Intel ID: INTEL-SA-00264
Advisory Category: Firmware
Impact of vulnerability: Escalation of Privilege, Denial of Service, Information Disclosure
Severity rating: HIGH
Original release: 06/11/2019
Last revised: 06/11/2019

Summary:

Potential security vulnerabilities in system firmware for Intel® NUC may allow escalation of privilege, denial of service and/or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2019-11123
Description: Insufficient session validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-11124
Description: Out of bound read/write in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-11125
Description: Insufficient input validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-11126
Description: Pointer corruption in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-11127
Description: Buffer overflow in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-11128
Description: Insufficient input validation in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-11129
Description: Out of bound read/write in system firmware for Intel(R) NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Products:

Affected Product | Updated Firmware
Intel® NUC Kit NUC8i3BEx | BIOS version 0071 or later
Intel® NUC Kit NUC8i5BEx | BIOS version 0071 or later
Intel® NUC Kit NUC8i7BEx | BIOS version 0071 or later
Intel® Compute Card CD1P64GK | BIOS version 0050 or later
Intel® Compute Card CD1C64GK | BIOS version 0050 or later
Intel® NUC Kit NUC8i3CYx | BIOS version 0040 or later
Intel® NUC Kit NUC8i7HNK | BIOS version 0054 or later
Intel® NUC Kit NUC8i7HVK | BIOS version 0054 or later
Intel® NUC Kit NUC7i7DNx | BIOS version 0063 or later
Intel® NUC Kit NUC7i5DNx | BIOS version 0063 or later
Intel® NUC Kit NUC7i3DNx | BIOS version 0063 or later
Intel® Compute Stick STK2MV64CC | BIOS version 0060 or later
Intel® Compute Stick STK2M3W64CC | BIOS version 0060 or later
Intel® Compute Stick STK2M364CC | BIOS version 0060 or later
Intel® NUC Kit NUC6i7KYk | BIOS version 0062 or later
Intel® NUC Kit NUC7PJY | BIOS version 0049 or later
Intel® NUC Kit NUC7CJY | BIOS version 0049 or later
Intel® NUC Kit NUC6CAYx | BIOS version 0060 or later
Intel® NUC Kit DE3815TYB (BIOS ID code TYBYT20H.86A) | BIOS version 0020 or later
Intel® NUC Kit DE3815TYB (BIOS ID code TYBYT10H.86A) | BIOS version 0065 or later
Intel® NUC Kit NUC5CPYH | BIOS version 0076 or later
Intel® NUC Kit NUC5PPYH | BIOS version 0076 or later
Intel® NUC Kit NUC5PGYH | BIOS version 0076 or later
Intel® NUC Kit NUC5i7RYx | BIOS version 0379 or later
Intel® NUC Kit NUC5i3RYx | BIOS version 0379 or later
Intel® NUC Kit NUC5i5RYx | BIOS version 0379 or later
Intel® NUC Kit NUC5i5MYx | BIOS version 0051 or later
Intel® NUC Kit NUC5i3MYx | BIOS version 0054 or later
Intel® NUC Kit DN2820FYKH | BIOS version 0067 or later
Intel® Compute Stick STCK1A32WFC | BIOS version 0039 or later
Intel® Compute Stick STCK1A8LFC | BIOS version 0039 or later
Intel® Compute Card CD1M3128MK | BIOS version 0056 or later
Intel® Compute Card CD1IV128MK | BIOS version 0036 or later
Intel® NUC Kit NUC7i3BNx | BIOS version 0079 or later
Intel® NUC Kit NUC7i5BNx | BIOS version 0079 or later
Intel® NUC Kit NUC7i7BNx | BIOS version 0079 or later
Intel® NUC Kit NUC6i3SYx | BIOS version 0070 or later
Intel® NUC Kit NUC6i5SYx | BIOS version 0070 or later
Intel® NUC Kit D54250WYx | BIOS version 0051 or later
Intel® NUC Kit D34010WYx | BIOS version 0051 or later

Recommendations:

Intel recommends that users update to the latest firmware version (see provided table).

Acknowledgements:

Intel would like to thank Alexander Ermolov (CVE-2019-11123, CVE-2019-11124, CVE-2019-11125, CVE-2019-11129), Ruslan Zakirov (CVE-2019-11126, CVE-2019-11127), Malyutin Maksim (CVE-2019-11128) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

Revision History

Revision | Date | Description
1.0 | 06/11/2019 | Initial Release

Source: https://www.intel.com/content/www/us...-sa-00264.html