According to penetration testing course from the International Institute of Cyber Security (IICS), Intel has launched update patches to correct two critical vulnerabilities in its Intel Media Software Development Kit (SDK), in addition of the Mini PC, Intel NUC.
The updates, launched last Tuesday, focus on
four vulnerabilities present in the aforementioned products. According to the
penetration testing course specialists, the most critical flaw is in the Intel
Media SDK, and could allow a malicious hacker with authentication to get a
privilege escalation.
Media SDK is a software development package
that allows developers to work with media-acceleration features on Intel
platforms, including photo and video processing. The vulnerability present in
the Media SDK (tracked as CVE-2018-18094) received a 7.8/10 score on the Common
Vulnerability Scoring System (CVSS) scale, making it a critical vulnerability.
The vulnerability exists because of incorrect
directory permissions in the Media SDK installer, because it grants the
authenticated user the ability to enable a privilege escalation by using local
access. Intel recommends users to update the Cersión 2018 R 2.1 or later as
soon as possible. The updates are available on the official platform of the company,
mention the penetration testing course specialists.
Another critical vulnerability is present in
Intel Next Unit of Computing (Intel NUC), a mini-PC kit with processing,
storage and memory capabilities for applications such as digital signage, media
centers, etc.
This vulnerability (CVE-2019-0163) has received
a score of 7.5/10 in CVSS, so it qualifies as high severity. This error exists
due to insufficient input validation of the NUC system firmware, which would
enable you to perform various malicious actions such as privilege escalation, denial
of service, and compromised system information leaking.
In addition to launching the fixes for these
vulnerabilities, Intel also corrected an error that would allow for a scaling
of privileges in the Linux Graphic Performance Analyzer, as well as an
information leaking error on some microprocessor models.
