Intel is warning of a high-severity flaw in the firmware of its Converged Security and Management Engine (CSME) which, if exploited, could allow privilege escalation, denial of service and information disclosure.
CSME powers Intel’s Active Management System hardware and firmware technology, used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations.
A subsystem of CSME has an improper authentication bug (CVE-2019-14598), which has a CVSS score of 8.2 out of 10.0, making it high severity. A privileged user with local access could exploit the flaw to launch an array of attacks, according to Intel.
“Intel recommends updating to Intel CSME versions 12.0.49, 13.0.21, and 14.0.11 or later provided by the system manufacturer that addresses these issues,” according to Intel’s advisory. “Intel recommends IOT customers using Intel CSME version 12.0.55 to update to 12.0.56 or later provided by the system manufacturer that addresses these issues.”
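To turn the quoted version guidance into a fleet check, the following added example (not Intel's tooling and not part of the original article) classifies inventoried CSME firmware versions against the fixed versions named above, including the separate IoT case for 12.0.55. It assumes the inventory reports dotted version strings, compares only the first three fields, and knows which hosts are IoT builds; the host names and versions in the sample inventory are constructed.

```python
# Added example: classify CSME firmware versions against the fixed
# versions quoted from Intel's advisory for CVE-2019-14598.
FIXED = {12: (12, 0, 49), 13: (13, 0, 21), 14: (14, 0, 11)}  # per quoted advisory
IOT_AFFECTED = (12, 0, 55)  # IoT version the advisory singles out
IOT_FIXED = (12, 0, 56)     # its stated replacement

def parse_version(text):
    """Return (major, minor, hotfix) from '12.0.45' or '12.0.45.1509'."""
    parts = text.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CSME version: {text!r}")
    return tuple(int(p) for p in parts[:3])

def classify(version_text, iot=False):
    """Return (status, minimum fixed version or None) for one device."""
    try:
        ver = parse_version(version_text)
    except ValueError:
        return ("unparseable", None)
    # Assumption: the IoT rule applies only to the exact version quoted.
    if iot and ver == IOT_AFFECTED:
        return ("update", IOT_FIXED)
    fixed = FIXED.get(ver[0])
    if fixed is None:
        # Branch not named in the quoted recommendation: do not guess.
        return ("not-listed", None)
    return ("ok", fixed) if ver >= fixed else ("update", fixed)

# Constructed inventory: (host, reported CSME version, is IoT build)
INVENTORY = [
    ("ws-001", "12.0.45.1509", False),
    ("ws-002", "12.0.49", False),
    ("kiosk-01", "12.0.55", True),
    ("kiosk-02", "12.0.56", True),
    ("lt-101", "13.0.20.1300", False),
    ("lt-102", "14.0.11", False),
    ("srv-old", "11.8.70", False),
    ("srv-bad", "unknown", False),
]

def report(inventory):
    """Map each host to its (status, fixed version) classification."""
    return {host: classify(ver, iot) for host, ver, iot in inventory}

if __name__ == "__main__":
    for host, (status, fixed) in report(INVENTORY).items():
        target = ".".join(map(str, fixed)) if fixed else "-"
        print(f"{host:10} {status:12} fixed>={target}")
```

Hosts reported as `not-listed` or `unparseable` need manual review against the system manufacturer's guidance rather than being treated as patched.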