Intel’s internal team this week disclosed a new vulnerability in the company’s Converged Security and Management Engine (CSME), which could allow privilege escalation, denial of service and information disclosure attacks against PCs powered by certain Intel CPUs.
The bug affects all Intel CPUs that come with a CSME microcontroller unit (MCU), with the exception of newer Ice Lake and Comet Lake processor generations. The vulnerability has a CVSS score of 8.2 out of 10, classifying it as “high severity.”
The firmware flaw is an improper authentication issue in a subsystem of Intel CSME. Versions 12.0 through 12.0.48, 13.0 through 13.0.20 and 14.0 through 14.0.10 may still allow attackers to enable escalation of privilege, denial of service or information disclosure if they have local access to the device via some other bugs.
On Internet of Things (IoT) devices, only firmware 12.0.56 is affected.
Security Issues Keep Plaguing Intel Firmware
Only a few years ago, we’d hardly even hear about security issues with Intel firmware. But these days, especially with Intel Management Engine (ME), one of several firmware subsets of CSME, there seem to be a couple of major disclosures every year.
Exploits of Intel’s ME/CSME chips and firmware can enable an attacker to remotely bypass a computer’s security solutions and take it over. That's because remote out-of-band management enabled by ME/CSME and Intel Active Management Technology (AMT) is a "feature" Intel implemented in its processors.
Privacy activists and system vendors have long argued that Intel ME and the AMT firmware are too dangerous to be enabled on most devices, especially on consumer ones where there’s little to no need for them.
Mitigation
Intel recommends asking your system manufacturer for CSME firmware update versions 12.0.49, 13.0.21 and 14.0.11 or later.
As with most firmware updates, chances are system manufacturers will only update the most recent devices, with the vast majority of in-use devices remaining vulnerable to attacks.
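To find which machines in a fleet still need the update, the version ranges above can be checked against a firmware inventory. The following is an added example, not Intel's tooling: the CSV layout, host names and the optional fourth build component in the version strings are assumptions, and the inventory is constructed.

```python
import csv
import io

# (first affected, last affected, first fixed), as stated in the article.
AFFECTED = [
    ((12, 0, 0), (12, 0, 48), (12, 0, 49)),
    ((13, 0, 0), (13, 0, 20), (13, 0, 21)),
    ((14, 0, 0), (14, 0, 10), (14, 0, 11)),
]
IOT_AFFECTED = (12, 0, 56)  # the only IoT firmware the article lists as affected

def parse_version(text):
    """Return (major, minor, hotfix); a fourth build component is ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CSME version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def assess(version_text, iot=False):
    """Return (status, first fixed version or None)."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unknown", None)  # never report unparsable data as safe
    if iot:
        # The article names no fixed IoT build, so none is returned here.
        status = "affected" if version == IOT_AFFECTED else "not listed"
        return (status, None)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return ("affected", ".".join(map(str, fixed)))
    return ("not listed", None)

# Constructed inventory: host, reported CSME version, IoT firmware flag.
SAMPLE = """host,csme_version,iot
lab-01,12.0.45.1509,no
lab-02,12.0.49.1534,no
lab-03,13.0.20.1310,no
kiosk-07,12.0.56.1600,yes
lab-04,not-reported,no
"""

def triage(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: assess(r["csme_version"], r["iot"] == "yes") for r in rows}

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE).items():
        print(f"{host}: {status}" + (f", update to {fixed} or later" if fixed else ""))
```

Hosts that come back as "unknown" should be followed up rather than assumed patched, since a missing version report says nothing about the installed firmware.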