Intel NUC BIOS vulnerability CVE-2018-12176

There is a vulnerability (CVE-2018-12176) in the BIOS of various Intel NUCs, which can be used to manipulate the devices. Intel has published a Security Advisory.



Improper input validation in the firmware for Intel NUC kits (CVE-2018-12176) allows attackers to patch the BIOS/UEFI with unsigned updates and place arbitrary code there. Embedi security researchers have developed a proof of concept to manipulate the BIOS/UEFI on various Intel NUCs (details are described here). The following screenshot shows a BIOS/UEFI message on the monitor manipulated by Embedi as part of a proof of concept.

Manipulated BIOS message
(Source: Embedi)

Embedi security researchers write that you need to have access to the Intel NUC and administrative privileges for an attack. This restricts the possibility of abuse (no hacking via the Internet). But it opens up new approaches for manipulating hardware. If the attacker succeeds in gaining direct access to the devices, he could place a Trojan in the BIOS/UEFI which would also survive a new installation of the operating system.

Intel now warns in the Security Advisory INTEL-SA-00176 of the vulnerability in the following NUC systems:

  • Intel® NUC Kit NUC7CJYH
  • Intel® NUC Kit NUC8i7HNK
  • Intel® Compute Card CD1M3128MK
  • Intel® Compute Card CD1IV128MK
  • Intel® Compute Card CD1P64GK
  • Intel® NUC Kit NUC7i7DNKE
  • Intel® NUC Kit NUC7i5DNKE
  • Intel® NUC Kit NUC7i3DNHE
  • Intel® NUC Kit NUC7i7BNH
  • Intel® NUC Kit NUC6CAYS
  • Intel® NUC Kit DE3815TYBE
  • Intel® NUC Kit NUC6i5SYH
  • Intel® NUC Kit NUC6i7KYK
  • Intel® NUC Kit NUC5PGYH
  • Intel® NUC Kit NUC5CPYH
  • Intel® NUC Kit NUC5i7RYH
  • Intel® NUC Kit NUC5i5MYHE
  • Intel® NUC Kit NUC5i3MYHE
  • Intel® NUC Kit DN2820FYKH
  • Intel® NUC Kit D54250WYB
  • Intel® NUC Kit D53427RKE
  • Intel® NUC Kit D33217GKE
  • Intel® Compute Stick STK2mv64CC
  • Intel® Compute Stick STK2m3W64CC
  • Intel® Compute Stick STK1AW32SC
  • Intel® Compute Stick STCK1A32WFC

The company has rated the vulnerability as high (8.2 out of 10 possible points) and has released firmware updates for the affected NUCs and Intel Compute Sticks to close the vulnerability. The update and details can be found in the Security Advisory INTEL-SA-00176.

