Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules:
A critical privilege-escalation flaw affects several popular Intel motherboards, server systems and compute modules.
Intel is warning of a rare critical-severity vulnerability affecting several of its motherboards, server systems and compute modules. The flaw could allow an unauthenticated, remote attacker to achieve escalated privileges.
The recently patched flaw (CVE-2020-8708) ranks 9.6 out of 10 on the CVSS scale, making it critical. Dmytro Oleksiuk, who discovered the flaw, told Threatpost that it exists in the firmware of Emulex Pilot 3. This baseboard-management controller is a service processor that monitors the physical state of a computer, network server or other hardware devices via specialized sensors.
[...] The critical flaw stems from improper-authentication mechanisms in these Intel products before version 1.59.
In bypassing authentication, an attacker would be able to access to the KVM console of the server. The KVM console can access the system consoles of network devices to monitor and control their functionality. The KVM console is like a remote desktop implemented in the baseboard management controller – it provides an access point to the display, keyboard and mouse of the remote server, Oleksiuk told Threatpost.
The flaw is dangerous as it's remotely exploitable, and attackers don't need to be authenticated to exploit it – though they need to be located in the same network segment as the vulnerable server, Oleksiuk told Threatpost.
"The exploit is quite simple and very reliable because it's a design flaw," Oleksiuk told Threatpost.
(Score: 1) by fustakrakich on Thursday August 13 2020, @05:17PM
Aren't they all?
La politica e i criminali sono la stessa cosa..
(Score: 0) by Anonymous Coward on Thursday August 13 2020, @05:48PM (1 child)
How many vulnerabilities rely on Intel management engines? It's almost like Intel CPU's are somewhat secure, so "management" engines had to be added on, to introduce these vulnerabilities. And, firmware is always a proprietary blob, so no one can actually look at it.
(Score: 3, Insightful) by DannyB on Thursday August 13 2020, @07:55PM
I remember a time, long, long ago, in a galaxy far, far away. In a different millennium, now swept away in the sands of time. A time when a microprocessor did just one thing, and did it well: execute instructions. My those were the daze.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 2) by takyon on Thursday August 13 2020, @06:23PM
That product they discontinued?
https://threatpost.com/intel-high-severity-flaws-nuc-modular-server-compute-module/154800/ [threatpost.com]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Thursday August 13 2020, @06:42PM (3 children)
I'm really starting to think this is all planned. "Lets insert this non-fixable critical security bug here. It will take a couple of years to be found then everyone will have to upgrade so they can be safe. We win with more sales to replace hardware that is performing perfectly fine, and dont get blamed for having to go down the 'planned obsolesce' route to keep our sales up."
(Score: 2) by DannyB on Thursday August 13 2020, @07:56PM
Your explanation sounds good except for the sentence I just quoted.
Replace with:
It will take a couple years before we intentionally leak it.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 2) by zoward on Thursday August 13 2020, @08:53PM (1 child)
That's assuming we don't replace all that Intel kit with AMD.
(Score: 0) by Anonymous Coward on Thursday August 13 2020, @09:04PM
And then switch back to Intel when a similar flaw is found in the AMD PSP?
(Score: 2) by Bot on Thursday August 13 2020, @06:48PM
If I get the situation straight, next time Intel will push for planned obsolescence by having motherboards mail to random users.
"hello stranger, I am vulnerable, ping my IPv6 at port 40535 for details, quick, I feel lonely"
Of course the campaign will fail because that's what Intel does, lately.
Account abandoned.
(Score: 0) by Anonymous Coward on Saturday August 15 2020, @03:45AM (2 children)
Title:
Link text:
1st sentence:
2nd sentence:
(Score: 2) by driverless on Saturday August 15 2020, @04:05AM (1 child)
So you're saying it affects motherboards, server systems and compute modules? Or have I misread something somewhere?
(Score: 0) by Anonymous Coward on Saturday August 15 2020, @05:09AM
Citation needed.