Intel has announced a quartet of security vulnerabilities in its products, including selected Next Unit of Computing (NUC) motherboards and what it somewhat vaguely describes as 'some microprocessors', with updates available for some and mitigations for others.
Announced late yesterday by the chip maker, Intel's security advisories span four product groups: The Intel Media Software Development Kit (SDK), which receives an advisory rated high severity; the Intel Graphics Performance Analyser for Linux, which is rated as medium severity; 'some microprocessors', rated as low severity; and selected models of Intel Next Unit of Computing (NUC) motherboards, barebones, and pre-built systems, rated again as high severity.
The least critical of these vulnerabilities, by Intel's reckoning, relates once again to the exploitation of a design flaw in selected processors to obtain access to information which should otherwise be out of a user's reach. Considerably less troublesome than Spectre or Meltdown, the company claims, the vulnerability lies in the virtual memory mapping (VMM) capabilities of selected processors and allows an authenticated user on the local system to 'potentially enable information disclosure'. It's most closely related to the Spoiler vulnerability, and requires that developers tweak their software to resist side-channel and timing attacks - meaning Intel has not, and will not, be releasing patches of its own to resolve the vulnerability.
A larger concern, by Intel's own severity ranking, is a flaw in selected models of Broadwell U i5-based NUC systems prior to firmware version MYBDWi5v.86A in which insufficient input validation allows an authenticated user to boost their privilege level, perform a denial of service attack on the system, or disclose supposedly-protected information. For those systems affected, Intel has released an updated firmware which patches the vulnerability.
On the software side, a medium-severity flaw in the Intel Graphics Performance Analyser for Linux allows for privilege escalation due to insufficient path-checking in the installation process - meaning it can't be exploited post-installation, but only while the software is being installed. An updated version, available from Intel's software site, patches the flaw; other operating systems are not affected. Finally, a high-severity issue in the Intel Media SDK allows for escalation of privilege at any time. Discovered internally by Intel's security team, the vulnerability can be patched by upgrading to Intel Media SDK 2018 R2.1 or later via the official download site.
November 20 2019 | 16:00