Intel has released 2 patches to fix vulnerabilities in its NUC PCs – but one flaw hasn't been fixed. And the Active System Console tool has a security issue.
Intel NUC advisory
Intel released security advisory INTEL-SA-00296 for its NUC systems on October 8, 2019. Potential security vulnerabilities in system firmware for Intel® NUC may allow escalation of privilege, denial of service and information disclosure – they are classified as high.
- CVEID: CVE-2019-14569: Description: Pointer corruption in system firmware for Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access. CVSS Base Score: 7.5 High
- CVEID: CVE-2019-14570: Description: Memory corruption in system firmware for Intel(R) NUC may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access. CVSS Base Score: 7.5 High
Affected Products | Updated Firmware |
Intel® NUC 8 Mainstream Game Kit | INWHL357 |
Intel® NUC 8 Mainstream Game Mini Computer | INWHL357 |
Intel® NUC Board DE3815TYBE (H26998-500 & later) | TY0022 |
Intel® NUC Kit DE3815TYKHE (H27002-500 & later) | TY0022 |
Intel® NUC Board DE3815TYBE | TY0067 |
Intel® NUC Kit DE3815TYKHE | TY0067 |
Intel® NUC Kit DN2820FYKH | FY0069 |
Intel recommends that users update to the latest version. There is also a 2nd advisory INTEL-SA-00286 (Intel® Smart Connect Technology for Intel® NUC Advisory):
CVEID: CVE-2019-11167: Description: Improper file permission in software installer for Intel(R) Smart Connect Technology for Intel(R) NUC may allow an authenticated user to potentially enable escalation of privilege via local access. CVSS Base Score: 6.3 Medium
There is no fix available. Intel recommends that users of Intel® Smart Connect Technology for Intel® NUC uninstall or discontinue use at their earliest convenience.
There is another escalation of privilege vulnerability, CVE-2019-11120, in Intel's Active System Console. Intel has released advisory INTEL-SA-00261 and rates the vulnerability as 'medium':
CVEID: CVE-2019-11120: Description: Insufficient path checking in the installer for Intel(R) Active System Console before version 8.0 Build 24 may allow an authenticated user to potentially enable escalation of privilege via local access. CVSS Base Score: 6.7 Medium
Affected Products: Intel® Active System Console for Intel® Server Boards and Systems based on Intel® 62X Chipset before version 8.0 Build 24. Intel recommends that users of Intel® Active System Console for Intel® Server Boards and Systems based on Intel® 62X Chipset update to 8.0 Build 24 or later.