Stories
Slash Boxes
Comments

SoylentNews is people

Intel Warns of Critical Info-Disclosure Bug in Security Engine

posted by martyb on Wednesday November 13 2019, @12:55AM   Printer-friendly
from the we-should-all-be-using-riscv dept.

upstart writes in with a submission, via IRC, for carny.

Intel Warns of Critical Info-Disclosure Bug in Security Engine

A critical security bug in the Intel Converged Security and Manageability Engine (CSME) could allow escalation of privilege, denial of service or information disclosure.

The details are included in a bug advisory that in total covers 77 vulnerabilities, 67 of which were found by internal Intel staff. The silicon giant has rolled out firmware updates and software patches to address these, which range in severity from the one critical flaw to a low-severity local privilege-escalation issue.

The affected products are: Intel CSME, Intel Server Platform Services (SPS), Intel Trusted Execution Engine (TXE), Intel Active Management Technology (AMT), Intel Platform Trust Technology (PTT) and Intel Dynamic Application Loader (DAL).

[...]The critical flaw is a heap overflow bug with a score of 9.6 out of 10 on the CVSS v.3 severity scale (CVE-2019-0169). It exists in the subsystem in the Intel CSME, which is a standalone chip on Intel CPUs that is used for remote management. The vulnerability and[sic] could allow an unauthenticated user to enable escalation of privileges, information disclosure or denial of service via adjacent access.

“Adjacent access” means that an attack must be launched from the same shared physical network or local IP subnet, or from within the same secure VPN or administrative network zone.

Read the rest of the article for details on the additional vulnerabilities that were addressed.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Intel Warns of Critical Info-Disclosure Bug in Security Engine | Log In/Create an Account | Top | 27 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Interesting) by DannyB on Wednesday November 13 2019, @05:50PM (1 child)

    by DannyB (5839) Subscriber Badge on Wednesday November 13 2019, @05:50PM (#919938) Journal

    Intel wanted to eliminate anonymity a couple decades ago, by having every CPU they produce uniquely identify itself

    Maybe they did it already.

    Shirley, Intel would not have any undocumented instructions that return the unique serial number of this CPU.

    And Shirley would not have secret API call in Windows which can be called by a Browser or other applications.

    And surely no browser would have a hidden property to access this information so that web sites could know the specific device you are browsing from -- even across browsers, different users, different OS installs, different OSes, etc.

    --
    To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 0) by Anonymous Coward on Friday November 15 2019, @11:07AM

    by Anonymous Coward on Friday November 15 2019, @11:07AM (#920653)

    Maybe? That's a required component of the DRM decryption engine in modern graphics cards!