Intel Released Security Patches to Address a Critical Vulnerability in AMT and ISM


Intel released security patches this week for Active Management Technology (AMT) and Intel Standard Manageability (ISM) to fix a critical vulnerability.

The bug, which Intel calls improper buffer restrictions in the network subsystem, may be exploited via network access by unauthorised users to escalate privileges in provisioned AMT and ISM versions before 11.8.79, 11.12.79, 11.22.79, 12.0.68, and 14.0.39.

Intel says that on unprovisioned systems, an authenticated user can exploit the vulnerability to escalate privileges via local access.

Tracked as CVE-2020-8758, the security flaw has a CVSS score of 9.8 on provisioned systems and 7.8 on unprovisioned systems.

Intel also states that AMT 3.x through 10.x firmware versions are no longer supported, and that they will not receive security updates to fix the problem.
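
A firmware inventory can be triaged against the versions quoted above. The following is an added example, not code from Intel or the original article; it assumes each listed version is the minimum fixed build for its own major.minor branch, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed versions quoted in the article for CVE-2020-8758, keyed by branch.
# Assumption of this example: each is the minimum fixed build of its branch.
FIXED = {
    (11, 8): (11, 8, 79),
    (11, 12): (11, 12, 79),
    (11, 22): (11, 22, 79),
    (12, 0): (12, 0, 68),
    (14, 0): (14, 0, 39),
}

def parse_version(text):
    """Return (major, minor, build) from '11.8.65' or '12.0.68.1606'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())

def classify(text):
    """Classify one AMT/ISM firmware version string."""
    major, minor, build = parse_version(text)
    if 3 <= major <= 10:
        return "unsupported"  # article: 3.x through 10.x get no fix
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "review"  # branch not listed in the article
    # Compare inside the branch and numerically: one global threshold would
    # pass 11.12.50, and string comparison would fail 11.8.100.
    return "patched" if (major, minor, build) >= fixed else "vulnerable"

def triage(inventory):
    """Group hosts by status; unparseable versions go to 'review'."""
    report = {}
    for host, version in inventory.items():
        try:
            status = classify(version)
        except ValueError:
            status = "review"
        report.setdefault(status, []).append(host)
    return report

if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported firmware version.
    sample = {"ws-01": "11.8.65", "ws-02": "11.12.50", "ws-03": "12.0.68.1606",
              "ws-04": "9.5.61", "ws-05": "14.0.33", "ws-06": "unknown"}
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in the "review" group need their version checked against the device manufacturer's advisory rather than this table.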

“Intel recommends that users of Intel AMT and Intel ISM upgrade to the device manufacturer’s latest version that fixes these issues,” the chip maker said.

The company also announced the availability of patches in the BIOS firmware for 8th, 9th and 10th generation Intel Core processors for a security flaw that could lead to privilege escalation, denial of service and/or information disclosure if an attacker has physical access to an affected device.

Tracked as CVE-2020-0570, the bug carries a CVSS score of 7.6. The advisory also addresses a medium-severity information disclosure vulnerability in BIOS firmware for 8th Gen Intel Core processors and Intel Pentium Silver chips (CVE-2020-0571).

Security patches for three other medium-risk bugs were published in the BIOS firmware for 8th, 9th, and 10th Gen Core and Celeron 4000/5000 series processors, which could lead to elevation of privilege or denial of service (CVE-2020-8672 and CVE-2019-14557), or disclosure of information (CVE-2020-8671).

The two low-severity flaws listed in the same advisory (CVE-2019-14558 and CVE-2019-14556) could lead to denial of service.

Intel also released a patch for a medium-severity bug (CVE-2020-12302) in Intel Driver & Support Assistant versions prior to 20.7.26.7, which could lead to privilege escalation through local access. Intel Driver & Support Assistant version 20.7.26.7 or later addresses the vulnerability.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.