HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Patches Released to Address Critical Intel Firmware Vulnerabilities

Patches have been released to address several Intel firmware vulnerabilities that affect 6th, 7th and 8th Generation Intel Core processors, and Xeon, Atom, Apollo Lake, and Celeron processors.

While the patches have been released by Intel, it is likely to take days or weeks before they can be applied. Intel processors are used by a wide variety of PC and laptop manufacturers, which are now required to customize the patches to ensure they are compatible with their systems.

The patches were released late on Monday to fix vulnerabilities that could potentially be exploited by attackers to load and run arbitrary code outside the operating system, unbeknown to users.

If exploited, attackers could crash systems, cause system instability, or gain access to privileged system information. Millions of PCs and servers around the world have these vulnerabilities and require the patches to be applied. Most organizations around the world will have at least one device containing one of the Intel firmware vulnerabilities.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The vulnerabilities have been assigned eight CVEs, four affect Intel Manageability Engine Firmware (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712) two affect Server Platform Service 4.0.x.x (CVE-2017-5706, CVE-2017-5709), and two affect Intel Trusted Execution Engine 3.0.x.x (CVE-2017-5707. CVE-2017-5710). The ME, SPS, and ITE systems are embedded firmware that provide management and code integrity checks on intel powered hardware.

Four of the bugs were identified by security researchers at Positive Technologies, prompting Intel to conduct a full review, which revealed a further four Intel firmware vulnerabilities.

The good news is that in order for the vulnerabilities to be exploited, access to the device would be required. While insiders could run any code on the Management Engine by exploiting the vulnerabilities, it is possible that if other vulnerabilities exist, they could be leveraged by external actors to exploit the vulnerabilities without the need for a local user at a vulnerable device.

The flaws in the Management Engine (ME) are serious because ME is the basis for trust on a system. The ME performs checks on devices to ensure firmware hasn’t been updated or tampered with, so vulnerabilities in the Management Engine could be exploited to change the way the checks are performed.

For example, if a firmware update is attempted, the ME could report that the update has been applied, when it hasn’t. System administrators would believe that devices have been patched, when they remain vulnerable.

Further, since the ME is never switched off, unless power is totally cut to a device, even if the operating system is rebooted, the ME may remain compromised.

Unfortunately, there are no real workarounds other than applying the patches. Manufacturers are now working on customizing Intel’s patches, although since the vulnerabilities affect multiple processors, the process of customizing patches, testing them, and rolling them out could take several weeks.

Lenovo and Dell have already published lists with more than 100 affected systems, with the former expecting to roll out its patched by the end of the month.

Currently it is not believed that any of the vulnerabilities are being actively exploited, although that is almost certain to change over the coming weeks.

A tool has been released to check for the Intel firmware vulnerabilities detailed in security bulletin INTEL-SA-00086, which can be downloaded from the Intel website on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.