Intel patched a high-severity bug in the CSME subsystem, allowing an attacker to escalate privilege, disclose information, and deny service. Intel Converged Security and Management Engine (CSME) is a chipset subsystem that powers Intel’s Active Management technologies. CSME is used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations. A reliable vulnerability management tool can help detect the vulnerabilities.
This bug was discovered internally by Intel’s security team and is tracked as CVE-2019-14598. CVE-2019-14598(INTEL-SA-00307) does not require any user interaction for exploitation and affects the system’s Confidentiality, Integrity, and Availability. But, the attacker needs to be a highly privileged user with local access to the system. To patch this vulnerability, a patch management tool is required.
Intel has also released medium and low-severity advisories for five other vulnerabilities. These vulnerabilities allow an authenticated user to escalate privileges via local access.
Advisories:
- INTEL-SA-00273 : A vulnerability(CVE-2020-0560) in Intel® Renesas Electronics® USB 3.0 Driver exists due to an improper permissions issue in the installer. Intel has not released any updates to mitigate this vulnerability and has issued a Product Discontinuation notice for this product. Intel recommends that the usage of this drive discontinued or uninstalled at the earliest.
- INTEL-SA-00336 : A vulnerability(CVE-2020-0561) in Intel® Software Guard Extensions (SGX) SDK exists due to an improper initialization issue.
- INTEL-SA-00339 : A vulnerability CVE-2020-0562() in Intel® RAID Web Console 2 (RWC2) exists due to an improper permissions issue.
- INTEL-SA-00340 : A vulnerability(CVE-2020-0563) in Intel® Manycore Platform Software Stack (MPSS) exists due to an improper permissions issue.
- INTEL-SA-00341 : A vulnerability(CVE-2020-0564) in Intel® RAID Web Console 3 (RWC3) exists due to an improper permissions in the installer.
Impact
These vulnerabilities could allow attackers to escalate privileges, disclose sensitive information, or cause denial of service attacks.
Affected Products
- Intel® CSME versions before 12.0.49 (IOT only: 12.0.56), 13.0.21, 14.0.11
- All versions of Intel® Renesas Electronics® USB 3.0 Driver
- Intel® SGX SDK before v2.6.100.1 for Windows, and Intel® SGX SDK before v2.8.100.1 for Linux
- All versions of Intel® RWC2
- Intel® MPSS before version 3.8.6.
- Intel® RWC3 before version 7.010.009.000.
Solution
We recommend installing the Intel security updates as soon as possible to stay protected.