Intel discloses 16 BIOS firmware vulnerabilities

Image:

Intel discloses 16 BIOS firmware vulnerabilities

Most serious could allow a privileged user to enable an escalation of privilege via local access

Intel has disclosed details of 16 new BIOS vulnerabilities impacting its processors which could enable malicious cyber actors to bypass cyber security measures in the operating system to steal sensitive data.

In a security bulletin published on Tuesday, the company said that these security weaknesses impact its Core processors from 6th to 11th generations, as well as Xeon processors from the W, E, and D series.

Ten of the security bugs disclosed by Intel have been rated as 'high' in severity, three are 'medium' severity, while one is ranked as 'low' in severity.

The bugs arise due to software weaknesses in Intel BIOS firmware, such as buffer overflow, poor control flow management, pointer issues and improper validation.

All of them enable attackers to escalate privileges when needed. Some bugs that include incorrect default permissions and improper access control could also enable cyber actors to launch denial of service attacks against the local machine.

The 16 flaws are tracked as: CVE-2021-0091, CVE-2021-0092, CVE-2021-0093, CVE-2021-0099, CVE-2021-0103, CVE-2021-0107, CVE-2021-0111, CVE-2021-0114, CVE-2021-0115, CVE-2021-0116, CVE-2021-0117, CVE-2021-0118, CVE-2021-0119, CVE-2021-0124, CVE-2021-0125 and CVE-2021-0156.

The most serious of them is CVE-2021-0103, which received a CVSS based score of 8.2 out of 10. According to Intel, this weakness arises due to insufficient control flow management in the firmware, which could allow a privileged user to potentially enable an escalation of privilege via local access.

Fortunately, all 16 bugs require physical access to the system in order to be exploited, meaning that they can't be abused remotely.

While that may be good news for companies that keep their endpoints in safe locations, it does not make these flaws harmless.

Business where team members use business laptops or mobile workstations may find themselves in trouble because of these bugs.

According to Intel, the products affected by these bugs include:

11th Generation Intel Core Processor Family
10th Generation Intel Core Processor Family
9th Generation Intel Core Processor Family
8th Generation Intel Core Processor Family
7th Generation Intel Core Processor Family
6th Generation Intel Core processor Family
2nd Generation Intel Xeon Scalable Processor Family
Intel Xeon Scalable Processor Family
Intel Xeon Processor W Family
Intel Xeon Processor E Family
Intel Xeon Processor D Family
Intel Core X-series Processor Family
Intel Atom Processor C3XXX Family

Intel credited Hugo Magalhaes from Oracle for the discovering eight vulnerabilities and reporting them to the company.

It said it is releasing firmware updates to mitigate these vulnerabilities. The company has also advised users to update to the latest versions provided by the system manufacturer to address the issues.

It is worth noting here that all these 16 bugs are new and unrelated to the recently-announced vulnerabilities found in the InsydeH2O UEFI firmware, impacting millions of devices from HP, Lenovo, Dell and other vendors.

Researchers said malicious actors could use these flaws to elevate privileges and execute arbitrary code or install persistent malware that cannot be easily erased.

They could also exploit these vulnerabilities to bypass hardware security features like SecureBoot and Intel BootGuard, and create backdoor communication channels to exfiltrate data.