Intel has been extensively hunting for security vulnerabilities within mainstream hardware components. This month's results are rather concerning, as the chipmaker claims to have discovered more than 70 bugs, flaws and security loopholes within several products and standards. Incidentally, the majority of the bugs were discovered by Intel during “Internal Testing”, while a few were found by third-party partners and agencies.
Intel Security Advisory, a monthly bulletin, is a highly regarded repository that chronicles security updates, bug bounty topics, new security research, and engagement activities within the security research community. This month’s Security Advisory is important simply owing to the large number of security vulnerabilities that Intel claims to have uncovered within regularly used computing and networking products. Needless to add, the bulk of the advisories this month are for issues found internally by Intel. They are a part of the Intel Platform Update (IPU) process. Intel reportedly works with about 300 organizations to prepare and coordinate the release of these updates.
Intel Discloses 77 Security Vulnerabilities But None Have Been Exploited In The Wild Yet:
This month, Intel has reportedly disclosed a total of 77 vulnerabilities that range from processors to graphics and even ethernet controllers. Barring 10 bugs, the rest of the flaws were discovered by Intel during its own internal testing. While most of the security flaws are rather minor, with a limited scope of applicability and impact, a few could have a notable impact on Intel’s products. There have been some concerning discoveries this year about security vulnerabilities within Intel’s products which could not only impact security but also affect the performance and reliability.
Intel has assured that it is in the process of patching or fixing all the 77 security flaws. However, one of the flaws, officially tagged as CVE-2019-0169, has a severity rating of CVSS 9.6. Needless to mention, ratings above 9 are considered ‘Critical’, which is the highest severity. Currently, the dedicated webpage for the bug doesn’t offer any details, which indicates Intel is withholding information to ensure the security vulnerability cannot be adopted and exploited.
CVE-2019-0169 appears to be located in the Intel Management Engine or one of its subcomponents, including Intel CSME, which is a standalone chip on Intel CPUs that is used for remote management. If successfully exploited, the vulnerability could allow an unauthorized person to escalate privileges, scrape information or launch denial of service attacks through adjacent access. The major limitation of the exploit is that it requires physical access to the network.
Another security vulnerability with an ‘Important’ CVSS rating exists in the subsystem of the Intel AMT. Officially tagged as CVE-2019-11132, the bug could allow a privileged user to enable privilege escalation via network access. Some of the other notable security vulnerabilities with the ‘High Severity’ rating that Intel is addressing include CVE-2019-11105, CVE-2019-11131, CVE-2019-11088, CVE-2019-11104, CVE-2019-11103, CVE-2019-11097, and CVE-2019-0131.
‘JCC Erratum’ Bug Impacts Most Intel Processors Released Recently:
A security vulnerability called ‘JCC Erratum’ is rather concerning, primarily because of its widespread impact. This bug appears to exist in most of Intel’s recently released processors, including Coffee Lake, Amber Lake, Cascade Lake, Skylake, Whiskey Lake, Comet Lake and Kaby Lake. Incidentally, unlike some previously discovered flaws, this bug can be addressed with firmware updates. Intel claims applying the updates could slightly degrade the performance of the CPUs by anywhere between 0 and 4%. Phoronix reportedly tested the negative performance impact after applying the JCC Erratum mitigations and concluded that this update will impact more general PC users than Intel’s previous software mitigations.
Microarchitectural processor vulnerabilities like Spectre and Meltdown were bad, but at least Intel fixed them promptly. Now it seems another deep-seated chip flaw lingered in Intel’s silicon for more than a year after the company was warned about it. https://t.co/VMVeMpLJKg
— Andy Greenberg (@a_greenberg) November 12, 2019
Intel has assured that there have been no reported or confirmed real-world attacks based on the discovered security vulnerabilities. Incidentally, Intel has reportedly made it extremely difficult to find out exactly which CPUs are safe or impacted.