Intel has patched serious vulnerabilities affecting a wide range of the company’s processor families. The discovered bugs allow attackers to gain higher privileges on a vulnerable device.
Two vulnerabilities (CVE-2021-0157 and CVE-2021-0158) were found by SentinelOne, and both scored 8.2 on the CVSS vulnerability rating scale. The first concerns improper control flow management in the BIOS firmware of some Intel processors, and the second stems from insufficient input validation in the same component. Both vulnerabilities can lead to privilege escalation on a machine if an attacker has physical access to it.
According to Intel, the vulnerabilities concern the following products:
- Intel® Xeon® E processor family;
- Intel® Xeon® processor E3 v6 family;
- Intel® Xeon® W processor family;
- 3rd Generation Intel® Xeon® Scalable Processors;
- 11th Generation Intel® Core™ processors;
- 10th Generation Intel® Core™ processors;
- 7th Generation Intel® Core™ processors;
- Intel® Core™ X-series processors;
- Intel® Celeron® Processor N Series;
- Intel® Pentium® Silver processors.
Intel has not yet shared the technical details of these problems and has only recommended that users fix the vulnerabilities by installing the available BIOS updates. Unfortunately, this can be a problem, as motherboard manufacturers do not release BIOS updates very often and generally do not support their products for very long. For example, 7th Gen Intel Core processors were released five years ago, and it is doubtful that motherboard manufacturers are still releasing security updates for such old (by their standards) products.
Another vulnerability patched by Intel this week, identified as CVE-2021-0146 (7.2 on the CVSS scale), is also related to privilege escalation and requires physical access to the device. This bug was discovered by Positive Technologies specialists Mark Ermolov and Dmitry Sklyarov, as well as by independent researcher Maxim Goryachy.
The researchers say the problem concerns the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms, which are used in both mobile computers and embedded systems. The threat also affects a wide range of ultra-mobile netbooks and many IoT devices based on Intel processors – from household appliances and smart home systems to cars and medical equipment.
According to Mordor Intelligence, Intel ranks fourth in the market of chips for the Internet of Things, and its Intel Atom E3900 series IoT processors, which are also affected by CVE-2021-0146, are used by automakers in more than 30 car models, including, according to unofficial data, the Tesla Model 3.
Technically, the vulnerability is caused by debugging functionality that has excessive privileges and is not properly protected. To avoid such problems in the future and to prevent the built-in protection from being bypassed, manufacturers should be more careful in securing debug mechanisms.
To resolve the reported issue, users need to install the UEFI BIOS updates published by the manufacturers.
We also previously reported that some Intel processors are vulnerable to a new version of the Zombieload problem.