Intel issued 29 security alerts to correct several severe BIOS firmware flaws in Intel processors, as well as in its Bluetooth products, the NUC Mini PC line, and its own security library. Jerry Bryant, Intel’s senior director of communications, says the company is investigating these issues internally through its own security teams, and that the reports were received through its vulnerability rewards program.
The patch package released by Intel contains a total of 132 updates to address vulnerabilities found during the first six months of 2021, which is equivalent to 70% of the total flaws detected in this period.
Many of the 29 newly detected flaws are considered critical and include local privilege escalation errors, denial of service (DoS) flaws, and other security risks.
The update also includes fixes for a high-severity bug in the Intel Security Library that affects versions prior to v3.3 and may allow privilege escalation, DoS conditions, or leaks of sensitive information. This flaw exists because of an unauthenticated key exchange, which would allow threat actors to gain access to the compromised network.
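The page does not describe the Intel Security Library's protocol, so the following is an added, generic illustration (not Intel's code) of why an unauthenticated key exchange is a problem and what the fix looks like: a finite-field Diffie-Hellman exchange (RFC 3526 group 14, Python standard library only) run once across an honest network path and once across a constructed path that substitutes its own public value. Without authentication both endpoints accept a key that the path also holds; with a transcript MAC under a pre-shared key (one of several authentication options; signatures or certificates are the usual choice in practice) the endpoints detect the substitution and abort. The class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Finite-field Diffie-Hellman parameters: the 2048-bit MODP group of RFC 3526 (group 14).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
PUB_LEN = (P.bit_length() + 7) // 8  # 256 bytes per public value


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    """Hash the shared secret peer_pub^priv mod p into a 32-byte session key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(PUB_LEN, "big")).digest()


def transcript_tag(psk, pub_initiator, pub_responder):
    """MAC over the public values as one party saw them, keyed with a pre-shared key."""
    msg = pub_initiator.to_bytes(PUB_LEN, "big") + pub_responder.to_bytes(PUB_LEN, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


class HonestPath:
    """Network path that delivers public values unchanged."""
    def forward(self, pub):
        return pub


class SubstitutingPath:
    """Constructed model of an active network position: it replaces each
    forwarded public value with its own, so it can derive the key on both legs."""
    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.derived = []

    def forward(self, pub):
        self.derived.append(derive_key(self.priv, pub))
        return self.pub


def run_exchange(path, psk=None):
    """Run one DH exchange across `path`. With psk=None the exchange is
    unauthenticated; with a psk, each side MACs its own view of the transcript
    and the peer verifies that MAC before trusting the derived key."""
    a_priv, a_pub = dh_keypair()          # initiator
    b_priv, b_pub = dh_keypair()          # responder
    a_pub_at_b = path.forward(a_pub)      # value the responder actually receives
    b_pub_at_a = path.forward(b_pub)      # value the initiator actually receives
    a_key = derive_key(a_priv, b_pub_at_a)
    b_key = derive_key(b_priv, a_pub_at_b)
    result = {
        "keys_match": hmac.compare_digest(a_key, b_key),
        "path_has_key": a_key in getattr(path, "derived", []),
        "accepted": True,                 # unauthenticated: nothing to check
    }
    if psk is not None:
        # The MACs cross the path unchanged: without the psk it cannot re-sign
        # a transcript containing its substituted values.
        tag_from_a = transcript_tag(psk, a_pub, b_pub_at_a)
        tag_from_b = transcript_tag(psk, a_pub_at_b, b_pub)
        b_ok = hmac.compare_digest(tag_from_a, transcript_tag(psk, a_pub_at_b, b_pub))
        a_ok = hmac.compare_digest(tag_from_b, transcript_tag(psk, a_pub, b_pub_at_a))
        result["accepted"] = a_ok and b_ok  # abort unless both sides verify
    return result


if __name__ == "__main__":
    psk = secrets.token_bytes(32)  # constructed pre-shared key for the demo
    print("unauthenticated, honest path:  ", run_exchange(HonestPath()))
    print("unauthenticated, substituted:  ", run_exchange(SubstitutingPath()))
    print("authenticated, substituted:    ", run_exchange(SubstitutingPath(), psk))
```

The check a practitioner wants is the `accepted` field: an exchange that only confirms both sides "got a key" can still have been completed against a third party, which is exactly the class of flaw a key exchange with no authentication of the peer leaves open.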
Finally, Intel also fixed 11 other severe security bugs that affect all kinds of solutions, including Intel NUC, Intel Driver and Support Assistant, Intel RealSense ID, Intel Field Programmable Gate Array (FPGA), and the Open Programmable Acceleration Engine (OPAE) driver for Linux.
On the other hand, researcher Kevin Breen mentions that the main problem for administrators of these affected products is privilege escalation attacks: “These issues reside in the firmware that controls the CPUs, not in the host operating system. This is curious as we are used to automatically applying updates for operating systems and software products, which is sometimes the wrong approach.”
The expert believes that the application of firmware updates is not handled as well as software updates, as these are more difficult to test: “There is an inherent risk in applying firmware updates, so the problem cannot be considered completely mitigated.”