Intel has released its June security updates, which address two critical vulnerabilities that, if exploited, can give unauthenticated attackers elevated privileges.
The critical flaws exist in Intel’s Active Management Technology (AMT), which is used for remote out-of-band management of personal computers.
The two critical flaws (CVE-2020-0594 and CVE-2020-0595) exist in the IPv6 subsystem of AMT (and Intel’s Standard Manageability solution, which has a similar function as AMT). The flaws could potentially enable an unauthenticated user to gain elevated privileges via network access. AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 are affected.
CVE-2020-0594 is an out-of-bounds read flaw while CVE-2020-0595 is a use-after-free vulnerability. Both flaws ranks 9.8 out of 10.0 on the CVSS scale, making them critical.
A high-severity privilege escalation flaw, existing in the Intel Innovation Engine, was also patched. Innovation Engine is an embedded core in the Peripheral Controller Hub (PCH), that is a dedicated subsystem that system vendors can use to customize their firmware.
The flaw (CVE-2020-8675) stems from insufficient control flow management in the Innovation Engine’s firmware build and signing tool, before version 1.0.859, may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
A flaw was also fixed in Intel’s Solid State Drive (SSD) products, which allow information disclosure. The flaw (CVE-2020-0527) stems from insufficient control flow management in firmware for some Intel Data Center SSDs (a list of affected products can be found here).
The flaw “may allow a privileged user to potentially enable information disclosure via local access,” according to Intel.
Intel also fixed flaws in the BIOS firmware for some Intel Processors, which may enable escalation of privilege or denial of service (DoS). That includes a high-severity flaw (CVE-2020-0528) stemming from Improper buffer restrictions in the BIOS firmware for 7th, 8th, 9th and 10th Generation Intel Core processor families. In order to exploit this flaw, an attacker would need to be authenticated (for privilege escalation) and have local access (for DoS).
“Intel recommends that users update to the latest firmware version provided by the system manufacturer that addresses this issue,” according to the chip giant’s advisory.
Intel also fixed an array of high-severity flaws (including CVE-2020-0586, CVE-2020-0542, CVE-2020-0596,CVE-2020-0538, CVE-2020-0534, CVE-2020-0533, CVE-2020-0566 and CVE-2020-0532)across its Converged Security and Manageability Engine (CSME), Server Platform Services (SPS), Trusted Execution Engine (TXE) and Dynamic Application Loader (DAL) products.
CrossTalk Flaw
One medium-severity flaw disclosed Tuesday by Intel (CVE-2020-0543) was called “CrossTalk” by security researchers who revealed technical details of the vulnerability. The flaw is related to a new class of flaws uncovered in 2019, called Microarchitectural Data Sampling (MDS), which utilize side channel attacks to siphon data from impacted systems. The flaw could enable an attacker with local access to run code that can obtain data from an app running on a different CPU core (different than the CPU code that’s running the attacker’s code).
“Until now, all the attacks assumed that attacker and victim were sharing the same core, so that placing mutually untrusting code on different cores would thwart such attacks,” researchers said in a Tuesday post. “Instead, we present a new transient execution vulnerability, which Intel refers to as “Special Register Buffer Data Sampling” or SRBDS (CVE-2020-0543), enabling attacker-controlled code executing on one CPU core to leak sensitive data from victim software executing on a different core.”
The flaw scores 6.5 out of 10.0 on the CVSS scale, making it medium-severity. It comes with caveats – an attacker could need to be authenticated and have local access to the user’s device. However, CrossTalk does impact over 50 Intel mobile, desktop, server and workstation processors (a list of which can be found here).
Intel implemented a mitigation for CrossTalk in a microcode update distributed to software vendors, which locks the entire memory bus before updating the staging buffer and only unlocks it after clearing its content –ensuring no information is exposed to off-core requests issued from other CPU cores.
Overall, in its June security update Intel fixed flaws tied to 22 CVEs. Of note, Intel did not release any fixes for flaws in May. In April, Intel patched high-severity flaws in its Next Unit Computing (NUC) mini PC firmware, and in its Modular Server MFS2600KISPP Compute Module.
Alyssa Milburn, Hany Ragab, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amsterdam were credited with reporting the flaw.