Potential security vulnerabilities in system firmware for Intel® NUC may allow escalation of privilege, denial of service and/or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.
CVEID: CVE-2019-11123
Description: Insufficient session validation in system firmware for Intel® NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2019-11124
Description: Out of bound read/write in system firmware for Intel® NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2019-11125
Description: Insufficient input validation in system firmware for Intel® NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2019-11126
Description: Pointer corruption in system firmware for Intel® NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2019-11127
Description: Buffer overflow in system firmware for Intel® NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2019-11128
Description: Insufficient input validation in system firmware for Intel® NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2019-11129
Description: Out of bound read/write in system firmware for Intel® NUC Kit may allow a privileged user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected Product | Updated Firmware
---|---
Intel® NUC Kit NUC8i3BEx, Intel® NUC Kit NUC8i5BEx, Intel® NUC Kit NUC8i7BEx |
Intel® Compute Card CD1P64GK, Intel® Compute Card CD1C64GK |
Intel® NUC Kit NUC8i3CYx |
Intel® NUC Kit NUC8i7HNK, Intel® NUC Kit NUC8i7HVK |
Intel® NUC Kit NUC7i7DNx |
Intel® NUC Kit NUC7i5DNx |
Intel® NUC Kit NUC7i3DNx |
Intel® Compute Stick STK2MV64CC |
Intel® Compute Stick STK2M3W64CC, Intel® Compute Stick STK2M364CC |
Intel® NUC Kit NUC6i7KYk |
Intel® NUC Kit NUC7PJY, Intel® NUC Kit NUC7CJY |
Intel® NUC Kit NUC6CAYx |
Intel® NUC Kit DE3815TYB (BIOS ID code TYBYT20H.86A) |
Intel® NUC Kit DE3815TYB (BIOS ID code TYBYT10H.86A) |
Intel® NUC Kit NUC5CPYH, Intel® NUC Kit NUC5PPYH, Intel® NUC Kit NUC5PGYH |
Intel® NUC Kit NUC5i7RYx, Intel® NUC Kit NUC5i3RYx, Intel® NUC Kit NUC5i5RYx |
Intel® NUC Kit NUC5i5MYx |
Intel® NUC Kit NUC5i3MYx |
Intel® NUC Kit DN2820FYKH |
Intel® Compute Stick STCK1A32WFC, Intel® Compute Stick STCK1A8LFC |
Intel® Compute Card CD1M3128MK |
Intel® Compute Card CD1IV128MK |
Intel® NUC Kit NUC7i3BNx, Intel® NUC Kit NUC7i5BNx, Intel® NUC Kit NUC7i7BNx |
Intel® NUC Kit NUC6i3SYx, Intel® NUC Kit NUC6i5SYx |
Intel® NUC Kit D54250WYx, Intel® NUC Kit D34010WYx |
Intel recommends that users update to the latest firmware version (see provided table).
Intel would like to thank Alexander Ermolov (CVE-2019-11123, CVE-2019-11124, CVE-2019-11125, CVE-2019-11129), Ruslan Zakirov (CVE-2019-11126, CVE-2019-11127) and Malyutin Maksim (CVE-2019-11128) for reporting these issues.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.