[German]Intel offers the free Intel Extreme Tuning Utility (XTU) for tuning its CPUs. However, the tool is as night mare in terms of security and you should keep your hands off it. Here's a quick look under the hood to see what's broken.
Advertising
What is the Intel Extreme Tuning Utility (XTU)?
The Intel® Extreme Tuning Utility (Intel® XTU) is available here for free download for Windows 7 and Windows 10 (64 Bit). The almost 30 MByte setup files set up an English version of the tool on the system. The manufacturer writes to the tool:
Intel XTU is a simple Windows-based performance tuning software for beginners and experienced enthusiasts to overclock, monitor and stress a system. The software interface offers a number of robust features common to most enthusiast platforms, as well as special new features for new Intel® application processors and Intel® motherboards..
On this Intel site and here you will find some informationen about XTU. Another article at notebookcheck.net covers this topic. The tool sounds intersting.
Security risk Intel Extreme Tuning Utility (XTU)?
If you think you have to install and use this tool on your system, you should first read the following text. On seclists.org I came across this entry from the end of September 2018. Stefan Kanthak took the tool XTU-Setup.exe, version 6.4.1.23 (released on May 18, 2018) and documented some unpleasant things. .
Vulnerability #1
The XTU-Setup.exe executable installation program contains at least two obsolete and unsupported Microsoft runtime components. One runtime component has known vulnerabilities that have been fixed for a long time.
- Component #1: 2010 Microsoft SQL Server Compact 3.5 SP2 ENU; this component reached its end-of-life on April 10, 2018 (not even found on the Microsoft pages).
- Component #2: Microsoft Visual C++ 2005 Runtime 8.0.50727.762; the Visual C++ 2005 runtime environment has also reached the End of Life since April 12, 2016 (expired only two years ago).
The tool will be delivered with two Microsoft products that have dropped out of support during installation. The last Visual C++ 2005 Runtime is version 8.0.50727.4940, which was released on April 12, 2011 and updated on June 14, 2011 (seven years ago).
Advertising
And the installer XTU-Setup.exe tries, to install the unsecure Microsoft Visual C++ 2005 Runtime 8.0.50727.762 (out of support since long time), even if a newer version of the runtime environment is available.
Vulnerability #2
The package vcredist_x86.exe included in XTU-Setup.exe was created with the Wix Toolset 3.6. However, everything created with this toolset is insecure because the toolset has security holes (see here and here).
Code execution with privilege escalation vulnerability
The vulnerabilities mentioned above allow an attacker to execute arbitrary code under the context of the user account and to extend privileges through vulnerabilities. Kanthak describes a proof-of-concept on seclists.org.
In addition, the installer enables a Denial of Service attack (without requiring administrator privileges). The setup remains stuck at about 75% during installation.
Communication with Intel and a Security Warning
Kanthak first reported the vulnerability to Intel on September 4, 2017 without receiving any response. On March 22, 2018, a new vulnerability report was sent to Intel. Intel then updated the installer on May 18, 2018 without further notice. Of course, this installer version also had security vulnerabilities. Therefore, a new report was sent to Intel on June 5, 2018 with vulnerability notifications.
Now it's getting scary: On September 11, 2018, Intel releases its own Security Advisory, warning about Escalation of Privilege and Denial of Service vulnerabilities. The vulnerabilities (CVE-2018-12150, CVE-2018-12149, CVE-2018-12151) are rated High with the security impact.
According to the Intel document, this affects the Intel® Extreme Tuning Utility before version 6.4.1.21. Intel recommends updating to version 6.4.1.23 or higher. Kanthak has therefore published its own advisory on seclists.org. Because of the issues mentioned above, this advisory warns against the Intel recommended version 6.4.1.23. At this point I can only give one advice: Keep your hands off these Intel tools, because these vulnerabilities have been running through these products for years.
Advertising
