Intel has warned of multiple serious vulnerabilities in its Security Engine products and urges users to apply the available fixes as soon as possible. The Intel Converged Security and Management Engine (CSME) is a chipset subsystem that provides support for Intel's Active Management Technology.
According to a security bulletin released on Tuesday, the CSME engine is affected by a firmware vulnerability that was discovered internally by the Intel security team. An attacker who exploited it could launch privilege escalation, denial of service, and information leakage attacks.
The first vulnerability is CVE-2019-14598, which has a CVSS base score of 8.2, and Intel considers the issue a very serious one. In response, Intel has released a firmware update to mitigate this vulnerability. The flaw affects CSME versions prior to 12.0.49, 13.0.21, and 14.0.11. Intel recommends updating to the CSME version provided by the system manufacturer, 12.0.49, 13.0.21, or 14.0.11 or higher, to address these issues.
Another update concerns a security issue in Intel RAID Web Console 2 (RWC2) and RAID Web Console 3 (RWC3) for Windows. This vulnerability is tracked as CVE-2020-0562, affects all versions of RWC2, and has a CVSS base score of 6.7. Locally authenticated users could exploit it to elevate their privileges; however, Intel will not patch the issue. Instead, Intel said the product will be discontinued and recommends that users upgrade to RWC3.
The last vulnerability has the same potential consequences and is tracked as CVE-2020-0564. It affects RWC3 versions prior to 7.010.009.000. The vulnerability is a medium-severity issue with a CVSS base score of 6.7 and could be exploited by unauthenticated users to enable privilege escalation through local access.
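A branch-aware version check for the CSME and RWC3 thresholds quoted above, as an added example that is not from Intel or the original article. The function names and the sample inventory are constructed, and CSME branches for which the article gives no fixed version are reported as unknown rather than guessed.

```python
# Added example: thresholds are the fixed versions quoted in the article.
# Function names and the sample inventory are constructed for illustration.

CSME_FIXED = {  # (major, minor) branch -> first fixed version (CVE-2019-14598)
    (12, 0): (12, 0, 49),
    (13, 0): (13, 0, 21),
    (14, 0): (14, 0, 11),
}
RWC3_FIXED = (7, 10, 9, 0)  # 7.010.009.000 (CVE-2020-0564)


def parse_version(text):
    """Turn '7.010.009.000' or '12.0.48.1500' into a tuple of ints."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def csme_status(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for a CSME firmware version."""
    v = parse_version(version)
    if len(v) < 3:
        raise ValueError("need at least major.minor.hotfix")
    fixed = CSME_FIXED.get(v[:2])
    if fixed is None:
        return "unknown"  # no threshold on the page for this branch
    # Compare numerically and within the branch: as strings, "13.0.5" sorts
    # after "13.0.21", and 13.0.5 is also "greater than" 12.0.49.
    return "fixed" if v[:3] >= fixed else "vulnerable"


def rwc3_status(version):
    """Return 'vulnerable' or 'fixed' for a RAID Web Console 3 version."""
    v = parse_version(version)
    v = v + (0,) * (4 - len(v))  # pad short versions with zeros
    return "fixed" if v[:4] >= RWC3_FIXED else "vulnerable"


def triage(inventory):
    """Map each host in a {host: csme_version} inventory to its status."""
    return {host: csme_status(ver) for host, ver in inventory.items()}


SAMPLE = {  # constructed inventory, not real hosts
    "host-a": "12.0.48.1500", "host-b": "13.0.5.1000",
    "host-c": "14.0.11.1200", "host-d": "11.8.70.3626",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, SAMPLE[host], status)
```

Hosts reported as unknown need the vendor advisory for their branch before being marked safe.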