Intel has released 29 security advisories to plug up some serious bugs in the BIOS firmware for Intel processors, as well as in its Bluetooth products, Active Management Technology tools, the NUC Mini PC line, &, ironically, in its own security library.
The higher-rated advisories focus on privilege-escalation bugs in CPU firmware: Tough to patch, hard to exploit, tempting to an attacker.
Intel has unleashed 29 security advisories to plug up some serious bugs in the BIOS firmware for Intel processors, as well as in its Bluetooth products, Active Management Technology tools, the NUC Mini PC line, &, ironically, in its own security library.
Details about the advisories can be found at Intel’s Product Security Centre.
Intel’s senior director of communications, Jerry Bryant, said in a blog post on Wed. that Intel’s mostly digging these security issues up internally – as in, 95% – through its own diligence, with big chunks of them coming through its bugs bounty program & the company’s own research.
“Today we released 29 security advisories addressing 73 vulnerabilities,” Bryant wrote. “40 of those, or 55%, were found internally through our own proactive security research.
Of the remaining 33 CVEs being addressed, 29, or 40%, were reported through our bug-bounty program. Overall, 95% of the issues being addressed today are the result of our ongoing investments in security assurance, which is consistent with our 2020 Product Security Report.”
The June patch set from Intel brings its vulnerabilities total to 132 for the 1st 6 months of 2021, with 70% of those having been discovered & mitigated before they were publicly disclosed, Bryant said.
Quiet, non-public discovery & mitigation is a nice development for Intel, Bryant commented. He noted that 56 of the 132 issues addressed on Tues. were found in graphics, networking & Bluetooth components.
While issues in those products were mostly found internally by Intel security researchers & product engineers – at 75% – that was not necessarily the case in its 2019 & 2020 product security reports. In those past few years, a large percentage of issues in these products were found externally & reported through the company’s bug-bounty program.
Bryant credited Intel’s Security Development Lifecycle (SDL) program for this turnaround. “Through the SDL, we take learnings from discovered vulnerabilities & make improvements to things like automated code scanning & training as well as using this information to inform our internal Red-Team events,” he described.
Several of the 29 vulnerabilities are rated as high-severity –
including 4 local privilege escalation vulnerabilities in firmware for Intel’s CPU products; another local privilege escalation vulnerability in Intel Virtualisation Technology for Directed I/O (VT-d); a network-exploitable privilege escalation vulnerability in the Intel Security Library; another locally exploitable privilege escalation in the NUC family of computers; yet more in its Driver and Support Assistant (DSA) software & RealSense ID platform; & a denial-of-service (DoS) vulnerability in selected Thunderbolt controllers.
Here are more details on those high-severity bugs:
- CVE-2021-24489 Some Intel Virtualisation Technology for Directed I/0 (VT-d) products may allow escalation of privilege. The issue is caused by incomplete clean-up in some Intel VT-d products that could enable authenticated attackers to escalate privileges via local access. Rating: High / CVSS 8.8
The following 4 bugs are caused by improper initialisation, race condition, improper input validation & insufficient control flow management in the CPU BIOS firmware, allowing escalation of privilege via local or physical access:
- CVE-2020-12357 Rating: High / CVSS 7.5
- CVE-2020-8670 Rating: High / CVSS 7.5
CVE-2020-8700 Rating: High / CVSS 7.5
CVE-2020-12359 Rating: High / CVSS 7.5
Intel also patched a high-severity bug in Intel Security Library that affects iterations before version 3.3 & may allow escalation of privilege, denial of service or information disclosure. It is caused by a key exchange without entity authentication that enables authenticated attackers to escalate privilege via network access. CVE-2021-0133 was issued a CVSS rating of 7.7.
Intel also patched 11 other high-severity security that affect Intel NUCs, Intel Driver & Support Assistant (DSA), Intel RealSense ID, Intel Field Programmable Gate Array (FPGA) Open Programmable Acceleration Engine (OPAE) driver for Linux, & Intel Thunderbolt controllers.
Immersive Labs’ Kevin Breen, Director of Cyber Threat Research, noted that the theme for Intel’s June patch set seems to be privilege escalation. “The higher-rated vulnerabilities in this release seem to focus around resolving privilege escalation vulnerabilities,” he observed Wed.
“Interestingly, it’s in the firmware that controls the CPUs, not in the host operating system,” he continued. “We’re used to automatically applying updates for operating systems & software products & even then we still occasionally see updates that result in the dreaded blue screen of death.”
Applying firmware updates is not as well-managed as software updates, he noted, likely because they are tougher to test … which means they pack more inherent risk. “As these have a lower level of interaction with your hardware, there’s no easy way to test them before deploying across your network,” Breen observed. “This means there is more inherent risk with these kinds of patches & updates.”
While hardware exploitation is “a lot harder for attackers to weaponize,” Breen stated, attackers know that firmware is not updated as frequently as operating systems. That makes firmware exploits a tempting target for threat groups with the technical savvy to create exploits, he predicted: “Creating these exploits would be high on their list for development.”
Adding Extra Monitoring
The regular “patch fast” advice applies, Breen suggested “As always, understand your risk & apply patches in the shortest time possible,” he explained. “If you have to delay patching to accommodate more testing, consider adding extra monitoring around the services & hosts that would be vulnerable to shorten response times.”
Dirk Schrader, Global VP of Security Research at New Net Technologies, agreed that focusing on privilege escalation is the key to Intel’s June 2021 security advisories release. He explained on Wed. that these newly patched flaws might not be the most critical vulnerabilities an attacker would want to exploit, but “they are certainly of use in an attack script.”
Schrader pointed out that “any attack uses a couple of vulnerabilities, & those allowing for privilege escalation are sought after in the later stages of an attack after initial exploits or phishes have opened a door.”
He suggested that restricting user privileges is a central element of any security guideline, be it NIST, CIS, or any sector-specific one. “Having exploits in their arsenal to escape from these restrictions is vital to attackers, & companies are well-advised to follow up on the security advisories released by Intel today,” Schrader advised.
“Any company should make it hard for attackers, as hard as possible all along the way into the infrastructure, & not just build up a hard to crack perimeter (btw: there is no such thing as a hard to crack perimeter). Respect the cyber kill chain, follow through on those other controls in the guidelines, patch & control any change to your infrastructure.”