Vulnerability Could Allow Enhanced Privileges to Unauthorized Users

SAM Vulnerability
Share It On:

25th November 2021, Kathmandu

Researchers at Positive Technologies recently found a vulnerability in Intel processors. The CVE-2021-0146 vulnerability empowers testing or investigating modes on various Intel processor lines. This could permit an unauthorized user with actual access to obtain enhanced privileges on the system.

The vulnerability affects the Pentium, Celeron, and Atom processors of the Apollo Lake, Gemini Lake, and Gemini Lake Refresh stages, utilized in cell phones, embedded systems, and IoT systems, like smart home appliances, vehicles, and clinical instruments.

The threat affects a wide range of ultra-portable netbooks and a huge base of Intel-based Internet of Things (IoT) systems, from home machines and smart home systems to vehicles and clinical instruments.

What are the vulnerability details?

The Intel site published the given vulnerability details:

CVEID: CVE-2021-0146

Description: Hardware permits activation of the test or debugs logic at runtime for some Intel(R) processors which might permit an unauthenticated user to possibly enable escalation of privilege through physical access.

CVSS Base Score: 7.1 High

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Positive Technologies specialists said, in exploiting this vulnerability cybercriminals can:

  • Extract the encryption key and get access to data on a laptop
  • Direct designated attacks across the supply chain

One illustration of a real threat is lost or stolen laptops that contain secret data in encoded form. Utilizing this vulnerability, an attacker can extract the encryption key and get close enough to the data in the laptop.

The bug can likewise be exploited in designated attacks across the supply chain.

For instance, a worker of an Intel processor-based device provider could extract the Intel CSME firmware key and send spyware that security software would not detect.

As recognized by Intel, the bug, which got a score of 7.1 on the CVSS 3.1 scale, was distinguished by Mark Ermolov, Dmitry Sklyarov (both from Positive Technologies), and Maxim Goryachy (an independent researcher).

Why and how did this occur?

CISO MAG connected with Mark Ermolov, Lead researcher of OS and Hardware Security at Positive Technologies, for his interpretation of the incident.

“Sellers accept that the actual access needed to work them puts such attacks out of extension in their security models.

Notwithstanding, actually current stages contain, notwithstanding the private information of clients, the privileged information of the actual maker (the supposed Assets) — while extricating these resources, the whole infrastructure can be put at risk, including the individual information of clients,” said Ermolov.

How should makers and clients respond?

In an authority official statement Positive Technology said: “To keep away from issues later on and forestall the conceivable bypassing of inherent insurance, makers ought to be more cautious in their way to deal with security infrastructure for investigate components.”

To fix the found vulnerability, clients ought to introduce the UEFI BIOS refreshes distributed by the end producers of the separate electronic devices.

“This is a firmware update, however lamentably Intel doesn’t clarify which subsystem the fix influences. This could be a processor microcode update, power the executive’s regulator firmware, Intel CSME firmware, or UEFI firmware.

We don’t know right now how precisely the mistake is fixed, however, we are persuaded that the blunder can’t be fixed at a central level, since it is installed in the devices. All things considered, Intel has made a fix that just keeps our Proof of Concept from working (which we shipped off them with bit by bit clarifications),” said Ermolov.

How has Intel reacted?

Intel is delivering firmware updates to moderate this possible vulnerability. On its page, Intel suggests that clients of impacted Intel processors update to the most recent adaptation given by the infrastructure maker that resolves these issues.

In the interim, PC producers utilizing these Intel processors have begun distributing firmware updates, and you should check the Drivers and Downloads segments on their sites.


Share It On:

Recent Posts

‘Ncell Woman ICON ICT Award 2024’ presented to Bandana Sharma

‘Ncell Woman ICON ICT Award 2024’ presented to Bandana Sharma

Share It On:26th December 2024, Kathmandu This year’s ‘Ncell Woman ICON ICT Award’ has been conferred on Bandana Sharma, recognizing

456 MW Nepal’s Upper Tamakoshi Resumes Power Generation After Landslide Damage

456 MW Nepal’s Upper Tamakoshi Resumes Power Generation After Landslide

Share It On:25th December 2024, Kathmandu The Upper Tamakoshi Hydroelectric Plant, Nepal’s largest with a 456-megawatt capacity, has resumed partial

Bajaj Platina Mileage Champion 2024: Dhangadhi Event Winners, Performance Highlights, and Fuel Efficiency Showcase

Bajaj Platina Mileage Champion 2024: Dhangadhi Event Winners, Performance Highlights,

Share It On: 25th December 2024, Kathmandu The ‘Bajaj Mileage Champion’ event took place in Dhangadhi, Kailali, where local riders

inDrive Partners with ICT Award 2024, Supports Innovation in Nepal’s Startup Ecosystem

inDrive Partners with ICT Award 2024, Supports Innovation in Nepal’s

Share It On:25th December 2024, kathmandu inDrive a global mobility and urban services platform, is proud to announce the winner of

Citizens Bank Easy Dental Partnership: Exclusive Discounts for Customers

Citizens Bank Easy Dental Partnership: Exclusive Discounts for Customers

Share It On: 25th December 2024, Kathmandu Citizens Bank International Ltd. has entered into a partnership with Easy Dental Pvt.

Bajaj Motorcycle Finance Fair 2024 in Nepal: Low Interest Rates & Easy Loan Approval

Bajaj Motorcycle Finance Fair 2024 in Nepal: Low Interest Rates

Share It On:25th December 2024, Kathmandu Hansraj Hulaschand & Company Pvt. Ltd., the official dealer of Bajaj Motorcycles in Nepal,