Intel Fixes High-Severity Flaws in NUC, Discontinues Buggy Compute Module:
Intel has stomped out high-severity flaws in its Next Unit Computing (NUC) mini PC firmware, and in its Modular Server MFS2600KISPP Compute Module.
Overall, Intel addressed nine vulnerabilities across six products in its April security update – two of those being high-severity, and the rest being medium-severity. If exploited, the flaws could allow attackers to escalate privileges or launch denial-of-service (DoS) attacks.
One of the high-severity flaws stems from a compute module (MFS2600KISPP) used in Intel's modular server system, which is a blade system for Intel motherboards and processors first introduced in 2008. The vulnerability stems from an improper conditions check, which could allow an unauthenticated user to potentially enable escalation of privilege (via adjacent access). The flaw (CVE-2020-0578) ranks 7.1 out of 10 on the CVSS severity scale.
In addition to this flaw, two medium-severity flaws were also discovered in the same compute module: a buffer overflow (CVE-2020-0576) vulnerability that could allow an unauthenticated attacker to launch a DoS attack (via adjacent access); and an insufficient control flow glitch (CVE-2020-0577) that allows an unauthenticated user to potentially escalate privileges via adjacent access.
All versions of the MFS2600KISPP compute module are affected, but Intel said that it is not releasing security updates to mitigate the bugs – instead, it will discontinue the MFS2600KISPP compute module entirely.
"Intel has issued a product-discontinuation notice for Intel Modular Server MFS2600KISPP Compute Module and recommends that users of the Intel Modular Server MFS2600KISPP Compute Module to discontinue use at their earliest convenience," according to Intel's advisory.
Previously:
High-Severity Flaws Plague Intel Graphics Drivers
Related Stories
High-Severity Flaws Plague Intel Graphics Drivers:
Intel patched six high-severity flaws in its graphics drivers, as well as other vulnerabilities in its NUC firmware, and a load value injection vulnerability that could allow attackers to steal sensitive data.
Intel has issued security patches for six high-severity vulnerabilities in its Windows graphics drivers which, if exploited, could enable escalation of privilege, denial of service (DoS) and information disclosure.
The graphics driver is software that controls how graphic components work with the rest of the computer. Intel develops graphics drivers for Windows OS to communicate with specific Intel graphics devices, for instance. In addition to these six high-severity flaws, Intel stomped out 17 vulnerabilities overall in its graphics drivers on Tuesday. Separately, Intel addressed a load value injection (LVI) vulnerability (CVE-2020-0551), which it ranked as medium severity, that researchers say could allow attackers to steal sensitive data.
The most severe of these is a buffer-overflow vulnerability (CVE-2020-0504) existing in Intel graphic drivers before versions 15.40.44.5107, 15.45.30.5103 and 26.20.100.7158. The flaw scores 8.4 out of 10 on the CVSS scale, making it high-severity. If exploited, this flaw "may allow an authenticated user to potentially enable a denial of service via local access," said Intel.
(Score: 1, Interesting) by Anonymous Coward on Thursday April 16 2020, @08:33AM (1 child)
Like Sony BMG and their rootkit, I no longer purchase or support products from Sony.
Whenever I see Intel systems on sale, I just snicker and whisper, "How pathetic." Usually the price is jacked up high anyway.
I completely abandoned Intel a decade ago, and it looks like I made the right decision, for more reasons than one!
My AMD systems have been, for the most part, rock solid and no matter how old/new they all still function today.
(Score: 2) by hendrikboom on Thursday April 16 2020, @12:41PM
Alas! My Librem 15 has an Intel processor. Likely not the same one, though. But it presumably has its own flaws.
(Score: 2) by driverless on Thursday April 16 2020, @09:28AM (1 child)
Can someone with more knowledge of what this is explain where the vulnerability is? A compute module is a piece of hardware, so a "buffer overflow in a compute module" would imply that a rain of bits falls off the end of the circuitry. Is this a buffer overflow in the BIOS, and if so what role does the BIOS play post-boot? Is it a buffer overflow in a driver used for the compute module? If so, for which OS?
As for the discontinuation of faulty products, this is par for the course for Intel. I still have some of their ingenious self-bricking SSDs which they discontinued rather than support them. Isn't this what class-action lawsuits are for?
(Score: 2) by crafoo on Thursday April 16 2020, @12:58PM
It's in the firmware. So every OS.
(Score: 0) by Anonymous Coward on Thursday April 16 2020, @04:58PM
"recommends that users of [x] to discontinue use at their earliest convenience."
Can we get some clubbermint money to buy a new, less faulty one, please?