If you've got Intel inside, you probably need to get these security patches inside, too
So. Many. BIOS. Bugs
Intel has disclosed high-severity bugs in its firmware that's used in datacenter servers, workstations, mobile devices, storage products, and other gear. These flaws can be exploited to escalate privileges, leak information, or stop things from working.
You should check for any updates for your Intel-powered hardware, and install them when ready. Though it appears these holes are not exploitable over networks, and require at least some level of local access, we'd hate for an organization or user to find themselves thoroughly compromised by an intruder, rogue user, or malware via these – so, take note.
In addition to patching these high-severity vulnerabilities, Intel also issued an advisory for what it's called a speculative cross-store bypass, a data-leaking hardware-level security shortcoming it reckons is low in severity and which affects some of its processors.
This design oversight (CVE-2021-33149) is related to the data-leaking, speculative-execution-based Spectre and Meltdown families of flaws. Essentially, data in use by software can be unexpectedly leaked to a malicious program running on the same computer. The solution for this is to modify applications and other software so that they cannot be snooped on. Specifically, Intel recommends adding an LFENCE instruction after certain load instructions in vulnerable sections of multi-threaded code.
An Intel spokesperson told The Register it is not aware of any in-the-wild exploitation of the vulnerabilities disclosed this week.
The most severe security issues include local privilege escalation vulnerabilities in Intel's firmware that impact systems powered by various Xeon, Xeon Scalable, Rocket Lake, Core, and Core X-series processors. Intel has released BIOS updates for all of these.
CVE-2021-0154, which received an 8.2-out-of-10 severity score can be exploited by an already privileged user to further escalate their access rights, and involves improper input validation in the x86 giant's firmware code. Three other bugs – CVE-2021-0153, CVE-2021-33123 and CVE-2021-0190 – were also ranked as 8.2 high-severity vulns, and could also lead to escalation of privilege via local access by a privileged user, and are due to out-of-bounds write, improper access control, and uncaught exception in the BIOS firmware, respectively.
- Another data-leaking Spectre bug found, smashes Intel, Arm defenses
- Microsoft closes Windows LSA hole under active attack
- Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign
- How Intel and AMD hope to win the cloud security game
Five similar high-severity local privilege escalation (LPE) vulns in the BIOS firmware received CVSS scores between 7.9 and 7.4, and are due to insufficient control flow management (CVE-2021-33122), out-of-range pointer offsets (CVE-2021-0189), out-of-bounds write flaws (CVE-2021-33124), unintended intermediary (CVE-2021-33103) and improper input validation (CVE-2021-0159).
In addition to the BIOS bugs, three high-severity firmware vulns affect Intel Optane Solid-State Drive (SSD) and Optane SSD Data Center storage products.
CVE-2021-33078, which received a CVSS score of 7.9, is a race-condition bug that Intel noted "may allow a privileged user to potentially enable denial of service via local access."
The other two ranked 7.3 on the severity meter, in part due to the fact they need physical access to a system to be exploited. An unauthenticated user could use CVE-2021-33077 to escalate privileges, and CVE-2021-33080 could allow an unauthenticated user to disclose sensitive information or escalate privileges.
And finally, Intel issued firmware updates for three LPE security flaws in its NUC computers. All three received 7.5 CVSS scores.
- Advanced persistent threat
- Alder Lake
- Black Hat
- Bug Bounty
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Pat Gelsinger
- Remote Access Trojan
- Trusted Platform Module
- Zero Day Initiative
- Zero trust