Chipmaker Patch Tuesday: Intel Publishes 44 and AMD Publishes 8 New Advisories

Intel and AMD have published November 2024 Patch Tuesday security advisories to inform customers about vulnerabilities found recently in their products.  

Intel has released 44 new advisories for over 80 vulnerabilities, including more than 20 high-severity issues.

The high-severity vulnerabilities impact products such as Server Board S2600ST and S2600BP, graphics drivers, Neural Compressor, Computing Improvement Program, Xeon and other processors, Alias Checking Trusted Module, Endpoint Management Assistant, Driver Support Assistant, and Extension for Transformers.

The exploitation of these security holes can lead to escalation of privileges, typically through local access.

Medium-severity vulnerabilities that can lead to privilege escalation or denial of service (DoS) have been found in SGX SDK, Quartus Prime, VTune Profiler, Server Debug and Provisioning Tool for Windows, QuickAssist Technology, Assistive Context-Aware Toolkit (ACAT), Graphics Driver installers, Fortran Compiler Classic, PROSet/Wireless WiFi, Killer Wi-Fi, Wireless Bluetooth, and Distribution for Python.

Medium-severity privilege escalation, information disclosure, and DoS issues have been addressed in Arc Pro Graphics, Memory and Storage Tool, Distribution of OpenVINO Model Server, oneAPI Math Kernel Library, Virtual RAID on CPU, JAM STAPL Player, High Level Synthesis Compiler, BigDL, Granulate, Rendering Toolkit, Integrated Performance Primitives, Binary Configuration Tool, Video Processing Library, Xeon processors, TDX Seamldr, Context Sensing Technology, oneAPI DPC++/C++ Compiler, Thunderbolt Share, Quartus Prime Pro Edition, and Advanced Link Analyzer.

Intel has released software and firmware patches for a majority of the vulnerabilities, but some of them will not be patched as they impact discontinued products. In some cases the company has released guidance to address potential vulnerabilities. 

AMD published eight new advisories on Tuesday. Four of them cover incorrect default permissions vulnerabilities in HIP SD, Cloud Manageability Service (ACMS), Ryzen Master Monitoring SDK and Ryzen Master Utility, and Provisioning Console, all discovered by a researcher who uses the online moniker ‘Pwni’.

Each product “inherits its permissions from the parent folder during the installation process” and “the Access Control List (ACL) permissions for the installation folder and its subfolders/files were found to not be appropriately configured, which could allow lower privileged users to escalate privileges, resulting in arbitrary code execution,” AMD wrote in each of its advisories for these flaws.

Similar vulnerabilities with a similar impact were found by AMD internally in the Management Plugin for the Microsoft System Center Configuration Manager (SCCM) and in Management Console Software.

All of these incorrect default permissions vulnerabilities have been assigned ‘high severity’ ratings. 

AMD also released an advisory for a cache-based side-channel attack against Secure Encrypted Virtualization (SEV) discovered by researchers at National Taiwan University. The vendor believes previous mitigation guidance for Spectre-type attacks is applicable to this attack as well.

In Ryzen AI software, Lenovo security researchers discovered four high- and medium-severity issues that can be exploited for arbitrary code execution or to cause a system crash. 

Earlier this month, AMD published an advisory to inform customers that Google security researchers have reported finding a new method for exploiting a previously disclosed vulnerability named Inception and tracked as CVE-2023-20569. The chip giant noted that existing guidance should protect users against the new version of the exploit. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
