Intel patched a high severity bug in the CSME subsystem which allows an attacker to carry out privilege escalation, information disclosure, and denial of service. Intel Converged Security and Management Engine (CSME) is a chipset subsystem that powers Intel’s Active Management technologies. CSME is used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations.
This bug was discovered internally by Intel’s security team and is tracked as CVE-2019-14598. CVE-2019-14598(INTEL-SA-00307) does not require any user interaction for exploitation and affects the Confidentiality, Integrity, and Availability of a system. But, the attacker needs to be a high privileged user with local access to the system.
Intel has also released medium and low severity advisories for five other vulnerabilities. These vulnerabilities allow an authenticated user to escalate privileges via local access.
- INTEL-SA-00273 : A vulnerability(CVE-2020-0560) in Intel® Renesas Electronics® USB 3.0 Driver exists due to an improper permissions issue in the installer. Intel has not released any updates to mitigate this vulnerability and has issued a Product Discontinuation notice for this product. Intel recommends that the usage of this driver be discontinued or uninstalled at the earliest.
- INTEL-SA-00336 : A vulnerability(CVE-2020-0561) in Intel® Software Guard Extensions (SGX) SDK exists due to an improper initialization issue.
- INTEL-SA-00339 : A vulnerability CVE-2020-0562() in Intel® RAID Web Console 2 (RWC2) exists due to an improper permissions issue.
- INTEL-SA-00340 : A vulnerability(CVE-2020-0563) in Intel® Manycore Platform Software Stack (MPSS) exists due to an improper permissions issue.
- INTEL-SA-00341 : A vulnerability(CVE-2020-0564) in Intel® RAID Web Console 3 (RWC3) exists due to an improper permissions in the installer.
These vulnerabilities could allow an attacker to escalate privileges, disclose sensitive information, or cause denial of service attacks.
- Intel® CSME versions before 12.0.49 (IOT only: 12.0.56), 13.0.21, 14.0.11
- All versions of Intel® Renesas Electronics® USB 3.0 Driver
- Intel® SGX SDK before v126.96.36.199 for Windows, and Intel® SGX SDK before v188.8.131.52 for Linux
- All versions of Intel® RWC2
- Intel® MPSS before version 3.8.6.
- Intel® RWC3 before version 7.010.009.000.
We recommend installing the Intel security updates as soon as possible to stay protected.