Intel releases patches for code execution vulnerabilities

Intel released a slew of patches last week, fixing a range of vulnerabilities that could allow attackers to execute their own code on affected devices.

The chip maker released several security advisories to address the risks. One group of patched vulnerabilities affects its Converged Security and Management Engine (CSME), Server Platform Services, Trusted Engine and Active Management Technology (AMT).

These are technologies that run at a very low level in the hardware stack, often underneath anti-malware software that might otherwise pick up suspicious activity. The bugs allow users to potentially escalate privileges, disclose information or cause a denial of service, Intel said.

There are 12 vulnerabilities in this group, including five marked with high severity.

Of these, only CVE-2018-12187 can be exploited remotely over a network. This is a high-severity denial of service bug relying on insufficient input validation in Intel’s Active Management Technology.

Two of the other high-severity bugs rely on local access, which is tied to read/write/execute capabilities. In practice, this means that the attacker has to be logged into the machine, or that the user must be persuaded to interact with a malicious file.

These bugs are CVE-2018-12190, which lets an attacker potentially execute arbitrary code via insufficient input validation in CSME, and CVE-2018-12200, which could allow privilege escalation via insufficient access control in the Intel Capability Licensing Service.

The other two high-severity bugs require physical access to the device. CVE-2018-12208 could allow an unauthenticated user to potentially execute arbitrary code via CSME, while CVE-2018-12185 carries a similar danger, via AMT.

You can read more about the meanings of the attack vectors used in CVE vulnerability listings.
