Intel has issued a security advisory addressing several critical vulnerabilities in the UEFI firmware of certain processors. These flaws, if exploited, could allow privileged users to escalate privileges, launch denial-of-service (DoS) attacks, or even leak sensitive information.
Affected users will need to wait for system manufacturers to distribute the necessary firmware updates, which may take time, depending on the vendor. Lenovo, however, has already rolled out fixes for some of its impacted systems.
Vulnerability details
The security advisory lists multiple vulnerabilities affecting a wide range of Intel processors, many of which are rated as high-severity. The most concerning flaws include:
- CVE-2024-23599 (CVSS 4.0 score of 8.3): This race condition in Intel's Seamless Firmware Updates could enable a local privileged user to initiate a DoS attack.
- CVE-2023-43626 (CVSS 4.0 score of 8.7): Improper access control could allow a local privileged user to escalate privileges.
- CVE-2024-21871 (CVSS 4.0 score of 8.7): This vulnerability arises from improper input validation, allowing a privileged user to escalate privileges.
- CVE-2023-42772 (CVSS 4.0 score of 8.2): An untrusted pointer dereference issue could enable local privilege escalation.
In its security bulletin, Intel emphasized the significant risk these vulnerabilities pose to affected systems, with impacts ranging from loss of sensitive information to total control over a compromised machine.
Affected Intel processors
A wide range of Intel processors are vulnerable, including but not limited to:
- Intel Xeon Processor D and E Families
- 10th, 11th, and 12th Generation Intel Core Processor Families
- Intel Atom Processor Series
- Intel Pentium and Celeron Processors
Specific models such as the Intel Core i7-11700 and Intel Xeon Scalable Processors are among those impacted. Server-grade processors, including 3rd Generation Intel Xeon Scalable Processors and the Intel Xeon Processor E7 v3 Family, are also vulnerable, raising concerns for data centers and enterprise users.
UEFI updates available
Intel announced the availability of fixes, but users of affected Intel processors must wait for their computer manufacturers to release UEFI firmware updates that incorporate them. While this could take some time for certain models and vendors, Lenovo has been proactive in releasing patches for a wide range of systems. The Lenovo bulletin addresses multiple CVEs, including the four high-severity flaws listed above.
Intel advises users to monitor their system manufacturer's website for available updates and apply them promptly to mitigate these risks. Lenovo users can download updates from Lenovo's support website, which provides specific guidance on product models and firmware fixes.