Intel Finally Patches Flaw in Security Engine
Intel reported high-severity flaw in the firmware of its converged security and management engine (CSME). The high-severity vulnerability could allow denial of service, privilege escalation and information farming. CSME powers Intel's Active Management System hardware and firmware technology, used for remote management in PCs and Internet of Things. The subsystem of CSME has an authentication bug. A privileged user, with local access, could exploit the flaw to launch attacks, according to Intel.
It's not the first flaw found in CSME. In November, a critical flaw in CSME was patched that could allow escalation of privilege, denial of service or information disclosure. Another critical flaw discovered in May could allow an authenticated user to enable escalation of privilege over network access in CSME.
A flaw was found found in Intel Renesas Electronics USB 3 driver, the driver for the USB 3 Renesas Electronics adapter found in many Intel motherboard. The flaw allows privilege escalation and comes from improper permissions in the installer. Instead of releasing updates, Intel issued a product discontinuation notice for the driver. All versions of the driver are affected.
These are only the latest Intel security updates. In January, Intel warned of a high-severity vulnerability in its performance analysis tool called Intel VTune Profiler. The flaw allows a hacker to run a privilege escalation attack, giving them unauthorized system access to systems. Also in January, Intel disclosed a new speculative execution attack, called CacheOut, that could allow hackers to trigger data leaks from most Intel CPUs.
Intel recommends updating to Intel CSME versions 12.0.49, 13.0.21, and 14.0.11 or later if the manufacturer releases the updates. Intel recommends IOT customers using Intel CSME version 12.0.55 to update to 12.0.56 or later provided by the system manufacturer.