silversurfer

Level 59
Verified
Trusted
Content Creator
Malware Hunter
Intel is warning of a high-severity flaw in the firmware of its converged security and management engine (CSME), which if exploited could allow privilege escalation, denial of service and information disclosure.

CSME powers Intel’s Active Management System hardware and firmware technology, used for remote out-of-band management in consumer or corporate PCs, Internet of Things (IoT) devices, and workstations.

The subsystem of CSME has an improper authentication bug (CVE-2019-14598), which has a CVSS score of 8.2 out of 10.0, making it high severity. A privileged user, with local access, could exploit the flaw to launch an array of attacks, according to Intel.

“Intel recommends updating to Intel CSME versions 12.0.49, 13.0.21, and 14.0.11 or later provided by the system manufacturer that addresses these issues,” according to Intel’s advisory. “Intel recommends IOT customers using Intel CSME version 12.0.55 to update to 12.0.56 or later provided by the system manufacturer that addresses these issues.”
 

silversurfer

Level 59
Verified
Trusted
Content Creator
Malware Hunter

plat1098

Level 17
Verified
Geez, Intel, my motherboard was already end of life months ago! 😡 🤜 👃

It seems not even the Trusted Platform Module's firmware can be upgraded on devices within the past five years. One thing I gleaned: in order for a successful exploit, one is already targeted and/or advanced malware/rootkit is already running w/elevated privileges.

Not replacing my hardware because of this. And the article says that's exactly what one must do to avoid this.
 
Top