Intel fixes a high severity vulnerability in CSME


Intel patched a high severity bug in the CSME subsystem which allows an attacker to carry out privilege escalation, information disclosure, and denial of service. Intel Converged Security and Management Engine (CSME) is a chipset subsystem that powers Intel’s Active Management technologies. CSME is used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations.

This bug was discovered internally by Intel’s security team and is tracked as CVE-2019-14598. CVE-2019-14598(INTEL-SA-00307) does not require any user interaction for exploitation and affects the Confidentiality, Integrity, and Availability of a system. But, the attacker needs to be a high privileged user with local access to the system.

Intel has also released medium and low severity advisories for five other vulnerabilities. These vulnerabilities allow an authenticated user to escalate privileges via local access.

  • INTEL-SA-00273 : A vulnerability(CVE-2020-0560) in Intel® Renesas Electronics® USB 3.0 Driver exists due to an improper permissions issue in the installer. Intel has not released any updates to mitigate this vulnerability and has issued a Product Discontinuation notice for this product. Intel recommends that the usage of this driver be discontinued or uninstalled at the earliest.
  • INTEL-SA-00336 : A vulnerability(CVE-2020-0561) in Intel® Software Guard Extensions (SGX) SDK exists due to an improper initialization issue.
  • INTEL-SA-00339 : A vulnerability CVE-2020-0562() in Intel® RAID Web Console 2 (RWC2) exists due to an improper permissions issue.
  • INTEL-SA-00340 : A vulnerability(CVE-2020-0563) in Intel® Manycore Platform Software Stack (MPSS) exists due to an improper permissions issue.
  • INTEL-SA-00341 : A vulnerability(CVE-2020-0564) in Intel® RAID Web Console 3 (RWC3) exists due to an improper permissions in the installer.

Impact

These vulnerabilities could allow an attacker to escalate privileges, disclose sensitive information, or cause denial of service attacks.


Affected Products

  • Intel® CSME versions before 12.0.49 (IOT only: 12.0.56), 13.0.21, 14.0.11
  • All versions of Intel® Renesas Electronics® USB 3.0 Driver
  • Intel® SGX SDK before v2.6.100.1 for Windows, and Intel® SGX SDK before v2.8.100.1 for Linux
  • All versions of Intel® RWC2
  • Intel® MPSS before version 3.8.6.
  • Intel® RWC3 before version 7.010.009.000.

Solution

We recommend installing the Intel security updates as soon as possible to stay protected.


 

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments