Intel® NUC® Firmware Advisory

Summary:

Potential security vulnerabilities in Intel® NUC® firmware may allow escalation of privilege.** **Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2019-14608

Description: Improper buffer restrictions in firmware for Intel® NUC® may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-14610

Description: Improper access control in firmware for Intel® NUC® may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.8 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-14609

Description: Improper input validation in firmware for Intel® NUC® may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-14611

Description: Integer overflow in firmware for Intel® NUC® may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2019-14612

Description: Out of bounds write in firmware for Intel® NUC® may allow a privileged user to potentially enable escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Products:

Affected Product

|

Updated Firmware

—|—

Intel® NUC 8 Mainstream Game Kit

|

NUC8i5INH__

Intel® NUC 8 Mainstream Game Mini Computer

|

NUC8i5INH__

Intel® NUC Kit NUC8i7BEK

|

NUC8i7BEK

Intel® Compute Card CD1P64GK

|

CD1P64GK__

Intel® NUC 8 Home - NUC8i3CYSM

|

NUC8i3CYSM__

Intel® NUC Kit NUC8i7HNK

|

NUC8i7HNK__

Intel® NUC-Kit NUC7i7DNKE

|

NUC7i7DNKE__

Intel® NUC-Kit NUC7i5DNKE

|

NUC7i5DNKE__

Intel® NUC-Kit NUC7i3DNHE

|

NUC7i3DNHE__

Intel® Compute Stick STK2mv64CC

|

STK2mv64CC__

Intel® Compute Stick STK2m3W64CC

|

STK2m3W64CC__

Intel® NUC Kit NUC6i7KYK

|

NUC6i7KYK__

Intel® NUC Kit NUC6i5SYH

|

NUC6i5SYH__

Intel® NUC Kit NUC7CJYH

|

NUC7CJYH__

Intel® Compute Card CD1M3128MK

|

CD1M3128MK__

Intel® Compute Card CD1IV128MK

|

CD1IV128MK__

Intel® NUC Kit NUC6CAYS

|

NUC6CAYS__

Intel® NUC Board DE3815TYBE

|

DE3815TYBE__

Intel® NUC Board D34010WYB

|

D34010WYB__

Recommendations:

Intel recommends that users update to the latest version (see provided table).

Acknowledgements:

Intel would like to thank Alexander Ermolov (CVE-2019-14608; CVE-2019-14609; CVE-2019-14610; CVE-2019-14612) and Dmitry Frolov (CVE-2019-14608; CVE-2019-14609; CVE-2019-14611) for reporting these issues and working with us on coordinated disclosure.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.