If you've got Intel inside, you probably need to get these security patches inside, too

So. Many. BIOS. Bugs

Intel has disclosed high-severity bugs in its firmware that's used in datacenter servers, workstations, mobile devices, storage products, and other gear. These flaws can be exploited to escalate privileges, leak information, or stop things from working.

You should check for any updates for your Intel-powered hardware, and install them when ready. Though it appears these holes are not exploitable over networks, and require at least some level of local access, we'd hate for an organization or user to find themselves thoroughly compromised by an intruder, rogue user, or malware via these – so, take note.

In addition to patching these high-severity vulnerabilities, Intel also issued an advisory for what it's called a speculative cross-store bypass, a data-leaking hardware-level security shortcoming it reckons is low in severity and which affects some of its processors. 

This design oversight (CVE-2021-33149) is related to the data-leaking, speculative-execution-based Spectre and Meltdown families of flaws. Essentially, data in use by software can be unexpectedly leaked to a malicious program running on the same computer. The solution for this is to modify applications and other software so that they cannot be snooped on. Specifically, Intel recommends adding an LFENCE instruction after certain load instructions in vulnerable sections of multi-threaded code.
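To make the recommended mitigation concrete, here is an added example (not code from Intel's advisory or from this article) of a producer/consumer pattern in C, with the consumer shown both without and with an LFENCE placed after the load of the shared flag. The struct layout, function names and the choice of which load to follow with the fence are assumptions made for illustration; which load sequences Intel actually flags is not reproduced here. LFENCE on Intel processors does not begin executing until all prior instructions have completed, and no later instruction starts until LFENCE completes, which is why it serves as a barrier against speculating past a load.

```c
/* Added example: where an LFENCE goes in a shared-memory consumer.
 * Not the advisory's or the article's code; layout and names are assumed. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
/* On x86 emit the real instruction Intel's guidance refers to. */
#define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#else
/* Non-x86 build: there is no LFENCE; a compiler-only barrier keeps the
 * example compiling but provides no hardware speculation control. */
#define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory")
#endif

/* A slot a producer thread fills and a consumer thread reads (assumed layout). */
typedef struct {
    _Atomic int ready;     /* 0 = empty, 1 = payload is valid */
    uint32_t payload[4];
} shared_slot_t;

/* Producer side: write the data, then publish it with a release store. */
void produce(shared_slot_t *slot, uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    slot->payload[0] = a;
    slot->payload[1] = b;
    slot->payload[2] = c;
    slot->payload[3] = d;
    atomic_store_explicit(&slot->ready, 1, memory_order_release);
}

/* Unmitigated consumer: the loads of payload[] that depend on the branch may be
 * issued speculatively before the load of `ready` has resolved. */
uint32_t consume_unmitigated(const shared_slot_t *slot)
{
    if (atomic_load_explicit(&slot->ready, memory_order_acquire) == 0)
        return 0;
    return slot->payload[0] ^ slot->payload[1] ^ slot->payload[2] ^ slot->payload[3];
}

/* Mitigated consumer: the LFENCE directly after the load of `ready` stops
 * younger instructions from executing until that load has completed. */
uint32_t consume_mitigated(const shared_slot_t *slot)
{
    int ready = atomic_load_explicit(&slot->ready, memory_order_acquire);
    SPECULATION_BARRIER();
    if (ready == 0)
        return 0;
    return slot->payload[0] ^ slot->payload[1] ^ slot->payload[2] ^ slot->payload[3];
}

int main(void)
{
    shared_slot_t slot = {0};
    printf("before produce: %u\n", consume_mitigated(&slot));
    produce(&slot, 1, 2, 3, 4);
    printf("after produce:  %u\n", consume_mitigated(&slot));
    return 0;
}
```

The two consumers return the same values; the difference is only in what the core may do speculatively between the flag load and the payload loads. Because LFENCE is a hardware cost on a hot path, the advisory's guidance is to apply it in the specific vulnerable sections rather than after every load.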

An Intel spokesperson told The Register it is not aware of any in-the-wild exploitation of the vulnerabilities disclosed this week.

The most severe security issues include local privilege escalation vulnerabilities in Intel's firmware that impact systems powered by various Xeon, Xeon Scalable, Rocket Lake, Core, and Core X-series processors. Intel has released BIOS updates for all of these.

CVE-2021-0154, which received an 8.2-out-of-10 severity score, can be exploited by an already privileged user to further escalate their access rights; it stems from improper input validation in the x86 giant's firmware code. Three other bugs – CVE-2021-0153, CVE-2021-33123 and CVE-2021-0190 – were also rated 8.2, high severity, and could likewise lead to escalation of privilege via local access by a privileged user; they are due to an out-of-bounds write, improper access control, and an uncaught exception in the BIOS firmware, respectively.

Five similar high-severity local privilege escalation (LPE) vulns in the BIOS firmware received CVSS scores from 7.4 to 7.9, and are due to insufficient control flow management (CVE-2021-33122), an out-of-range pointer offset (CVE-2021-0189), an out-of-bounds write (CVE-2021-33124), an unintended intermediary (CVE-2021-33103) and improper input validation (CVE-2021-0159).

In addition to the BIOS bugs, three high-severity firmware vulns affect Intel Optane Solid-State Drive (SSD) and Optane SSD Data Center storage products.

CVE-2021-33078, which received a CVSS score of 7.9, is a race-condition bug that Intel noted "may allow a privileged user to potentially enable denial of service via local access."

The other two ranked 7.3 on the severity meter, in part because they require physical access to a system to be exploited. An unauthenticated user could use CVE-2021-33077 to escalate privileges, and CVE-2021-33080 could allow an unauthenticated user to disclose sensitive information or escalate privileges.

And finally, Intel issued firmware updates for three LPE security flaws in its NUC computers. All three received 7.5 CVSS scores.

In addition to the high-severity vulnerabilities, Intel reported nine medium-severity flaws in its BIOS and Optane SSD firmware, Extreme Tuning Utility (XTU) software, and Advisor software. ®
