Intel has issued 29 security advisories addressing critical bugs in the firmware of the Intel chip BIOS, Bluetooth products, Active Management Technology tools, the NUC mini line PC, and, oddly enough, its own security library, says Threat Post.
The higher rated warnings focus on CPU privilege escalation firmware bugs: both patching and exploiting are difficult, making it attractive to a clever attacker.
Jerry Bryant, Intel’s senior director of communications, said in a blog post Wednesday that the company digs up largely 95% of security issues internally, with some portions coming from its bug bounty program and internal research.
Although the bug bounty program has only accounted for a small portion of this month’s security vulnerabilities, that’s more than normal for 2021 so far. Chipzilla’s internal security team discovered 75% of the 132 potential vulnerabilities addressed, with 70% of those fixed before public disclosure.
Somewhat ironic vulnerability found in Intel Security Library
This month’s patch set contains fixes for a variety of issues, several of which are rated as high severity-including 4 local privilege escalation vulnerabilities in the product’s firmware CPU; another local privilege escalation vulnerability in Intel Virtualization Technology for Directed I/O (VT-d); and a network-exploitable privilege escalation vulnerability in Intel Security Library.
A patch for a medium-severity vulnerability in BlueZ, a Bluetooth software stack that allows man-in-the-middle attacks on supposedly secure Bluetooth and Bluetooth Low Energy (BLE) connections, is also included in Intel’s advisory. Another medium severity vulnerability affecting Intel CPUs allows a locally exploitable information leak via an observable floating point response difference.
System administrators should patch a set of high-threat vulnerabilities in the system’s Baseboard Management Controller (BMC) that allow privilege escalation and denial-of-service attacks in Intel Server Board M10JNP2SB systems released in late 2019.
Cybersecurity expert Jake Moore at ESET UK opined on Intel’s announcement that “Bug bounty programmes are rising in popularity as they offer both organisation and bounty hunter a benefit to finding a vulnerability”.
“Suggesting 40 per cent were found through its own programme, however, suggests that it’s both productive as well as nodding to the possibility of having more severe vulnerabilities than they would ideally like. It is vital for any users with affected products to update to the latest firmware as soon as possible”.