A critical privilege-escalation flaw affects quite a few common Intel motherboards, server systems and compute modules.
Intel is warning of a uncommon critical-severity vulnerability influencing numerous of its motherboards, server methods and compute modules. The flaw could enable an unauthenticated, remote attacker to achieve escalated privileges.
The lately patched flaw (CVE-2020-8708) ranks 9.6 out of 10 on the CVSS scale, producing it critical. Dmytro Oleksiuk, who uncovered the flaw, advised Threatpost that it exists in the firmware of Emulex Pilot 3. This baseboard-administration controller is a assistance processor that monitors the actual physical condition of a computer, network server or other components devices by way of specialised sensors.
Emulex Pilot 3 is applied by a variety of motherboards, which combination all the server parts into 1 system. Also impacted are a variety of server functioning systems, and some Intel compute modules, which are electronic circuits, packaged onto a circuit board, that offer numerous features.
The critical flaw stems from poor-authentication mechanisms in these Intel products prior to edition 1.59.
In bypassing authentication, an attacker would be capable to accessibility to the KVM console of the server. The KVM console can obtain the program consoles of network devices to check and command their functionality. The KVM console is like a distant desktop carried out in the baseboard management controller – it presents an entry position to the exhibit, keyboard and mouse of the remote server, Oleksiuk informed Threatpost.
The flaw is harmful as it’s remotely exploitable, and attackers don’t need to have to be authenticated to exploit it – while they need to be found in the same network section as the susceptible server, Oleksiuk told Threatpost.
“The exploit is very basic and pretty trustworthy for the reason that it is a style flaw,” Oleksiuk explained to Threatpost.
Further than this critical flaw, Intel also preset bugs tied to 22 critical-, high-, medium- and low-severity CVEs impacting its server board, methods and compute modules. Other significant-severity flaws involve a heap-primarily based overflow (CVE-2020-8730) that’s exploitable as an authenticated user incorrect execution-assigned permissions in the file system (CVE-2020-8731) and a buffer overflow in daemon (CVE-2020-8707) — all a few of which empower escalated privileges.
Oleksiuk was credited with reporting CVE-2020-8708, as well as CVE-2020-8706, CVE-2020-8707. All other CVEs had been located internally by Intel.
Impacted server devices include things like: The R1000WT and R2000WT households, R1000SP, LSVRP and LR1304SP families and R1000WF and R2000WF households.
Impacted motherboards consist of: The S2600WT relatives, S2600CW household, S2600KP household, S2600TP household, S1200SP loved ones, S2600WF family, S2600ST loved ones and S2600BP spouse and children.
Last but not least, impacted compute modules contain: The HNS2600KP family members, HNS2600TP spouse and children and HNS2600BP relatives. Far more information pertaining to patches is readily available in Intel’s security advisory.
Intel also issued an array of other security advisories addressing substantial-severity flaws throughout its item traces, such as ones that influence Intel Graphics Motorists, Intel’s RAID web console 3 for Windows, Intel Server Board M10JNP2SB and Intel NUCs.
Complimentary Threatpost Webinar: Want to find out more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings prime cloud-security gurus from Microsoft and Fortanix together to take a look at how Confidential Computing is a recreation changer for securing dynamic cloud details and avoiding IP exposure. Be a part of us Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software program architect, Microsoft and Dr Richard Searle, security architect, Fortanix – each with the Private Computing Consortium. Register Now.