Intel has been in the spotlight for security research ever since the Meltdown and Spectre flaws were revealed in 2018. Researchers have recently started to uncover new flaws in Intel’s software, too, including a high-severity flaw in its processor diagnostic tool, found by security researcher Jesse Michael from Eclypsium, and a bug in its data center SSDs, found by Intel engineers.
Two New Flaws Found in Intel's Software
The flaw in the processor diagnostic tool (CVE-2019-11133) is rated 8.2 out of 10 on the CVSS 3.0 scale, making it a high-severity vulnerability. The flaw “may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access,” according to Intel’s latest security advisory. Versions of the tool that are older than 188.8.131.52 are affected.
The second vulnerability, found by Intel’s internal team, affects Intel’s SSD DC S4500/S4600 series sold to data center customers. The flaw, present in SSD firmware versions older than SCV10150, scored 5.3 on the CVSS 3.0 scale, so it was labeled medium-severity. The bug may allow an unprivileged user to enable privilege escalation via physical access.
Because Intel uncovered one of the flaws itself and the Eclypsium researcher coordinated disclosure of the other with Intel, the company was able to have patches ready in time for the public announcement.
Intel's Security Issues Continue
Last month, Intel revealed multiple flaws in the company’s NUC system firmware, Compute Cards and the RAID Web Console 3, many of which were high-severity. In total, Intel patched 25 flaws across multiple platforms.
All of these flaws show us that Intel's security strategy was lacking in the past, to say the least. If Intel is now making an honest effort to secure its products, then we should see fewer and fewer serious security issues affecting Intel’s next-generation products. However, things may get worse before they get better, as more researchers focus on uncovering all of Intel’s past security mistakes.