ®
