This week, Intel released fixes for dozens of vulnerabilities in its product portfolio, including critical and severe issues.
Let me remind you that we also wrote that Serious new vulnerabilities threaten Intel processors, and also that New Hertzbleed Side-Channel Attack Affects Intel and AMD Processors.Also the media noted that Linus Torvalds criticized Intel for occasional using of ECC memory.
One of the most serious bugs was CVE-2021-39296 (10 points out of 10 possible on the CVSS scale), which affects the integrated BMC (Baseboard Management Controller) and OpenBMC firmware on several platforms of the company at once.
As can be seen from the CVE ID, this issue was discovered back in 2021 in the netipmid interface (IPMI lan+) and allowed an attacker to gain root access to the BMC, bypassing authentication using IPMI messages.
Four more bugs have also been fixed in the BMC and OpenBMC firmware, including a serious out-of-bounds read issue that could lead to a denial of service.
Intel has addressed these issues by introducing Integrated BMC firmware 2.86, 2.09, and 2.78, as well as OpenBMC firmware 0.72, wht-1.01-61, and egs-0.91-179.
In addition, the Intel Software Guard Extensions (SGX) enclaves were once again in the spotlight, as several vulnerabilities were associated with this technology at once. The problems cover a wide range of Intel products, including Xeon processors, network adapters, and various software.
For example, two vulnerabilities in SGX were related to a potential privilege escalation that could lead to information disclosure. One of them, CVE-2022-38090, is of medium severity and affects a number of Intel processors, including 3rd generation Xeon Scalable server processors, which have only recently been superseded by 4th generation Sapphire Rapids products.
Another vulnerability, CVE-2022-33196, is of high severity and also affects 3rd generation Xeon and Xeon D processors. Intel has said it will release BIOS and microcode updates for the affected processors.
Another issue affecting SGX turned out to be related to the SDK. According to Intel engineers, this bug could lead to information disclosure through local access due to incorrect condition checking. The company said it will release updates to mitigate this issue.
Another highly rated vulnerability affects 3rd generation server Xeon Scalables and some Atom processors. CVE-2022-21216 allows a privileged attacker to perform privilege escalation through access to a neighboring network due to insufficient access control. For this problem, they also promise to provide a corresponding firmware update.