This article is more than 1 year old
Intel's latest patch set plugs some serious holes in CPU, Bluetooth, server, and – ironically – security lines
Reports through Chipzilla's bug bounty scheme growing, but still in the minority
Intel has pushed out a raft of security advisories for June, bringing its total discovered "potential vulnerabilities" for the year to date to 132, only a quarter of which were reported by external contributors and the company's bug bounty programme.
"Today we released 29 security advisories addressing 73 vulnerabilities," Intel's Jerry Bryant said of the company's latest updates. "40 of those, or 55 per cent, were found internally through our own proactive security research. Of the remaining 33 CVEs being addressed, 29, or 40 per cent, were reported through our bug bounty programme."
While the bug bounty programme may have accounted for a minority of this month's vulnerabilities, in the context of 2021 so far, that's more than usual. For the 132 "potential vulnerabilities" patched, a whopping 75 per cent were discovered by Chipzilla's internal security team – and 70 per cent patched out before public disclosure.
This month's patch set includes fixes for a range of issues, several of them rated as high severity – including four local privilege escalation vulnerabilities in firmware for its CPU products; another local privilege escalation vulnerability in Intel Virtualization Technology for Directed I/O (VT-d); a somewhat ironic network-exploitable privilege escalation vulnerability in the Intel Security Library; yet another locally exploitable privilege escalation in the NUC family of computers; still more in its Driver and Support Assistant (DSA) software and RealSense ID platform; and a denial-of-service (DoS) vulnerability in selected Thunderbolt controllers. Phew.
- Extra urgency in June's Patch Tuesday: Microsoft warns six more bugs are being exploited
- When the chips are down, Intel's biggest gamble isn't what to do – it's whom to do it with
- Intel finds a couple more 11th-gen Core chips, one hits 5.0GHz in laptops
- Intel throws sand in the face of 'musclebooks' with 10nm Tiger Lake tech
Intel's advisories also include a patch for a medium-severity vulnerability in BlueZ, a Bluetooth software stack for Linux, which can allow for man-in-the-middle attacks against supposedly secure Bluetooth and Bluetooth Low Energy (BLE) connections. Another medium-rated vulnerability affecting Intel's processors allows for locally exploitable information disclosure through "observable response discrepancy in floating-point operations."
System administrators with Intel Server Board M10JNP2SB systems in use, following their release in late 2019, are advised to patch a series of high-severity vulnerabilities in the system's baseboard management controller (BMC) which allow for privilege escalation and denial-of-service attacks.
"Overall," Bryant concluded, "95 per cent of the issues being addressed today are the result of our ongoing investments in security assurance, which is consistent with our 2020 Product Security Report."
"Bug bounty programmes are rising in popularity as they offer both organisation and bounty hunter a benefit to finding a vulnerability," opined ESET UK cybersecurity expert Jake Moore on Intel's announcement. "Suggesting 40 per cent were found through its own programme, however, suggests that it's both productive as well as nodding to the possibility of having more severe vulnerabilities than they would ideally like. It is vital for any users with affected products to update to the latest firmware as soon as possible."
The full list of patches, and links to their CVE entries, is available on the Intel Security Centre. ®