You should check for any updates for your Intel-powered hardware, and install them when ready. Though it appears these holes are not exploitable over networks, and require at least some level of local access, we’d hate for an organization or user to find themselves thoroughly compromised by an intruder, rogue user, or malware via these – so, take note.
In addition to patching these high-severity vulnerabilities, Intel also issued an advisory for what it’s called a speculative cross-store bypass, a data-leaking hardware-level security shortcoming it reckons is low in intensity and which affects some of its processors.
This design oversight (CVE-2021-33149) is related to the data-leaking, speculative-execution-based specter and Meltdown families of flaws. Essentially, data in use by software can be unexpectedly leaked to a malicious program running on the same computer. The solution for this is to modify applications and other software so that they cannot be snooped on. Specifically, Intel recommends adding an LFENCE instruction after certain load instructions in vulnerable sections of multi-threaded code.
An Intel spokesperson told The Register it is not aware of any in-the-wild exploitation of the vulnerabilities disclosed this week.
The most severe security issues include local privilege escalation vulnerabilities in Intel’s firmware that impact systems powered by various Xeon, Xeon Scalable, Rocket Lake, Core, and Core X-series processors. Intel has released BIOS updates for all of these.
CVE-2021-0154, which received an 8.2-out-of-10 severity score can be exploited by an already privileged user to further escalate their access rights, and involves improper input validation in the x86 giant’s firmware code. Three other bugs – CVE-2021-0153, CVE-2021-33123 and CVE-2021-0190 – were also ranked as 8.2 high-severity vulns, and could also lead to an escalation of privilege via local access by a privileged user, and are due to out-of-bounds write, improper access control, and uncaught exception in the BIOS firmware, respectively.
Five similar high-severity local privilege escalation (LPE) vulns in the BIOS firmware received CVSS scores between 7.9 and 7.4, and are due to insufficient control flow management (CVE-2021-33122), out-of-range pointer offsets (CVE- 2021-0189), out-of-bounds write flaws (CVE-2021-33124), unintended intermediary (CVE-2021-33103), and improper input validation (CVE-2021-0159).
In addition to the BIOS bugs, three high-severity firmware vulns affect Intel Optane Solid-State Drive (SSD) and Optane SSD Data Center storage products.
CVE-2021-33078, which received a CVSS score of 7.9, is a race-condition bug that Intel noted “may allow a privileged user to potentially enable denial of service via local access.”
The other two ranked 7.3 on the severity meter, in part due to the fact that they need physical access to a system to be exploited. An unauthenticated user could use CVE-2021-33077 to escalate privileges, and CVE-20-33080 could allow an unauthenticated user to disclose sensitive information or escalate privileges.
And finally, Intel issued firmware updates for three LPE security flaws in its NUC computers. All three received 7.5 CVSS scores.
In addition to the high-severity vulnerabilities, Intel reported nine medium-severity flaws in its BIOS and Optane SSD firmware, Extreme Tuning Utility (XTU) software, and Advisor software. ®