Intel issues fixes for critical flaws in drivers and firmware

Intel has released security updates for a large number of hardware products and fixed software drivers that attackers could abuse to gain full control over target Windows systems.

Firmware security vendor Eclypsium discovered the vulnerable drivers in August this year.

Eclypsium conducted a larger investigation into how vulnerable drivers from 17 vendors could be exploited to take control over Windows-based systems, but held back from naming Intel at the time to give the company a chance to release fixes.

The drivers in question are the 32- and 64-bit versions of Intel's PMxDrv, which have been used in the company's detection tools to discover other vulnerabilities since 1999.

They are also shipped with the Flash Programming Tool provided to original equipment manufacturers and their customers, for updating Intel-based basic input/output system (BIOS) firmware that is loaded ahead of the Windows operating system.

Eclypsium noted that the PMx driver was "incredibly capable", with read and write access to large parts of a computer's hardware, including physical memory, processor registers, and the ability to gain input/output and peripheral component interconnect bus access.

"This level of access can provide an attacker with near-omnipotent control over a victim device," Eclypsium wrote.

Since PMx and other drivers are allowed to modify the Windows kernel or device firmware, they bypass traditional security software.

Attackers and malware operating in user space can abuse the drivers' capabilities and reach deep into the kernel running at the isolated Ring 0 level to steal data, cause damage and create a persistent foothold on the computer system.

While Linux and Apple macOS avoid this threat with their Kernel Lockdown and System Integrity Protection, Microsoft Windows' Security Servicing Criteria treats processes running in Ring 3 user space with Administrator privileges the same as the operating system kernel.

That provides Administrators with full control over devices, but means compromised processes with the same high privileges create a "gaping security hole," Eclypsium said.

Researchers have already provided a proof of concept of how the WinRing0 driver shipped with the preinstalled HP TouchPoint Analytics software could be used for privilege escalation attacks and to achieve persistence by loading arbitrary unsigned dynamic link libraries into services running at the SYSTEM level.

Intel also released fixed firmware for the Baseboard Management Controller (BMC), a separate processor used for remote monitoring of servers and computers via separate channels.

Updating Intel's BMC firmware to version 2.18 or later fixes 14 vulnerabilties in 85 server and compute node products.

Several vulnerabilities are rated as high, allowing denial of service attacks, information disclosure and privilege escalation.

One, CVE-2019-11171 has a common vulnerabilties scoring system (CVSS) rating of 9.0 and is considered critical.

Intel said the flaw can be exploited to cause heap corruption in the BMC firmware, to allow information disclosure, privilege escalation and denial of service attacks by unauthenticated users over a network.

Updates are also available for other products such as Intel's Software Guard Extension (SGX) secure enclaves, the company's PROSet Wi-Fi software and the Nuvoton driver for the New Unit of Computing (NUC) device running Windows 8.