Intel has acknowledged two high-severity flaws in a range of processors used in laptops, cars and Internet of Things (IoT) devices that could enable hackers with physical access to gain escalated privileges to those systems.
In a security alert, Intel said both bugs concern BIOS firmware issues. CVE-2021-0157 involves “insufficient control flow management” and CVE-2021-0158 encompasses “improper input validation.” Both flaws carry a Common Vulnerability Scoring System (CVSS) base score of 8.2.
While Intel didn’t detail technical information on the vulnerabilities, it did recommend that users of the affected processors install the UEFI BIOS updates provided by the system manufacturer.
Intel BIOS Firmware Issues Explained
The issues affect the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms used in mobile devices, embedded systems and Internet of Things (IoT) devices, such as smart home appliances and medical equipment. The flaw also affects cars that use the Intel Atom E3900 chip, including the Tesla Model 3.
The affected processors include:
- Xeon E Family
- Xeon E3 v6 Family
- Xeon W Family
- 3rd Generation Xeon Scalable
- 11th Generation Core
- 10th Generation Core
- 7th Generation Core
- Celeron N Series
- Pentium Silver Series
In its security alert, Intel credited SentinelOne for reporting the bugs. SentinelOne works closely with MSPs and MSSPs on managed endpoint security services.
Intel Vulnerabilities: Additional Insights
Researchers at Positive Technologies also discovered the flaws. According to Positive, cyber attackers could exploit the bugs to:
- Extract the encryption key and gain access to information on a laptop.
- Conduct targeted attacks across the supply chain.
The vulnerability is a debugging functionality with excessive privileges that is not properly protected, said Mark Ermolov, a Positive researcher who helped uncover the bugs. “One example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,” he said. “Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop.” The bug can also be exploited in targeted attacks across the supply chain, said Ermolov.