Intel issued a critical firmware update that impacts several of its product families, and Cisco Talos dug into a pair of vulnerabilities affecting Power Software's PowerISO disk image management software.
In both cases, the flaws can lead to severe consequences if left uncorrected. The Intel problem can lead to escalation of privilege in Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability, while the PowerISO issue, if exploited, can let an attacker execute arbitrary code remotely.
Intel's advisory, INTEL-SA-00075, covers firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 of the previously mentioned products on first- through seventh-generation Intel Core processors. Intel has released a downloadable discovery tool that can check whether a system is vulnerable. The company has also issued a firmware update to correct the issue and is working with computer manufacturers to integrate the update into their software, changes that should be implemented by May 8, the company reported.
In a deeper dive into the problem, Intel noted that there are two ways the vulnerability can be exploited by a malicious actor.
· An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Management Technology and Intel Standard Manageability. CVSSv3 9.8 Critical /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
· An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel® Small Business Technology (SBT). CVSSv3 8.4 High /AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Cisco's analysis of the PowerISO flaws, CVE-2017-2817 and CVE-2017-2823, found that when a specially crafted ISO image is opened and parsed by the PowerISO software, it could lead to remote code execution. PowerISO is a Windows utility that enables users to create, edit, mount and convert various disk image file formats, and it is commonly used by consumers.
The first CVE refers to a stack buffer overflow in the ISO image parsing functionality of the software, while the second is a use-after-free vulnerability in the .ISO parsing functionality of PowerISO 6.8.
Cisco noted the problems arise because the ISO 9660 file format is quite old and therefore carries several restrictions, particularly on filename lengths, which have since been relaxed through extensions.
“A vulnerability in PowerISO software exists when parsing the alternative name (NM) System Use Entry. The structure of the alternative name contains a single byte length field which can be manipulated by the attacker to cause a stack buffer overflow that may allow remote code execution in the context of the PowerISO user.”
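The NM entry Cisco describes is a Rock Ridge System Use Entry whose one-byte length field is read straight from the image. As an added example (not Cisco's or PowerISO's code), the C parser below shows the two bounds checks a safe implementation needs before copying a name fragment: the declared length against the remaining System Use Area, and the resulting fragment against the destination buffer. The sample areas and the error codes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes returned by parse_nm_entries(). */
enum nm_status { NM_OK = 0, NM_ERR_TRUNCATED = -1, NM_ERR_TOO_LONG = -2, NM_ERR_BAD_LEN = -3 };
/* Walk a Rock Ridge System Use Area (sua, sua_len bytes) and append the name
 * fragment of every "NM" entry to out (capacity out_cap, terminator included).
 * Every System Use Entry starts with a 4-byte header: 2-byte signature, 1-byte
 * total length, 1-byte version; NM adds a 1-byte flags field, so the name is
 * (length - 5) bytes. The length byte comes from the image and is untrusted,
 * so it is checked against the remaining area AND the destination buffer. */
int parse_nm_entries(const uint8_t *sua, size_t sua_len, char *out, size_t out_cap)
{
    size_t pos = 0, name_len = 0;
    if (out_cap == 0) return NM_ERR_BAD_LEN;
    out[0] = '\0';
    while (pos + 4 <= sua_len) {
        uint8_t len = sua[pos + 2];
        if (sua[pos] == 0) break;                          /* zero padding ends the area */
        if (len < 4) return NM_ERR_BAD_LEN;                /* cannot even hold its header */
        if (len > sua_len - pos) return NM_ERR_TRUNCATED;  /* claims bytes the area lacks */
        if (sua[pos] == 'N' && sua[pos + 1] == 'M') {
            if (len < 5) return NM_ERR_BAD_LEN;            /* no room for the flags byte */
            size_t frag = len - 5;
            /* The check whose absence turns a bad length byte into a stack overflow. */
            if (frag > out_cap - 1 - name_len) return NM_ERR_TOO_LONG;
            memcpy(out + name_len, sua + pos + 5, frag);
            name_len += frag;
            out[name_len] = '\0';
        }
        pos += len;                                        /* advance by declared length */
    }
    return NM_OK;
}

/* Constructed sample areas (not from any real image): a PX entry followed by an
 * NM entry naming "hello", and an NM entry claiming 255 bytes with only 7 present. */
static const uint8_t sua_benign[]    = { 'P','X',4,1, 'N','M',10,1,0, 'h','e','l','l','o' };
static const uint8_t sua_oversized[] = { 'N','M',0xFF,1,0, 'a','b' };
int main(void)
{
    char name[16];
    int rc = parse_nm_entries(sua_benign, sizeof sua_benign, name, sizeof name);
    printf("benign: rc=%d name=%s\n", rc, name);                  /* rc=0 name=hello */
    rc = parse_nm_entries(sua_oversized, sizeof sua_oversized, name, sizeof name);
    printf("oversized: rc=%d\n", rc);                             /* rc=-1 (truncated) */
    return 0;
}
```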
Cisco said the following Snort rules will detect exploitation attempts: 42263-42272 (TALOS-2017-0318) and 42321, 42322 (TALOS-2017-0324).