Intel has announced the identification of two high-severity vulnerabilities affecting a wide range of its processors. The vulnerabilities allow attackers to use malware to gain higher privileges on a user's device.
The problem was identified by the California-based startup SentinelOne. The vulnerabilities are tracked as CVE-2021-0157 and CVE-2021-0158 and are rated high severity (CVSS v3 8.2).
The first issue, CVE-2021-0157, is caused by flaws in BIOS control threads for some Intel processors. The second, CVE-2021-0158, stems from incorrect input validation in the BIOS. To exploit the vulnerabilities, attackers must have physical access to the device. However, BIOS passwords cannot provide effective protection.
Intel said in a statement that the following processor groups are affected:
• Intel Xeon E processor family;
• Intel Xeon E3 v6 processor family;
• Intel Xeon W processor family;
• 3rd Generation Intel Xeon Processors;
• Intel Core 11 Processors 4th generation;
• 10th generation Intel Core processors;
• 7th Gen Intel Core Processors;
• Intel Core X-series processors;
• Intel Celeron N-series processor;
• Line of Intel Pentium Silver processors.
Intel has not disclosed the technical details of the issues and recommends that customers update their BIOS regularly to fix the vulnerabilities. Meanwhile, motherboard manufacturers do not release BIOS updates very often.
Given that, for example, 7th Gen Intel Core processors were released five years ago, it is unlikely that manufacturers are still releasing BIOS security updates for them. As a result, some users will not be able to fix these vulnerabilities.
Intel has also issued an advisory regarding a third vulnerability, CVE-2021-0146, which is rated high severity (CVSS 7.2). This problem was identified by Positive Technologies and affects hardware solutions for cars; it can also give cybercriminals access to confidential information. The vulnerability affects cars in which Intel Atom E3900 processors are installed, including the Tesla Model 3. Intel announced that the new update has already fixed CVE-2021-0146.