Intel issued yet another security advisory this week, this time saying that its NUC mini PCs are vulnerable to escalation of privilege attacks. The company also released firmware patches for the mini PCs in order to mitigate the potential attacks. Researchers have found multiple vulnerabilities in NUC PCs this year.
NUC owners are strongly advised to download the latest update for their model’s firmware, which you can get from the company’s website.
According to Intel’s advisory, the five vulnerabilities could allow attackers to escalate privileges on a NUC device. Two of them received a Common Vulnerability Scoring System (CVSS) base score of 7.8, and three got a 7.5 score, all of which represent high severity vulnerabilities.
The first flaw (CVE-2019-14608) is due to improper buffer restrictions in the NUC firmware, which could allow attackers to enable privilege escalation via local access to the device.
The second vulnerability (CVE-2019-14610) describes improper access control in NUC firmware that could allow an authenticated user to enable escalation of privilege via local access.
The third vulnerability (CVE-2019-14609) comes from improper input validation in firmware that also lead to privilege escalation via local access.
A fourth NUC firmware flaw (CVE-2019-14611) was an integer overflow that could result in the same type of attack.
The final flaw (CVE-2019-14612) is an out of bounds write in NUC firmware that attackers could also exploit to escalate system privileges via local access.
Besides all of the speculative execution attacks against its processors, Intel has also had to issue multiple security advisories for its NUC family of devices this year. The company has been attempting to prioritize security since the Spectre CPU vulnerabilities were revealed, and, in part, that means encouraging researchers to look for vulnerabilities on its platforms.
Intel didn't have to ask twice because the vulnerability disclosures seem to keep on coming. It remains to be seen if Intel's attempt to rid its products of security flaws will result in fewer bugs as the years go by, or if we’ll see an increase in bug disclosures as more researchers investigate Intel’s products.