Intel Fixes High-Severity Vulnerabilities
Flaws in Processors Could Enable Privilege Escalation Attacks
Chip manufacturer Intel has released 22 security advisories, including seven with a high severity rating that let a privileged user enable local access to targeted devices.
The advisories released this week address flaws that can be exploited for escalation of privilege, denial of service and information disclosure, among others.
Intel did not respond to Information Security Media Group's request for technical details and the impact of the vulnerabilities on companies that use the affected products.
Vulnerability in BIOS Firmware
"Potential security vulnerabilities in the BIOS firmware for some Intel processors may allow escalation of privilege, denial of service or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities," the advisory states.
A BIOS performs hardware initialization during the booting process and provides runtime services for operating systems and programs.
This advisory includes 10 high-severity privilege escalation vulnerabilities. One of the vulnerabilities, tracked as CVE-2021-0103, has a CVSS score of 8.2, which is rated high. It stems from insufficient control flow management in the firmware for some Intel processors, which could allow a privileged user to potentially enable an escalation of privilege via local access.
The second vulnerability, tracked as CVE-2021-0114, has a CVSS score of 7.9, also rated high. It stems from an unchecked return value in the firmware for some Intel processors that allows a privileged user to potentially enable an escalation of privilege via local access.
Another critical vulnerability, tracked as CVE-2021-0115, has a CVSS score of 7.9. It is a buffer overflow in the firmware for some Intel processors. The vulnerability tracked as CVE-2021-0116 is an out-of-bounds write in the firmware that affects some Intel processors. This vulnerability also has a CVSS score of 7.9.
Both CVE-2021-0115 and CVE-2021-0116 allow a privileged user to potentially enable an escalation of privilege via local access.
A vulnerability tracked as CVE-2021-0099, with a CVSS score of 7.8 and rated high, involves insufficient control flow management in the firmware for some Intel processors. The vulnerability tracked as CVE-2021-0156 involves improper input validation in the firmware affecting some Intel processors. It has a CVSS score of 7.5 and is rated high.
Intel recommends that users immediately update to the latest versions provided by the system manufacturer that address these issues.
Another high-severity issue addressed by the chip maker is a serious security flaw found in the Kernelflinger open-source project, tracked as CVE-2021-33137, with a CVSS score of 7.8 and rated high.
"Intel has issued a Product Discontinuation notice for the Kernelflinger open source project and recommends that users of Kernelflinger uninstall it or discontinue use at their earliest convenience," the Intel advisory says.
"A potential security vulnerability in the Kernelflinger open source project maintained by Intel may allow escalation of privilege. Intel is releasing source code updates to mitigate this potential vulnerability and has issued a Product Discontinuation Notice for Kernelflinger," it says.
Intel has also issued key fixes for Server Platform Services, Active Management Technology and Power Management Controller, and has published advisories for Intel Quartus Prime components, PROSet/Wireless WiFi and Killer WiFi products, and the AMT SDK, Setup and Configuration Software and Management Engine BIOS extensions.
In November 2021, Intel issued a similar security advisory for two high-severity vulnerabilities in the BIOS - basic input/output system - reference code in Intel processors that may allow privilege escalation attacks (see: Intel Fixes 2 High-Severity Vulnerabilities).
The vulnerabilities, tracked as CVE-2021-0157 and CVE-2021-0158, each had a high CVSS score of 8.2. CVE-2021-0157 concerns insufficient control flow management in the BIOS firmware for some Intel processors, and CVE-2021-0158 entails improper input validation in the same firmware.