Chipmaker Patch Tuesday: Intel, AMD Address Over 110 Vulnerabilities

Intel and AMD have each informed customers about dozens of vulnerabilities found and patched in their products. 

Intel has published 43 new advisories that cover a total of roughly 70 security holes. Nine advisories describe high-severity vulnerabilities.

The high-severity flaws impact products such as Intel Core Ultra and other processors, SMI Transfer Monitor (STM), Agilex FPGA firmware, the TDX system, NUC BIOS firmware, Ethernet Controllers and Adapters, UEFI Integrator Tools on Aptio V for Intel NUC, and Server Board S2600ST firmware.

Exploitation of these vulnerabilities can lead to privilege escalation, information disclosure, and denial-of-service (DoS) attacks.

Medium-severity vulnerabilities have been patched by Intel in hardware, software and technologies such as IPP, EMON, VTune Profiler, License Manager for FLEXlm, Quartus Prime Pro Edition, MAS, BMRA, CSME, PROSet, AMT, TDX, Xeon and Xeon Scalable, oneAPI Compiler, oneAPI Math Kernel Library, VROC, Distribution for GDB, OpenBMC, ISH, and HID Event Filter.

Vulnerabilities have also been resolved in Intel’s Data Center GPU Max Series, Unite, Connectivity Performance Suite, FPGA SDK for OpenCL, GPA, Ethernet Adapter Driver Pack, Flexlm License Daemons for FPGA, Advisor, CIP, High Level Synthesis Compiler, IPP Cryptography, MPI Library, Arc & Iris Xe, Simics Package Manager, and Trace Analyzer and Collector.

In a majority of cases, exploitation can lead to escalation of privileges, and a few of the security bugs can be leveraged for DoS attacks.

Many of the vulnerabilities were discovered internally by Intel employees. 

AMD published eight new advisories on Patch Tuesday to inform customers about 46 vulnerabilities. 

One advisory addresses research conducted by Iowa State University and Google on ‘SMaCK’, a new attack method that, similar to Spectre, can be used to obtain potentially sensitive information. However, AMD said it has not identified any novel vulnerabilities; instead, the research describes new methods for exploiting existing flaws.

Another advisory addresses research published in January, which focuses on exploiting uninitialized register accesses in modern GPUs. 

“AMD plans to create a new operating mode designed to prevent processes from running in parallel on the GPU, and to clear registers between processes on supported products. This mode would be designed to be set by an administrator and not enabled by default,” AMD said.

The chipmaker has informed customers about high-severity vulnerabilities that can lead to privilege escalation and arbitrary code execution in the μProf software profiling analysis tool, as well as in the AMD Secure Processor (ASP), Secure Encrypted Virtualization (SEV), and Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP) technologies.

Medium- and low-severity issues have been identified in graphics products and Zynq UltraScale+ MPSoCs. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
