Multiple vulnerabilities in Intel NUC Firmware

1) Out-of-bounds write

EUVDB-ID: #VU23553

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14612

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the target system.

The vulnerability exists in firmware for Intel NUC due to a boundary error when processing untrusted input. A local user can trigger out-of-bounds write and enable escalation of privilege on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel NUC 8 Mainstream Game Kit: All versions

Intel NUC 8 Mainstream Game Mini Computer: All versions

Intel NUC Kit NUC8i7BEK: All versions

Intel Compute Card CD1P64GK: All versions

Intel NUC 8 Home - NUC8i3CYSM: All versions

Intel NUC Kit NUC8i7HNK: All versions

Intel NUC-Kit NUC7i7DNKE: All versions

Intel NUC-Kit NUC7i5DNKE: All versions

Intel NUC-Kit NUC7i3DNHE: All versions

Intel Compute Stick STK2mv64CC: All versions

Intel Compute Stick STK2m3W64CC: All versions

Intel NUC Kit NUC6i7KYK: All versions

Intel NUC Kit NUC6i5SYH: All versions

Intel NUC Kit NUC7CJYH: All versions

Intel Compute Card CD1M3128MK: All versions

Intel Compute Card CD1IV128MK: All versions

Intel NUC Kit NUC6CAYS: All versions

Intel NUC Board DE3815TYBE: All versions

Intel NUC Board D34010WYB: All versions

External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00323.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU23552

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14611

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the target system.

The vulnerability exists due to integer overflow in firmware for Intel NUC. A local user can trigger integer overflow and enable escalation of privilege on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel NUC 8 Mainstream Game Kit: All versions

Intel NUC 8 Mainstream Game Mini Computer: All versions

Intel NUC Kit NUC8i7BEK: All versions

Intel Compute Card CD1P64GK: All versions

Intel NUC 8 Home - NUC8i3CYSM: All versions

Intel NUC Kit NUC8i7HNK: All versions

Intel NUC-Kit NUC7i7DNKE: All versions

Intel NUC-Kit NUC7i5DNKE: All versions

Intel NUC-Kit NUC7i3DNHE: All versions

Intel Compute Stick STK2mv64CC: All versions

Intel Compute Stick STK2m3W64CC: All versions

Intel NUC Kit NUC6i7KYK: All versions

Intel NUC Kit NUC6i5SYH: All versions

Intel NUC Kit NUC7CJYH: All versions

Intel Compute Card CD1M3128MK: All versions

Intel Compute Card CD1IV128MK: All versions

Intel NUC Kit NUC6CAYS: All versions

Intel NUC Board DE3815TYBE: All versions

Intel NUC Board D34010WYB: All versions

External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00323.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU23551

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14609

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in firmware for Intel NUC. A local user can enable escalation of privilege on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel NUC 8 Mainstream Game Kit: All versions

Intel NUC 8 Mainstream Game Mini Computer: All versions

Intel NUC Kit NUC8i7BEK: All versions

Intel Compute Card CD1P64GK: All versions

Intel NUC 8 Home - NUC8i3CYSM: All versions

Intel NUC Kit NUC8i7HNK: All versions

Intel NUC-Kit NUC7i7DNKE: All versions

Intel NUC-Kit NUC7i5DNKE: All versions

Intel NUC-Kit NUC7i3DNHE: All versions

Intel Compute Stick STK2mv64CC: All versions

Intel Compute Stick STK2m3W64CC: All versions

Intel NUC Kit NUC6i7KYK: All versions

Intel NUC Kit NUC6i5SYH: All versions

Intel NUC Kit NUC7CJYH: All versions

Intel Compute Card CD1M3128MK: All versions

Intel Compute Card CD1IV128MK: All versions

Intel NUC Kit NUC6CAYS: All versions

Intel NUC Board DE3815TYBE: All versions

Intel NUC Board D34010WYB: All versions

External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00323.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper access control

EUVDB-ID: #VU23550

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14610

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the target system.

The vulnerability exists due to improper access restrictions in firmware for Intel NUC. A local user can bypass implemented security restrictions and enable escalation of privilege on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel NUC 8 Mainstream Game Kit: All versions

Intel NUC 8 Mainstream Game Mini Computer: All versions

Intel NUC Kit NUC8i7BEK: All versions

Intel Compute Card CD1P64GK: All versions

Intel NUC 8 Home - NUC8i3CYSM: All versions

Intel NUC Kit NUC8i7HNK: All versions

Intel NUC-Kit NUC7i7DNKE: All versions

Intel NUC-Kit NUC7i5DNKE: All versions

Intel NUC-Kit NUC7i3DNHE: All versions

Intel Compute Stick STK2mv64CC: All versions

Intel Compute Stick STK2m3W64CC: All versions

Intel NUC Kit NUC6i7KYK: All versions

Intel NUC Kit NUC6i5SYH: All versions

Intel NUC Kit NUC7CJYH: All versions

Intel Compute Card CD1M3128MK: All versions

Intel Compute Card CD1IV128MK: All versions

Intel NUC Kit NUC6CAYS: All versions

Intel NUC Board DE3815TYBE: All versions

Intel NUC Board D34010WYB: All versions

External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00323.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU23549

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-14608

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the target system.

The vulnerability exists due to a boundary error in firmware for Intel NUC. A local user can trigger memory corruption and enable escalation of privilege on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel NUC 8 Mainstream Game Kit: All versions

Intel NUC 8 Mainstream Game Mini Computer: All versions

Intel NUC Kit NUC8i7BEK: All versions

Intel Compute Card CD1P64GK: All versions

Intel NUC 8 Home - NUC8i3CYSM: All versions

Intel NUC Kit NUC8i7HNK: All versions

Intel NUC-Kit NUC7i7DNKE: All versions

Intel NUC-Kit NUC7i5DNKE: All versions

Intel NUC-Kit NUC7i3DNHE: All versions

Intel Compute Stick STK2mv64CC: All versions

Intel Compute Stick STK2m3W64CC: All versions

Intel NUC Kit NUC6i7KYK: All versions

Intel NUC Kit NUC6i5SYH: All versions

Intel NUC Kit NUC7CJYH: All versions

Intel Compute Card CD1M3128MK: All versions

Intel Compute Card CD1IV128MK: All versions

Intel NUC Kit NUC6CAYS: All versions

Intel NUC Board DE3815TYBE: All versions

Intel NUC Board D34010WYB: All versions

External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00323.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.