Many years after the Spectre and Meltdown vulnerabilities on its CPUs, Intel is once again facing some vulnerability issues on a variety of its products. Furthermore, some of the disclosed vulnerabilities are based on Spectre and Meltdown vulnerability families. It is quite interesting seeing them around after 4 years.
Self-fix for speculative execution bugs
One of the vulnerabilities on Intel products, which can be tracked as CVE-2021-33149, allows information disclosure and has a severity score of 2.5. This vulnerability is related to Spectre and Meltdown families. Since it requires an authorized user to access the hardware locally, its severity score is low. To fix this issue, Intel recommends adding an LFENCE instruction after loads that should observe writes from another thread to the same shared memory address.
CVE-2021-0154, CVE-2021-0153, CVE-2021-33123, and CVE-2021-0190 all have a severity score of 8.2. The first two vulnerabilities allow escalation of privileges for the users who already have privileges. The latter two causes improper access control and uncaught exceptions in the BIOS firmware, respectively.
CVE-2021-33122 causes insufficient control flow management, CVE-2021-0189 out-of-range pointer offset, CVE-2021-33124 unintended intermediary, and CVE-2021-0159 improper input validation in BIOS firmware. Those vulnerabilities have CVSS scores between 7.4 and 7.9.
Optane SSDs are affected as well
Aside from CPUs and BIOS firmware, Intel’s SSD products are also affected by some vulnerabilities. CVE-2021-33078 affects Intel’s SSD products (Optane SSD and Optane SSD Data Center) with a severity score of 7.9, allowing privileged users denial-of-service due to a race-condition bug. CVE-2021-33077 allows escalation of privileges for the unprivileged users who have physical access, and CVE-2021-33080 allows disclosure of sensitive information alongside the escalation of privileges. Those two have both have a severity score of 7.3.
There are also bugs affecting NUC devices as well, which have 7.5 severity scores. The systems with Intel hardware and software (Extreme Tuning Utility and Advisor) should be patched immediately when the fixes arrive. So, it is better to keep an eye on the updates.