Intel Fixes 2 High-Severity VulnerabilitiesFlaws in Processors Could Enable Privilege Escalation Attacks
Chipmaker Intel has issued a security advisory for two high-severity vulnerabilities in the BIOS - basic input/output system - reference code in Intel processors that may allow privilege escalation attacks.
A BIOS performs hardware initialization during the booting process and provides runtime services for operating systems and programs.
CVE-2021-0157 concerns the insufficient control flow management in the BIOS firmware for some Intel processors, and CVE-2021-0158 concerns improper input validation in the same firmware.
Exploitation of both vulnerabilities can only be achieved with local access to the targeted systems, according to researchers Itai Liba and Assaf Carlsbad at security firm SentinelOne, Intel says.
Intel products affected by the vulnerabilities include Xeon Processor E, E3 v6 and W Family; third-generation Xeon scalable processors; seventh-, 10th- and 11th-generation core processors; core X-series processors; Celeron processor N series; and Pentium silver processor series, the researchers say.
It's important to remember that the BIOS firmware precedes the operating system's security checks and plays a crucial role as a foundation of trust for all of the processes involved when the system starts up, researcher Carlsbad told Information Security Media Group.
"These security vulnerabilities can affect a wide range of enterprise processor families and allow malicious attackers to obtain higher privilege levels on vulnerable devices. Our research [shows that the vulnerabilities] affect Intel processors, and [those of] other leading device vendors such as Dell and HP," Carlsbad says.
"The vulnerabilities we found are LPE bugs that allow attackers to escalate their privileges to SMM. SMM code is considered to be highly privileged and is usually isolated from the 'outside world,'" Carlsbad told news site Bleeping Computer.
To achieve this isolation, SMM code runs from its own memory space known as SMRAM, which is neither readable nor writable by the OS, Carlsbad said.
"Using the vulnerabilities we discovered, attackers running with OS-level privileges can trigger corruption of SMRAM memory in a controlled manner. By leveraging the memory corruption, they can eventually get to a point where they are able to install a BIOS-level implant, thus gaining a very stable and stealthy persistence on the infected device."
Intel did not respond to Information Security Media Group's request for technical details and the impact of the vulnerabilities on companies that use the affected products, however the SentinelOne researchers plan to release technical details on the SentinelLabs research site in the "following days," Carlsbad told ISMG.
The company has recommended that users update to the latest version of software offered by the system manufacturer to address the issues caused by the vulnerabilities.
While these are vulnerabilities that must be patched by organizations, they need to do so in the overall context of their risk profile, says Javvad Malik, lead security awareness advocate at cybersecurity firm KnowBe4. "The fact that you need either physical access to the system or an already privileged account to exploit these make them harder and less likely to exploit," he tells ISMG.
Second Vulnerability in Two Weeks
The report on the high-severity BIOS vulnerabilities comes a week after Intel released a separate security advisory for a flaw that affects laptops, cars and embedded systems.
Tracked as CVE-2021-0146, this vulnerability enables testing or debugging modes on multiple Intel processor lines, which could allow an unauthorized user with physical access to the system to obtain "enhanced privileges."
The vulnerability affects Intel Atom E3900 series IoT processors, used by car manufacturers in more than 30 models, according to Mordor Intelligence.
The flaw can also affect Intel's Pentium, Celeron and Atom processors on the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms, which are used in both mobile devices and embedded systems, according to a Positive Technologies report.
"The threat affects a wide range of ultra-mobile netbooks and a significant base of Intel-based IoT systems, from home appliances and smart home systems to cars and medical equipment," the Positive Technologies researchers Mark Ermolov and Dmitry Sklyarov note.
The flaw has a CVSS score of 7.1.
“One example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,” Ermolov says. “Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks across the supply chain."
An employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect, Ermolov says. This could facilitate the extraction of the root encryption key used in Intel Platform Trust Technology and Enhanced Privacy ID solutions that protect digital content from illegal copying.
"For example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management. Using this vulnerability, an intruder might extract the root EPID key from a device [e-book] and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them," says Ermolov.
The vulnerability is a debugging functionality with excessive privileges, he says. To avoid problems in the future and prevent the possible bypassing of built-in protection, manufacturers should be more careful in their approach to security provision for debug mechanisms, he adds.
Positive Technologies researchers recommend installing the UEFI BIOS updates published by end manufacturers of the respective electronic equipment to fix this vulnerability.