Intel Warns of Critical Info-Disclosure Bug in Security Engine
A critical security bug in the Intel Converged Security and Manageability Engine (CSME) could allow escalation of privilege, denial of service or information disclosure.
The details are included in a bug advisory that in total covers 77 vulnerabilities, 67 of which were found by internal Intel staff. The silicon giant has rolled out firmware updates and software patches to address these, which range in severity from the one critical flaw to a low-severity local privilege-escalation issue.
The affected products are: Intel CSME, Intel Server Platform Services (SPS), Intel Trusted Execution Engine (TXE), Intel Active Management Technology (AMT), Intel Platform Trust Technology (PTT) and Intel Dynamic Application Loader (DAL).
[...]The critical flaw is a heap overflow bug with a score of 9.6 out of 10 on the CVSS v.3 severity scale (CVE-2019-0169). It exists in the subsystem in the Intel CSME, which is a standalone chip on Intel CPUs that is used for remote management. The vulnerability and[sic] could allow an unauthenticated user to enable escalation of privileges, information disclosure or denial of service via adjacent access.
“Adjacent access” means that an attack must be launched from the same shared physical network or local IP subnet, or from within the same secure VPN or administrative network zone.
Read the rest of the article for details on the additional vulnerabilities that were addressed.
(Score: 0) by Anonymous Coward on Friday November 15 2019, @11:07AM
Maybe? That's a required component of the DRM decryption engine in modern graphics cards!