A critical security bug in the Intel Converged Security and Manageability Engine (CSME) could allow escalation of privilege, denial of service or information disclosure.
The details are included in a bug advisory that in total covers 77 vulnerabilities, 67 of which were found by internal Intel staff. The silicon giant has rolled out firmware updates and software patches to address these, which range in severity from the one critical flaw to a low-severity local privilege-escalation issue.
The affected products are: Intel CSME, Intel Server Platform Services (SPS), Intel Trusted Execution Engine (TXE), Intel Active Management Technology (AMT), Intel Platform Trust Technology (PTT) and Intel Dynamic Application Loader (DAL).
The critical flaw is a heap overflow bug with a score of 9.6 out of 10 on the CVSS v.3 severity scale (CVE-2019-0169). It exists in the subsystem in the Intel CSME, which is a standalone chip on Intel CPUs that is used for remote management. The vulnerability and could allow an unauthenticated user to enable escalation of privileges, information disclosure or denial of service via adjacent access.
“Adjacent access” means that an attack must be launched from the same shared physical network or local IP subnet, or from within the same secure VPN or administrative network zone.
As for the other bugs, there’s also a cross-site scripting (XSS) flaw rated as important (CVE-2019-11132). It exists in the subsystem of the Intel AMT and could allow a privileged user to enable privilege escalation via network access.
Intel also fixed a slew of high-severity problems, including an insufficient access control issue (CVE-2019-11147) that could allow local privilege escalation by an authenticated user. It exists in the hardware abstraction driver for the MEInfo software for Intel CSME, TXEInfo software, and the INTEL-SA-00086 and INTEL-SA-00125 Detection Tools.
Other high-severity bugs allow privilege escalation, including logic issues (CVE-2019-11105, CVE-2019-11131) in the subsystems for Intel CSME and Intel AMT; insufficient input validations (CVE-2019-11088, CVE-2019-11104) in the subsystem in Intel AMT, Intel TXE and the MEInfo software for Intel CSME; insufficient input validation for the firmware update software for Intel CSME (CVE-2019-11103); and improper directory permissions (CVE-2019-11097) in the installer for Intel Management Engine Consumer Driver for Windows and Intel TXE.
Rounding out the high-severity bugs is an insufficient input validation (CVE-2019-0131) in the subsystem in Intel AMT that could allow an unauthenticated user to carry out denial of service or information disclosure via adjacent access.
Intel issued the update as part of its monthly security-fix cadence; it credited Daniel Moghimi and Berk Sunar from Worcester Polytechnic Institute, Thomas Eisenbarth from University of Lubeck, Nadia Heninger from University of California at San Diego, and Leon Nilges from n0xius and Jesse Michael from Eclypsium for uncovering 10 of the bugs.
What are the top risks to modern enterprises in the peak era of data breaches? Find out: Join breach expert Chip Witt from SpyCloud and Threatpost senior editor Tara Seals, in our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.