What The NUC? Intel Patches Serious Security Flaws In Mini PCs, Software Utilities
Not long after Microsoft issued a bevy of security updates for its products during Patch Tuesday, Intel is holding its own "patch party" for its hardware and software products. Products affected include Intel's lineup of NUC mini PCs and Compute Sticks along with a few of its software utilities.
On the NUC front, Intel issued an advisory describing a vulnerability (CVE-2019-11140) in the device firmware that can lead to an escalation of privileges or denial of service attack. Intel traced the exploit back to "insufficient session validation" that could allow such attacks to take place. The security concern has been given a CVSS Base Score of 7.5, which is considered high severity. Affected Intel systems are listed below:
- Intel NUC Kit NUC7i7DNx
- Intel NUC Kit NUC7i5DNx
- Intel NUC Kit NUC7i3DNx
- Intel Compute Stick STK2MV64CC
- Intel Compute Card CD1IV128MK
You can find firmware updates for these systems and more on CVE-2019-11140 by clicking the following link.
A flaw (CVE-2019-11163) has also been found in the seemingly harmless Intel Processor Identification Utility (Windows Version). This tool allows you to see detailed information and specs on your installed Intel processor, however, it too has been flagged for privilege elation and denial of service exploits. CVE-2019-11163 has a CVSS Base Score of 8.2 (high severity), and users can mitigate the security intrusion by upgrading to Intel Processor Identification Utility version 6.1.0731 or later, which you can download here.
Intel has also issued updates for its Computing Improvement Program, due to improper access control in the SEMA driver. This is another high severity exploit with a CVSS Base Core of 8.2. Intel has addressed this security breach with its version 2.4.0.04733 update.
Finally, a vulnerability was discovered in the Intel Driver & Support Assistant (CVE-2019-11145), which could result in an escalation of privileges. Unlike the other exploits, the is a medium risk with a CVSS Base Score of 6.7. Intel has pushed out version 126.96.36.199 of its utility to eradicate the threat, which you can download here.