It’s the second Tuesday in November and today we are releasing 40 security advisories. If this seems like a large number of advisories for Intel to be releasing, you’re right. However, there are two primary reasons for this. First, as I mentioned in August, we are aligning public disclosures, as much as possible, to specific timeframes to help with the industry wide resource constraints introduced by the COVID-19 pandemic. Second, the advisories for this month are part of the Intel Platform Update (IPU) we first discussed a year ago.
“Through the IPU, which we coordinate two to three times each year, we combine the delivery of security and functional updates with the goal of enhancing our ecosystem partners’ ability to validate and release updates for their products on a timely and predictable cadence. This requires a great deal of cross-industry collaboration as we work with almost 300 organizations to prepare and coordinate the release of these updates.”
In total, we are addressing 95 vulnerabilities today. 58 of those, or 61%, were found internally through our own proactive security research, including two side-channel issues (INTEL-SA-00381). Of the remaining CVEs being addressed, 28, or 29%, were reported through our bug bounty program. Overall, 90% of the issues being addressed today are the result of our ongoing investments in this space which is consistent with our 2019 Product Security Report.
At Intel, transparency is part of our security first pledge and its also a topic of the recent IDC paper titled, “Silicon as Code, the Cybersecurity Vulnerability Paradox, and the Transparency Requirements for a 21st Century Processor Vendor”. We assign CVE IDs and publish advisories for internally found vulnerabilities and the feedback from our customers clearly demonstrates that this transparency is critical to overall supply chain management, particularly, the Compute Lifecycle Assurance work Intel is spearheading across the industry.
Tune into this Dark Reading interview with Intel’s Tom Garrison for more insight on Compute Lifecycle Assurance.
For complete details on today’s advisories, please visit the Intel Product Security Center. Below are additional details for some of the issues addressed:
The Intel® Converged Security and Management Engine (CSME) is a hardware-based manageability and security controller isolated from the CPU and is the system’s root of trust for Intel components. As such, we are committed to continuous hardening of CSME and implementing various defense-in-depth mechanisms to help prevent abuse and attacks. Of the 22 issues addressed in this advisory, 17, including the CVSS 9.4 (critical) vulnerability, were found internally by Intel. The critical vulnerability, CVE-2020-8752, requires Intel AMT to be configured with IPv6 which is not the default configuration nor are we aware of any customers using this configuration.
To provide more insight to customers, today we have released a new whitepaper describing the security design and implementation of CSME 14.0 (Comet Lake) and CSME 15.0 (Tiger Lake), and its role in the platform.
INTEL-SA-0389 provides details and mitigation guidance to protect against potential information leakage from the Running Average Power Limit (RAPL) Interface, which is functionality provided by most modern processors including Intel processors. Intel worked closely with researchers, who refer to this as “PLATYPUS”, throughout the mitigation development and validation process. Please reference the security advisory and our public whitepaper for more information.
This advisory addresses two externally reported vulnerabilities affecting some Intel Wireless Bluethooth products. One of the issues, carrying a CVSS score of 9.6 (critical), may allow unauthenticated escalation of privilege via adjacent access (Local Area Network only). Intel coordinated today’s disclosure across the ecosystem to help ensure Original Equipment Manufacturers (OEMs) have updates available for end customers.
At this time, we are not aware of any of these issues being used in actual attacks. We encourage customers to check for updates with their system manufacturers or, where applicable, download directly from Intel. Please review today’s advisories for more information.
Sr. Director of Communications
Intel Product Assurance and Security