A potential security vulnerability in system firmware for Intel® NUC may allow escalation of privilege. Intel is releasing firmware updates to mitigate this potential vulnerability.
CVEID: CVE-2017-3718
Description: Improper setting of device configuration in system firmware for Intel® NUC kits may allow a privileged user to potentially enable escalation of privilege via physical access.
CVSS Base Score: 6.9 Medium
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
· Intel® NUC Kit NUC7CJYH
· Intel® NUC Kit NUC8i7HNK
· Intel® Compute Card CD1M3128MK
· Intel® Compute Card CD1IV128MK
· Intel® Compute Card CD1P64GK
· Intel® NUC Kit NUC7i7DNKE
· Intel® NUC Kit NUC7i5DNKE
· Intel® NUC Kit NUC7i3DNHE
· Intel® NUC Kit NUC7i7BNH
· Intel® NUC Kit NUC6CAYS
· Intel® NUC Kit DE3815TYBE
· Intel® NUC Kit NUC6i5SYH
· Intel® NUC Kit NUC6i7KYK
· Intel® NUC Kit NUC5PGYH
· Intel® NUC Kit NUC5CPYH
· Intel® NUC Kit NUC5i7RYH
· Intel® NUC Kit NUC5i5MYHE
· Intel® NUC Kit NUC5i3MYHE
· Intel® NUC Kit DE3815TYBE
· Intel® NUC Kit DN2820FYKH
· Intel® NUC Kit D54250WYB
· Intel® NUC Kit D53427RKE
· Intel® NUC Kit D33217GKE
· Intel® Compute Stick STK2mv64CC
· Intel® Compute Stick STK2m3W64CC
· Intel® Compute Stick STK1AW32SC
· Intel® Compute Stick STCK1A32WFC
Intel recommends that users update to the latest version (see provided table).
Product | Download link (BIOS dl link)
---|---
Intel® NUC Kit NUC7CJYH | NUC7CJYH
Intel® NUC Kit NUC8i7HNK | NUC8i7HNK
Intel® Compute Card CD1M3128MK | CD1M3128MK
Intel® Compute Card CD1IV128MK | CD1IV128MK
Intel® Compute Card CD1P64GK | CD1P64GK
Intel® NUC Kit NUC7i7DNKE | NUC7i7DNKE
Intel® NUC Kit NUC7i5DNKE | NUC7i5DNKE
Intel® NUC Kit NUC7i3DNHE | NUC7i3DNHE
Intel® NUC Kit NUC7i7BNH | NUC7i7BNH
Intel® NUC Kit NUC6CAYS | NUC6CAYS
Intel® NUC Kit DE3815TYBE | DE3815TYBE
Intel® NUC Kit NUC6i5SYH | NUC6i5SYH
Intel® NUC Kit NUC6i7KYK | NUC6i7KYK
Intel® NUC Kit NUC5PGYH | NUC5PGYH
Intel® NUC Kit NUC5CPYH | NUC5CPYH
Intel® NUC Kit NUC5i7RYH | NUC5i7RYH
Intel® NUC Kit NUC5i5MYHE | NUC5i5MYHE
Intel® NUC Kit NUC5i3MYHE | NUC5i3MYHE
Intel® NUC Kit DE3815TYBE | DE3815TYBE
Intel® NUC Kit DN2820FYKH | DN2820FYKH
Intel® NUC Kit D54250WYB | D54250WYB
Intel® NUC Kit D53427RKE | D53427RKE
Intel® NUC Kit D33217GKE | D33217GKE
Intel® Compute Stick STK2mv64CC | STK2mv64CC
Intel® Compute Stick STK2m3W64CC | STK2m3W64CC
Intel® Compute Stick STK1AW32SC | STK1AW32SC
Intel® Compute Stick STCK1A32WFC | STCK1A32WFC
Intel would like to thank Dmytro Oleksiuk for reporting this issue and working with us on coordinated disclosure.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed.