Intel NUCs Hit With Five New Security Flaws


Intel issued yet another security advisory this week, this time saying that its NUC mini PCs are vulnerable to escalation of privilege attacks. The company also released firmware patches for the mini PCs in order to mitigate the potential attacks. Researchers have found multiple vulnerabilities in NUC PCs this year.

NUC owners are strongly advised to download the latest update for their model’s firmware, which you can get from the company’s website.

According to Intel’s advisory, the five vulnerabilities could allow attackers to escalate privileges on a NUC device. Two of them received a Common Vulnerability Scoring System (CVSS) base score of 7.8, and three got a 7.5 score, all of which represent high-severity vulnerabilities.

The first flaw (CVE-2019-14608) is due to improper buffer restrictions in the NUC firmware, which could allow attackers to enable privilege escalation via local access to the device. 

The second vulnerability (CVE-2019-14610) describes improper access control in NUC firmware that could allow an authenticated user to enable escalation of privilege via local access.

The third vulnerability (CVE-2019-14609) comes from improper input validation in firmware that could also lead to privilege escalation via local access.

A fourth NUC firmware flaw (CVE-2019-14611) was an integer overflow that could result in the same type of attack.

The final flaw (CVE-2019-14612) is an out-of-bounds write in NUC firmware that attackers could also exploit to escalate system privileges via local access.

Besides all of the speculative execution attacks against its processors, Intel has also had to issue multiple security advisories for its NUC family of devices this year. The company has been attempting to prioritize security since the Spectre CPU vulnerabilities were revealed, and, in part, that means encouraging researchers to look for vulnerabilities on its platforms. 

Intel didn't have to ask twice because the vulnerability disclosures seem to keep on coming. It remains to be seen if Intel's attempt to rid its products of security flaws will result in fewer bugs as the years go by, or if we’ll see an increase in bug disclosures as more researchers investigate Intel’s products.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Darkbreeze
    And the hits just keep on coming. Dang, it's been a really bad two years for Intel. If it weren't for the fact that they kept their boot on the neck of AMD and the cruise control set to 55mph when AMD was in bad shape, I'd almost feel sorry for them. Almost.
  • w_barath
    55mph? That would imply that they were keeping up with the average flow of traffic. While AMD was down, Intel's generation-on-generation improvements dropped to 10% of what they had been while they faced real competition. I think saying they shifted to neutral and coasted would be charitable!
  • InvalidError
    Darkbreeze said:
    Dang, it's been a really bad two years for Intel.
    Don't rush to clear AMD just because Intel got a rougher time with side-channel exploits so far, researchers have had five more years to poke at Intel's current architectures than they do with Ryzen. More popular OSes, browsers, etc. get more scrutiny simply because there is that much of a broader install base to potentially cash in on successful exploits with. AMD's market share is only ~20%, interest in AMD-specific exploits is going to grow with AMD's success and AMD may get its share of vendor-specific exploits then. I'd be surprised if nothing Zen-specific pops up within the next three years.
  • setx
    Again this nonsense that Intel has many exploits because everyone is only interested in finding their exploits...
    How about ARM? They dominate mobile and embedded markets and still no one is interested in finding their exploits? Sure!
  • InvalidError
    setx said:
    How about ARM? They dominate mobile and embedded markets and still no one is interested in finding their exploits? Sure!
    ARM cores are still FAR simpler than x86 ones due to power efficiency constraints preventing mobile ARM from using more aggressive performance optimizations. Give it some more time to get into higher-power laptop and server variants designed to push much higher per-thread IPC.

    Also, most of Intel's recent security flaws involve SMT, ARM does not have SMT yet.
  • bit_user
    InvalidError said:
    Also, most of Intel's recent security flaws involve SMT, ARM does not have SMT yet.
    At least one of the fully custom ARMv8-A cores has it (ThunderX2), as does ARM's own Cortex-A65AE.