Intel has released 29 security advisories addressing 132 issues across its product line, from the BIOS firmware of Intel processors to Bluetooth products, Active Management Technology (AMT) tools, the NUC Mini PC line, and Intel's own security library.
According to Jerry Bryant, Intel's senior director of communications, most of the vulnerabilities were discovered internally through the company's own research, with the remainder reported through Intel's bug bounty program. That is a reversal from previous years, when most disclosures came from external researchers via the bug bounty program. Intel credits this year's shift to its Security Development Lifecycle (SDL) program.
56 of the 132 vulnerabilities patched during this month’s Patch Tuesday were discovered in graphics, networking and Bluetooth components. “Through the SDL, we take learnings from discovered vulnerabilities and make improvements to things like automated code scanning and training as well as using this information to inform our internal Red-Team events,” Bryant said in a blog post.
Intel Fixed 29 Severe Vulnerabilities in June 2021 Patch Tuesday
The company addressed 29 vulnerabilities rated high-severity, most of them privilege escalation flaws. The list includes four local privilege escalation bugs in the firmware of Intel CPU products, a local privilege escalation in Intel Virtualization Technology for Directed I/O (VT-d), a privilege escalation issue in the Intel Security Library that can be exploited over the network, and a privilege escalation issue in NUC firmware. Other high-severity privilege escalation bugs were found in Intel's Driver and Support Assistant (DSA) software and the RealSense ID platform, alongside a denial-of-service flaw in certain Thunderbolt controllers.
More information about some of the severe bugs:
CVE-2020-24489: A potential security vulnerability in some Intel® Virtualization Technology for Directed I/O (VT-d) products may allow escalation of privilege. Intel is releasing firmware updates to mitigate this potential vulnerability.
CVE-2021-24489: A potential security vulnerability in some Intel® Virtualization Technology for Directed I/O (VT-d) products may allow escalation of privilege. Intel is releasing firmware updates to mitigate this potential vulnerability.
CVE-2020-12357: Potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow escalation of privilege or denial of service. Intel is releasing firmware updates to mitigate these potential vulnerabilities.
As for the high-severity issue in the Intel Security Library, it is described as "key exchange without entity authentication in the Intel(R) Security Library before version 3.3 may allow an authenticated user to potentially enable escalation of privilege via network access." The flaw is tracked as CVE-2021-0133 and carries a CVSS score of 7.7. Key exchange without entity authentication means neither side proves who it is while agreeing on a session key, so an attacker positioned on the network can run a separate exchange with each side and read or alter everything that follows.
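To make the weakness class behind CVE-2021-0133 concrete, here is an added example written for this article; it is not Intel's code and says nothing about how the Intel Security Library actually implements its exchange. It runs a toy Diffie-Hellman key agreement twice: once with no entity authentication, where an active network attacker swaps in its own public value and ends up sharing a key with each side, and once where each party binds its identity to its public value with an HMAC under a pre-shared key (one of several ways to add entity authentication; a signature would do the same job). The group parameters, the party names "alice" and "bob", and the PSK are all assumptions chosen so the script runs offline in an instant; the group is far too small to be secure.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters. Assumption for illustration only: p = 2^255 - 19
# is prime and 2 is used as the generator. This group is NOT secure; a real
# deployment uses a standardised group or an elliptic curve.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    priv = secrets.randbelow(P - 3) + 2          # exponent in [2, P-2]
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    """Derive a 32-byte session key from our exponent and the peer's public value."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def auth_tag(psk, identity, pub):
    """HMAC that binds a named entity to the public value it sends (the
    entity-authentication step that an unauthenticated exchange lacks)."""
    msg = identity.encode() + b"|" + pub.to_bytes(32, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_unauthenticated(attacker_active):
    """Plain DH with no identity binding. With an active attacker on the path,
    each honest side unknowingly agrees a key with the attacker instead."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if attacker_active:
        m_priv, m_pub = dh_keypair()
        a_receives, b_receives = m_pub, m_pub   # attacker substitutes its own value both ways
    else:
        a_receives, b_receives = b_pub, a_pub   # values arrive untouched
    a_key = dh_session_key(a_priv, a_receives)
    b_key = dh_session_key(b_priv, b_receives)
    result = {"alice_bob_agree": a_key == b_key,
              "attacker_knows_alice_key": False,
              "attacker_knows_bob_key": False}
    if attacker_active:
        # The attacker saw a_pub and b_pub on the wire and holds m_priv.
        result["attacker_knows_alice_key"] = dh_session_key(m_priv, a_pub) == a_key
        result["attacker_knows_bob_key"] = dh_session_key(m_priv, b_pub) == b_key
    return result


def run_authenticated(psk, attacker_active):
    """Same exchange, but each message carries an HMAC over (identity, public
    value) under a pre-shared key. A receiver derives a key only after the tag
    verifies, so a substituted public value is rejected."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg = ("alice", a_pub, auth_tag(psk, "alice", a_pub))
    b_msg = ("bob", b_pub, auth_tag(psk, "bob", b_pub))
    if attacker_active:
        _, m_pub = dh_keypair()
        # Without the PSK the attacker cannot compute a fresh tag, so the best
        # it can do is replay the tag it observed alongside its own public value.
        seen_by_bob = ("alice", m_pub, a_msg[2])
        seen_by_alice = ("bob", m_pub, b_msg[2])
    else:
        seen_by_bob, seen_by_alice = a_msg, b_msg

    def accept(expected_identity, msg):
        identity, pub, tag = msg
        if identity != expected_identity:
            return None
        if not hmac.compare_digest(tag, auth_tag(psk, identity, pub)):
            return None                           # tag does not match this pub: abort
        return pub

    b_peer = accept("alice", seen_by_bob)
    a_peer = accept("bob", seen_by_alice)
    if a_peer is None or b_peer is None:
        return {"completed": False, "alice_bob_agree": False}
    a_key = dh_session_key(a_priv, a_peer)
    b_key = dh_session_key(b_priv, b_peer)
    return {"completed": True, "alice_bob_agree": a_key == b_key}


if __name__ == "__main__":
    psk = secrets.token_bytes(32)                 # assumed pre-shared between alice and bob
    print("unauthenticated, passive :", run_unauthenticated(attacker_active=False))
    print("unauthenticated, active  :", run_unauthenticated(attacker_active=True))
    print("authenticated, passive   :", run_authenticated(psk, attacker_active=False))
    print("authenticated, active    :", run_authenticated(psk, attacker_active=True))
```

In the unauthenticated run with an active attacker, alice and bob end up with different keys while the attacker holds both, which is exactly the position from which traffic can be decrypted, modified and re-encrypted. In the authenticated run the same substitution fails the tag check and the exchange aborts before any key is derived; the fix for this class of bug is always to make key derivation conditional on a verified proof of the peer's identity, never to derive first and check later.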
Did you know?
Earlier this year, Intel and Cybereason combined their efforts to add anti-ransomware defenses to the 11th generation of Intel Core vPro business-class processors. The enhancement is hardware-based and is embedded into Intel’s vPro platform through its Hardware Shield and Threat Detection Technology.