Intel has released a 25-strong collection of security advisories, including one for a critical vulnerability in its baseboard management controller (BMC) firmware.
Intel’s Integrated BMC and OpenBMC advisory covers five individual vulnerabilities including CVE-2021-39296, which Intel inherits from OpenBMC.
Crafted intelligent platform management interface (IPMI) messages allow an attacker to bypass authentication and obtain “full control of the system”.
Other BMC bugs include CVE-2022-35729, a denial-of-service via an out-of-bounds read in OpenBMC.
Among bugs rated as high risk, CVE-2022-25987 in Intel’s oneAPI toolkits offers network-based escalation of privilege for an unauthenticated attacker.
The bug is described as an “improper handling of Unicode encoding in source code to be compiled by the Intel C++ Compiler Classic before version 2021.6 for Intel oneAPI Toolkits before version 2022.2”.
Some Atom and Xeon scalable processors may be subject to attack from an adjacent network in CVE-2022-21216, because of “insufficient granularity of access control”.
The company’s System Usage Report software is subject to a number of vulnerabilities that allow escalation of privilege and denial of service.
Another vulnerability has been found in Intel’s now-deprecated Software Guard eXtensions (SGX), as CVE-2022-33196.
Some memory controller configurations have incorrect default permissions allowing privilege escalation, but only via local access to a privileged user.
The full list of vulnerability disclosures is here.