#VU23549 Buffer overflow in Intel Hardware solutions


Published: 2019-12-12

Vulnerability identifier: #VU23549

Vulnerability risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14608

CWE-ID: CWE-119

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Intel NUC 8 Mainstream Game Kit (Hardware solutions / Firmware)
Intel NUC 8 Mainstream Game Mini Computer (Hardware solutions / Firmware)
Intel NUC Kit NUC8i7BEK (Hardware solutions / Firmware)
Intel Compute Card CD1P64GK (Hardware solutions / Firmware)
Intel NUC 8 Home - NUC8i3CYSM (Hardware solutions / Firmware)
Intel NUC Kit NUC8i7HNK (Hardware solutions / Firmware)
Intel NUC-Kit NUC7i7DNKE (Hardware solutions / Firmware)
Intel NUC-Kit NUC7i5DNKE (Hardware solutions / Firmware)
Intel NUC-Kit NUC7i3DNHE (Hardware solutions / Firmware)
Intel Compute Stick STK2mv64CC (Hardware solutions / Firmware)
Intel Compute Stick STK2m3W64CC (Hardware solutions / Firmware)
Intel NUC Kit NUC6i7KYK (Hardware solutions / Firmware)
Intel NUC Kit NUC6i5SYH (Hardware solutions / Firmware)
Intel NUC Kit NUC7CJYH (Hardware solutions / Firmware)
Intel Compute Card CD1M3128MK (Hardware solutions / Firmware)
Intel Compute Card CD1IV128MK (Hardware solutions / Firmware)
Intel NUC Kit NUC6CAYS (Hardware solutions / Firmware)
Intel NUC Board DE3815TYBE (Hardware solutions / Firmware)
Intel NUC Board D34010WYB (Hardware solutions / Firmware)

Vendor: Intel

Description

The vulnerability allows a local user to escalate privileges on the target system.

The vulnerability exists due to a boundary error in firmware for Intel NUC. A local user can trigger memory corruption and enable escalation of privilege on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Intel NUC 8 Mainstream Game Kit: All versions

Intel NUC 8 Mainstream Game Mini Computer: All versions

Intel NUC Kit NUC8i7BEK: All versions

Intel Compute Card CD1P64GK: All versions

Intel NUC 8 Home - NUC8i3CYSM: All versions

Intel NUC Kit NUC8i7HNK: All versions

Intel NUC-Kit NUC7i7DNKE: All versions

Intel NUC-Kit NUC7i5DNKE: All versions

Intel NUC-Kit NUC7i3DNHE: All versions

Intel Compute Stick STK2mv64CC: All versions

Intel Compute Stick STK2m3W64CC: All versions

Intel NUC Kit NUC6i7KYK: All versions

Intel NUC Kit NUC6i5SYH: All versions

Intel NUC Kit NUC7CJYH: All versions

Intel Compute Card CD1M3128MK: All versions

Intel Compute Card CD1IV128MK: All versions

Intel NUC Kit NUC6CAYS: All versions

Intel NUC Board DE3815TYBE: All versions

Intel NUC Board D34010WYB: All versions


External links
http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00323.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

