===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3733
                     Intel NUC M15 Laptop Kit Advisory
                             10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel NUC M15 Laptop Kit driver pack
Publisher:         Intel
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33095 CVE-2021-33094 CVE-2021-33093
                   CVE-2021-33092 CVE-2021-33091 CVE-2021-33088
                   CVE-2021-33087  

Original Bulletin: 
   https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00569.html

--------------------------BEGIN INCLUDED TEXT--------------------

Intel ID:                 INTEL-SA-00569
Advisory Category:        Software
Impact of vulnerability : Escalation of Privilege, Denial of Service
Severity rating :         MEDIUM
Original release:         11/09/2021
Last revised:             11/09/2021

Summary:

Potential security vulnerabilities in the Intel NUC M15 Laptop Kit driver pack
may allow denial of service or escalation of privilege. Intel is releasing
software updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2021-33088

Description: Incorrect default permissions in the installer for the Intel(R)
NUC M15 Laptop Kit Integrated Sensor Hub driver pack before version 5.4.1.4449
may allow an authenticated user to potentially enable escalation of privilege
via local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33091

Description: Insecure inherited permissions in the installer for the Intel(R)
NUC M15 Laptop Kit audio driver pack before version 1.3 may allow an
authenticated user to potentially enable escalation of privilege via local
access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33092

Description: Incorrect default permissions in the installer for the Intel(R)
NUC M15 Laptop Kit HID Event Filter driver pack before version 2.2.1.383 may
allow an authenticated user to potentially enable escalation of privilege via
local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33093

Description: Insecure inherited permissions in the installer for the Intel(R)
NUC M15 Laptop Kit Serial IO driver pack before version 30.100.2104.1 may allow
an authenticated user to potentially enable escalation of privilege via local
access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33094

Description: Insecure inherited permissions in the installer for the Intel(R)
NUC M15 Laptop Kit Keyboard LED Service driver pack before version 1.0.0.4 may
allow an authenticated user to potentially enable escalation of privilege via
local access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33095

Description: Unquoted search path in the installer for the Intel(R) NUC M15
Laptop Kit Keyboard LED Service driver pack before version 1.0.0.4 may allow an
authenticated user to potentially enable escalation of privilege via local
access.

CVSS Base Score: 6.7 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33087

Description: Improper authentication in the installer for the Intel(R) NUC M15
Laptop Kit Management Engine driver pack before version 15.0.10.1508 may allow
an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.4 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H

Affected Products:

Intel NUC M15 Laptop Kit - LAPBC510.

Intel NUC M15 Laptop Kit - LAPBC710.

Recommendations:

Intel recommends updating the Intel NUC M15 Laptop Kit driver pack to version
1.1 or later.

Updates are available for download at this location:

https://downloadcenter.intel.com/download/30169/Driver-Pack-for-the-Intel-NUC-M15-Laptop-Kit?wapkw=Driver-Pack-for-Intel-NUC

Acknowledgements:

Intel would like to thank Sahnoun Oussama (CVE-2021-33087, CVE-2021-33088) and
Wael Guesmi (CVE-2021-33091, CVE-2021-33091, CVE-2021-33092, CVE-2021-33093,
CVE-2021-33094, CVE-2021-33095) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure practice
called Coordinated Disclosure, under which a cybersecurity vulnerability is
generally publicly disclosed only after mitigations are available.

Revision History

Revision    Date        Description
1.0         11/09/2021  Initial Release

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================