Intel® NUC Firmware Security Advisory

Summary:

A potential security vulnerability in system firmware for Intel® NUC may allow escalation of privilege.** **Intel is releasing firmware updates to mitigate this potential vulnerability.

Vulnerability Details:

CVEID: CVE-2017-3718

Description: Improper setting of device configuration in system firmware for Intel® NUC kits may allow a privileged user to potentially enable escalation of privilege via physical access.

CVSS Base Score: 6.9 Medium

CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Products:

· Intel® NUC Kit NUC7CJYH

· Intel® NUC Kit NUC8i7HNK

· Intel® Compute Card CD1M3128MK

· Intel® Compute Card CD1IV128MK

· Intel® Compute Card CD1P64GK

· Intel® NUC Kit NUC7i7DNKE

· Intel® NUC Kit NUC7i5DNKE

· Intel® NUC Kit NUC7i3DNHE

· Intel® NUC Kit NUC7i7BNH

· Intel® NUC Kit NUC6CAYS

· Intel® NUC Kit DE3815TYBE

· Intel® NUC Kit NUC6i5SYH

· Intel® NUC Kit NUC6i7KYK

· Intel® NUC Kit NUC5PGYH

· Intel® NUC Kit NUC5CPYH

· Intel® NUC Kit NUC5i7RYH

· Intel® NUC Kit NUC5i5MYHE

· Intel® NUC Kit NUC5i3MYHE

· Intel® NUC Kit DE3815TYBE

· Intel® NUC Kit DN2820FYKH

· Intel® NUC Kit D54250WYB

· Intel® NUC Kit D53427RKE

· Intel® NUC Kit D33217GKE

· Intel® Compute Stick STK2mv64CC

· Intel® Compute Stick STK2m3W64CC

· Intel® Compute Stick STK1AW32SC

· Intel® Compute Stick STCK1A32WFC

Recommendations:

Intel recommends that users update to the latest version (see provided table).

Product

|

Download link
(BIOS dl link)

—|—

Intel® NUC Kit NUC7CJYH

|

NUC7CJYH****

Intel® NUC Kit NUC8i7HNK

|

NUC8i7HNK****

Intel® Compute Card CD1M3128MK

|

CD1M3128MK****

Intel® Compute Card CD1IV128MK

|

CD1IV128MK****

Intel® Compute Card CD1P64GK

|

CD1P64GK****

Intel® NUC Kit NUC7i7DNKE

|

NUC7i7DNKE****

Intel® NUC Kit NUC7i5DNKE

|

NUC7i5DNKE****

Intel® NUC Kit NUC7i3DNHE

|

NUC7i3DNHE****

Intel® NUC Kit NUC7i7BNH

|

NUC7i7BNH****

Intel® NUC Kit NUC6CAYS

|

NUC6CAYS****

Intel® NUC Kit DE3815TYBE

|

DE3815TYBE****

Intel® NUC Kit NUC6i5SYH

|

NUC6i5SYH****

Intel® NUC Kit NUC6i7KYK

|

NUC6i7KYK****

Intel® NUC Kit NUC5PGYH

|

NUC5PGYH****

Intel® NUC Kit NUC5CPYH

|

NUC5CPYH_ _****

Intel® NUC Kit NUC5i7RYH

|

NUC5i7RYH****

Intel® NUC Kit NUC5i5MYHE

|

NUC5i5MYHE****

Intel® NUC Kit NUC5i3MYHE

|

NUC5i3MYHE****

Intel® NUC Kit DE3815TYBE

|

DE3815TYBE****

Intel® NUC Kit DN2820FYKH

|

DN2820FYKH****

Intel® NUC Kit D54250WYB

|

D54250WYB****

Intel® NUC Kit D53427RKE

|

D53427RKE ****

Intel® NUC Kit D33217GKE

|

D33217GKE****

Intel® Compute Stick STK2mv64CC

|

STK2mv64CC****

Intel® Compute Stick STK2m3W64CC

|

STK2m3W64CC****

Intel® Compute Stick STK1AW32SC

|

STK1AW32SC****

Intel® Compute Stick STCK1A32WFC

|

STCK1A32WFC****

Acknowledgements:

Intel would like to thank Dmytro Oleksiuk for reporting this issue and working with us on coordinated disclosure.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed.