Intel Patches High-Severity Flaw in Security Engine

The high-severity vulnerability could enable denial of service, privilege escalation and information disclosure.

Intel is warning of a high-severity flaw in the firmware of its converged security and management engine (CSME), which if exploited could allow privilege escalation, denial of service and information disclosure.

CSME powers Intel’s Active Management System hardware and firmware technology, used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations.

The subsystem of CSME has an improper authentication bug (CVE-2019-14598), which has a CVSS score of 8.2 out of 10.0, making it high severity. A privileged user, with local access, could exploit the flaw to launch an array of attacks, according to Intel.

“Intel recommends updating to Intel CSME versions 12.0.49, 13.0.21, and 14.0.11 or later provided by the system manufacturer that addresses these issues,” according to Intel’s advisory. “Intel recommends IOT customers using Intel CSME version 12.0.55 to update to 12.0.56 or later provided by the system manufacturer that addresses these issues.”

It’s not the first serious flaw found in CSME. In November, a critical flaw in CSME was patched that could allow escalation of privilege, denial of service or information disclosure. Another critical flaw discovered in May could allow an authenticated user to enable escalation of privilege over network access in CSME.

Overall, Intel patched six flaws on Tuesday, including the high-severity flaw in CSME. The remainder of the vulnerabilities were medium- and low-severity.

A medium-severity flaw was found in the Intel Renesas Electronics USB 3 driver, the driver for the USB 3 Renesas Electronics adapter that comes in many common Intel motherboards. The flaw allows privilege escalation (CVE-2020-0560) and stems from improper permissions in the installer. Intel said that rather than releasing updates, it has issued a product discontinuation notice for the driver. All versions of the driver are affected.

“Intel has issued a Product Discontinuation notice for Intel Renesas Electronics USB 3.0 Driver and recommends that users of the Intel Renesas Electronics USB 3.0 Driver uninstall it or discontinue use at their earliest convenience,” Intel said.

Two medium-severity flaws exist in versions of the Intel RAID Web Console, which allows users to configure the Intel RAID custom storage controllers and disk drives installed on a system. One medium-severity privilege escalation flaw exists in Intel RAID Web Console 3 for Windows (CVE-2020-0564), which stems from improper permissions in the installer. The other exists in Intel RAID Web Console 2, also stemming from improper permissions in the installer (CVE-2020-0562). Intel also patched a medium-severity flaw in Intel Manycore Platform Software Stack, a series of Intel software components necessary to run the Intel Xeon Phi Coprocessor. The flaw (CVE-2020-0563) allows privilege escalation and stems from improper permissions in the installer.

Finally, a low-severity flaw was discovered and patched in the Intel Software Guard Extension (SGX) SDK, which if exploited could enable privilege escalation.

These are only the latest Intel security updates. In January, Intel warned of a high-severity vulnerability in its performance analysis tool called Intel VTune Profiler. If exploited, the flaw allows an adversary to perform a privilege escalation attack, giving them elevated and unauthorized access to a targeted system. Also in January, Intel disclosed a new speculative execution-type attack, dubbed CacheOut, that could allow attackers to trigger data leaks from most Intel CPUs.
