IPAS: Security Advisories for April 2020

Hello,

Today, in addition to the 6 security advisories we are releasing, we want to call your attention to a new whitepaper we have just published addressing CVE-2019-0090, a vulnerability in the Intel® Converged Security Management Engine (CSME) that we first disclosed in May of last year.

You can read the whitepaper HERE.

CSME is an important part of overall system security and is an area where we continuously focus internal security research efforts to find and address issues proactively. For example, of the various CSME related vulnerabilities addressed in 2019, 87% were found by Intel, and the rest were submitted through our Bug Bounty program, meaning that all those vulnerabilities were found or disclosed as a result of Intel’s investment in security research.

CVE-2019-0090 was released as part of INTEL-SA-00213 in May 2019, and additional affected products were added to this CVE in February 2020. Following the latest update, external researchers posted information that generated questions from customers. The release of this whitepaper is intended to provide clarity around this issue and our mitigations. We are not aware of any real-world exploits of this issue.

Since the release of the security advisory, Intel’s guidance has remained the same:

  • Applying latest Intel® CSME firmware and BIOS updates on affected systems with end of manufacturing set by the system manufacturer should mitigate local attacks. Physical attack might still be possible if Intel CSME Hardware based Anti-Rollback (ARB) feature is not supported by the system manufacturer.
  • Physical ARB feature mitigates this kind of attack on newer Intel systems. It can be applied as part of a BIOS update for CSME 12 based platforms and newer, if such update is supported by system manufacturers.
  • Intel recommends that end users adopt best security practices by installing updates as soon as they become available and being continually vigilant to detect and prevent intrusions and exploitations.
  • For the latest update, you may refer to the security advisories published on https://www.intel.com/security. Intel® CSME latest firmware update may be obtained through your system manufacturer.

For a list of system manufacturer support sites, please visit: https://www.intel.com/content/www/us/en/support/topics/oems.html.

As mentioned, today we also released 6 security advisories listed in the table below. Please visit www.intel.com/security for details of these and previous advisories we have released.

Security Advisory ID Title Highest CVSS Score
INTEL-SA-00363 Intel® NUC Firmware Advisory 7.8
INTEL-SA-00351 Intel® Modular Server Compute Module Advisory 7.1
INTEL-SA-00327 Intel® Data Migration Software Advisory 6.7
INTEL-SA-00338 Intel® PROSet/Wireless® WiFi Software Advisory 6.7
INTEL-SA-00359 Intel® Binary Configuration Tool for Windows* Advisory 6.7
INTEL-SA-00344 Intel® Driver and Support Assistant Advisory 5.9

 

That’s all for April. Our next security advisory release will be Tuesday May 12, 2020.

Thanks,

Jerry Bryant
Director of Communications
Intel Product Assurance and Security