Intel has unleashed 29 security advisories to plug up some serious bugs in the BIOS firmware for Intel processors, as well as in its Bluetooth products, Active Management Technology tools, the NUC Mini PC line, and, ironically, in its own security library.
Details about the advisories can be found at Intel’s Product Security Center.
Intel’s senior director of communications, Jerry Bryant, said in a blog post on Wednesday that Intel’s mostly digging these security issues up internally – as in, 95 percent – through its own diligence, with big chunks of them coming through its bugs bounty program and the company’s own research.
“Today we released 29 security advisories addressing 73 vulnerabilities,” Bryant wrote. “Forty of those, or 55 percent, were found internally through our own proactive security research. Of the remaining 33 CVEs being addressed, 29, or 40 percent, were reported through our bug-bounty program. Overall, 95 percent of the issues being addressed today are the result of our ongoing investments in security assurance, which is consistent with our 2020 Product Security Report.”
Pats Itself on the Back
The June patch set from Intel brings its vulnerabilities total to 132 for the first six months of 2021, with 70 percent of those having been discovered and mitigated before they were publicly disclosed, Bryant said.
Quiet, nonpublic discovery and mitigation is a nice turnaround for Intel, Bryant said. He noted that 56 of the 132 issues addressed on Tuesday were found in graphics, networking and Bluetooth components. While issues in those products were mostly found internally by Intel security researchers and product engineers – at 75 percent – that wasn’t necessarily the case in its 2019 and 2020 product security reports. In those past few years, a large percentage of issues in these products were found externally and reported through the company’s bug-bounty program.
Bryant credited Intel’s Security Development Lifecycle (SDL) program for this turnaround. “Through the SDL, we take learnings from discovered vulnerabilities and make improvements to things like automated code scanning and training as well as using this information to inform our internal Red-Team events,” he described.
The Bad Bugs
Several of the 29 vulnerabilities are rated as high-severity – including four local privilege escalation vulnerabilities in firmware for Intel’s CPU products; another local privilege escalation vulnerability in Intel Virtualization Technology for Directed I/O (VT-d); a network-exploitable privilege escalation vulnerability in the Intel Security Library; another locally exploitable privilege escalation in the NUC family of computers; yet more in its Driver and Support Assistant (DSA) software and RealSense ID platform; and a denial-of-service (DoS) vulnerability in selected Thunderbolt controllers.
Here are more details on those high-severity bugs:
- CVE-2021-24489 Some Intel Virtualization Technology for Directed I/0 (VT-d) products may allow escalation of privilege. The issue is caused by incomplete cleanup in some Intel VT-d products that could enable authenticated attackers to escalate privileges via local access. Rating: High / CVSS 8.8
The following four bugs are caused by improper initialization, race condition, improper input validation and insufficient control flow management in the CPU BIOS firmware, allowing escalation of privilege via local or physical access:
- CVE-2020-12357 Rating: High / CVSS 7.5
- CVE-2020-8670 Rating: High / CVSS 7.5
CVE-2020-8700 Rating: High / CVSS 7.5
CVE-2020-12359 Rating: High / CVSS 7.5
The Bad Security Library Bug
Intel also patched a high-severity bug in Intel Security Library that affects iterations before version 3.3 and may allow escalation of privilege, denial of service or information disclosure. It’s caused by a key exchange without entity authentication that enables authenticated attackers to escalate privilege via network access. CVE-2021-0133 was issued a CVSS rating of 7.7.
Intel also patched 11 other high-severity security that affect Intel NUCs, Intel Driver and Support Assistant (DSA), Intel RealSense ID, Intel Field Programmable Gate Array (FPGA) Open Programmable Acceleration Engine (OPAE) driver for Linux, and Intel Thunderbolt controllers.
Focus on Privilege Escalation
Immersive Labs’ Kevin Breen, director of cyber threat research, noted that the theme for Intel’s June patch set seems to be privilege escalation. “The higher-rated vulnerabilities in this release seem to focus around resolving privilege escalation vulnerabilities,” he observed to Threatpost via email on Wednesday.
“Interestingly, it’s in the firmware that controls the CPUs, not in the host operating system,” he continued. “We’re used to automatically applying updates for operating systems and software products – and even then we still occasionally see updates that result in the dreaded blue screen of death.”
Applying firmware updates is not as well-managed as software updates, he noted, likely because they’re tougher to test … which means they pack more inherent risk. “As these have a lower level of interaction with your hardware, there’s no easy way to test them before deploying across your network,” Breen said. “This means there is more inherent risk with these kinds of patches and updates.”
While hardware exploitation is “a lot harder for attackers to weaponize,” Breen said, attackers know that firmware isn’t updated as frequently as operating systems. That makes firmware exploits a tempting target for threat groups with the technical savvy to create exploits, he predicted: “Creating these exploits would be high on their list for development.”
The regular “patch fast” advice applies, Breen said: “As always, understand your risk and apply patches in the shortest time possible,” he said. “If you have to delay patching to accommodate more testing, consider adding extra monitoring around the services and hosts that would be vulnerable to shorten response times.”
Dirk Schrader, global vice president of security research at New Net Technologies, agreed that focusing on privilege escalation is the key to Intel’s June 2021 security advisories release. He told Threatpost on Wednesday that these newly patched flaws might not be the most critical vulnerabilities an attacker would want to exploit, but “they are certainly of use in an attack script.”
Via email, Schrader pointed out that “any attack uses a couple of vulnerabilities, and those allowing for privilege escalation are sought after in the later stages of an attack after initial exploits or phishes have opened a door.”
He suggested that restricting user privileges is a central element of any security guideline, be it NIST, CIS, or any sector-specific one. “Having exploits in their arsenal to escape from these restrictions is vital to attackers, and companies are well-advised to follow up on the security advisories released by Intel today,” Schrader advised. “Any company should make it hard for attackers, as hard as possible all along the way into the infrastructure, and not just build up a hard to crack perimeter (btw: there is no such thing as a hard to crack perimeter). Respect the cyber kill chain, follow through on those other controls in the guidelines, patch and control any change to your infrastructure.”
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!