Intel warns of critical security flaw in CSME engine, issues discontinued product notices

Intel has warned of a critical vulnerability in the CSME security engine and has urged users to apply a fix, now available, as quickly as possible. The Intel Converged Security and Management Engine (CSME) is a chipset subsystem that powers Intel's Active Management technologies.

According to a security advisory published on Tuesday, CSME is subject to a firmware vulnerability, found internally by Intel's security team, which, if exploited, allows local threat actors to launch escalation of privilege, denial of service, and information disclosure attacks. Tracked as CVE-2019-14598, the vulnerability has been awarded a CVSS base score of 8.2, which deems the issue critical -- the highest severity rating.

Intel has released a firmware update to mitigate the vulnerability, which impacts CSME versions before 12.0.49 (including IOT only: 12.0.56), 13.0.21, and 14.0.11.
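For fleet triage, the version thresholds above can be turned into a simple inventory check. The following Python is an added example, not code from Intel or from this article; it assumes firmware versions are reported as dotted strings (major.minor.hotfix[.build]) and that the inventory records whether a system runs the IoT firmware, and the host names and sample versions are constructed.

```python
# Added example: triage a firmware inventory against the fixed CSME versions
# named in the article. The version-string format and `iot` flag are assumptions.
FIXED = {(12, 0): (12, 0, 49), (13, 0): (13, 0, 21), (14, 0): (14, 0, 11)}
# IoT firmware on the 12.0 branch is fixed in 12.0.56 instead.
FIXED_IOT = {(12, 0): (12, 0, 56)}

def parse_version(text):
    """Return (major, minor, hotfix) from 'major.minor.hotfix[.build]'."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unrecognised CSME version: {text!r}")
    return tuple(int(p) for p in parts[:3])  # int() raises ValueError on junk

def csme_status(version, iot=False):
    """Classify one version as 'vulnerable', 'fixed' or 'unlisted'."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED:
        return "unlisted"  # branch not covered by the article's version list
    fixed = FIXED_IOT.get(branch, FIXED[branch]) if iot else FIXED[branch]
    return "fixed" if v >= fixed else "vulnerable"

def triage(inventory):
    """Map host -> status; unparseable versions are flagged, not dropped."""
    report = {}
    for host, version, iot in inventory:
        try:
            report[host] = csme_status(version, iot)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory: (host, reported CSME version, IoT firmware?)
SAMPLE = [
    ("ws-001", "12.0.45.1509", False),
    ("ws-002", "12.0.49.1534", False),
    ("kiosk-01", "12.0.55.1521", True),
    ("kiosk-02", "12.0.56.1530", True),
    ("lt-014", "13.0.20.1310", False),
    ("lt-015", "14.0.11.1205", False),
    ("srv-legacy", "11.8.70.3626", False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as "unlisted" or "unparseable" need a manual check against the vendor advisory rather than being treated as safe.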

"Intel recommends updating to CSME versions 12.0.49, 13.0.21, and 14.0.11 or later provided by the system manufacturer that addresses these issues," the tech giant says. "Intel recommends IOT customers using CSME version 12.0.55 to update to 12.0.56 or later provided by the system manufacturer that addresses these issues."

Another batch of updates targets security issues in Intel's RAID Web Console 2 (RWC2) and the RAID Web Console 3 (RWC3) for Windows.

The first vulnerability, CVE-2020-0562, impacts all versions of RWC2 and has been given a base score of 6.7, classifying the bug as of medium severity. Local, authenticated users can harness the flaw to escalate their privileges; however, Intel will not be patching the problem.

Instead, Intel says the product will be discontinued and recommends that users upgrade to RWC3 -- the subject of the next vulnerability in the security advisory. The second security flaw is the same kind of issue, with the same potential consequences. Tracked as CVE-2020-0564, the security flaw affects RWC3 before version 7.010.009.000.

Intel's Manycore Platform Software Stack (MPSS), before version 3.8.6, has also received a fix to resolve CVE-2020-0563, a medium-severity issue with a base score of 6.7. The vulnerability can be exploited by unauthenticated users to enable escalation of privilege via local access due to improper permissions handling.

A medium-severity security issue, CVE-2020-0560, has also been flagged by Intel -- but the company will not be issuing a patch. This bug affects the Intel Renesas Electronics USB 3.0 driver and permits privilege escalation on all versions. "[Intel] recommends that users of the Intel Renesas Electronics USB 3.0 driver uninstall it or discontinue use at their earliest convenience," the tech giant says.

Intel has also resolved a low-severity vulnerability in Intel Software Guard Extensions (SGX). Tracked as CVE-2020-0561, the improper initialization problem, issued a base score of 2.5, may allow authenticated users to escalate their privileges via local access.

This week, Microsoft also released its monthly batch of security fixes, and February's set resolved a total of 99 vulnerabilities, of which 11 were deemed critical. Software including Internet Explorer, the Edge browser, Microsoft Exchange Server, and Microsoft Office has been included in the update.

Adobe, too, resolved dozens of critical flaws in software including Acrobat and Reader, Flash, and Adobe Experience Manager.

In related news, earlier this month Microsoft released Intel updates for Windows 10 versions 1909 and 1903 to assist Intel in distributing firmware protected against speculative execution attacks. The chip updates attempt to fix the Zombieload attack, Fallout, an uncacheable memory issue, and load buffer security flaws.