Intel has found vulnerabilities in the firmware of its CPUs and has publicly shared the details. According to Intel, the CVSS severity scores of the 16 vulnerabilities range between 8.2 and 2.4. Thankfully, none of these vulnerabilities can be exploited remotely; the attacker needs physical access to the target machine.
From 6th gen to 11th gen
The flaws affect consumer-level Intel processors from the 6th to the 11th generation, sold as the Core family. They also affect some Xeon processors as well as the Atom C3 series. The full list of affected CPUs is below:
- 2nd Generation Intel Xeon Scalable Processor Family
- Intel Xeon Scalable Processor Family
- Intel Xeon Processor W Family
- Intel Xeon Processor E Family
- Intel Xeon Processor D Family
- 11th Generation Intel Core Processor Family
- 10th Generation Intel Core Processor Family
- 9th Generation Intel Core Processor Family
- 8th Generation Intel Core Processor Family
- 7th Generation Intel Core Processor Family
- 6th Generation Intel Core Processor Family
- Intel Core X-series Processor Family
- Intel Atom Processor C3XXX Family
The vulnerabilities allow attackers to escalate privileges, cause denial of service, and disclose information. The worst aspect of these vulnerabilities is that they sit at the BIOS level, which lets them bypass all security measures. Most security software runs on the operating system, and the BIOS starts before the OS, so that software is simply unable to detect attacks that use BIOS-level flaws. This is the second BIOS/UEFI security incident in a week.
These flaws will be fixed via BIOS updates, but it is hard to determine whether the updates are already available or when they will arrive. Intel has most likely already provided fixes to the relevant motherboard, laptop, and server manufacturers so they can patch their BIOS and push it out. But this kind of chained patching can take some time to reach the target devices.