According to penetration testing course from the International Institute of Cyber Security (IICS), Intel has launched update patches to correct two critical vulnerabilities in its Intel Media Software Development Kit (SDK), in addition of the Mini PC, Intel NUC.
The updates, launched last Tuesday, focus on four vulnerabilities present in the aforementioned products. According to the penetration testing course specialists, the most critical flaw is in the Intel Media SDK, and could allow a malicious hacker with authentication to get a privilege escalation.
Media SDK is a software development package that allows developers to work with media-acceleration features on Intel platforms, including photo and video processing. The vulnerability present in the Media SDK (tracked as CVE-2018-18094) received a 7.8/10 score on the Common Vulnerability Scoring System (CVSS) scale, making it a critical vulnerability.
The vulnerability exists because of incorrect directory permissions in the Media SDK installer, because it grants the authenticated user the ability to enable a privilege escalation by using local access. Intel recommends users to update the Cersión 2018 R 2.1 or later as soon as possible. The updates are available on the official platform of the company, mention the penetration testing course specialists.
Another critical vulnerability is present in Intel Next Unit of Computing (Intel NUC), a mini-PC kit with processing, storage and memory capabilities for applications such as digital signage, media centers, etc.
This vulnerability (CVE-2019-0163) has received a score of 7.5/10 in CVSS, so it qualifies as high severity. This error exists due to insufficient input validation of the NUC system firmware, which would enable you to perform various malicious actions such as privilege escalation, denial of service, and compromised system information leaking.
In addition to launching the fixes for these vulnerabilities, Intel also corrected an error that would allow for a scaling of privileges in the Linux Graphic Performance Analyzer, as well as an information leaking error on some microprocessor models.