Intel released its August patch set, which fixes, among other things, a vulnerability in several NUC Kit models that could be used to elevate privileges, cause a denial of service, or disclose information.
Worse, the problem affected not only the NUC Kit but also the Compute Card and Compute Stick, which all use the same BIOS. The vulnerability therefore affects the following models:
- Intel NUC Kit NUC7i7DNx;
- Intel NUC Kit NUC7i5DNx;
- Intel NUC Kit NUC7i3DNx;
- Intel Compute Stick STK2MV64CC;
- Intel Compute Card CD1IV128MK.
The vulnerability was assigned the identifier CVE-2019-11140 and is rated 7.5 out of 10 on the CVSS scale. Fortunately, exploitation is possible only if the attacker has local privileged access to the system.
Another major issue was fixed in Processor Identification for Windows (a free tool that allows users to get detailed information about their Intel processor).
The bug received the identifier CVE-2019-11163 and a severity score of 8.2 out of 10. This vulnerability allowed privilege escalation, a DoS attack, or information disclosure.
“The bug has a severity score of 8.2. Despite being slightly more severe, local access is necessary for exploitation. This weakness comes from insufficient access control in a hardware abstraction driver and it exists in software versions before 6.1.0731,” the company notes.
A similar vulnerability was found in the Computing Improvement Program (CVE-2019-11162), but local access and authentication were also required to take advantage of it.
In addition, this month Intel developers eliminated a number of less dangerous problems in their products:
- all versions of RAID Web Console 2 were affected by CVE-2019-0173. The manufacturer now recommends uninstalling this version and upgrading to RAID Web Console 3 version 7.009.011.000 or later;
- in Intel Authenticate, a medium-severity vulnerability (CVE-2019-11143) was found that could lead to privilege escalation;
- in Intel Driver & Support Assistant, a medium-severity vulnerability (CVE-2019-11145) was fixed, which could also be used to elevate privileges (but required local access);
- in Intel Remote Displays SDK, a medium-severity vulnerability (CVE-2019-11148) was fixed, which could also be used to elevate privileges.