===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3733
                     Intel NUC M15 Laptop Kit Advisory
                              10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Intel NUC M15 Laptop Kit driver pack
Publisher:         Intel
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service    -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33095 CVE-2021-33094 CVE-2021-33093
                   CVE-2021-33092 CVE-2021-33091 CVE-2021-33088
                   CVE-2021-33087

Original Bulletin:
   https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00569.html

--------------------------BEGIN INCLUDED TEXT--------------------

Intel ID:                 INTEL-SA-00569
Advisory Category:        Software
Impact of vulnerability:  Escalation of Privilege, Denial of Service
Severity rating:          MEDIUM
Original release:         11/09/2021
Last revised:             11/09/2021

Summary:

Potential security vulnerabilities in the Intel NUC M15 Laptop Kit driver
pack may allow denial of service or escalation of privilege. Intel is
releasing software updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2021-33088
Description: Incorrect default permissions in the installer for the
Intel(R) NUC M15 Laptop Kit Integrated Sensor Hub driver pack before
version 5.4.1.4449 may allow an authenticated user to potentially enable
escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33091
Description: Insecure inherited permissions in the installer for the
Intel(R) NUC M15 Laptop Kit audio driver pack before version 1.3 may allow
an authenticated user to potentially enable escalation of privilege via
local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33092
Description: Incorrect default permissions in the installer for the
Intel(R) NUC M15 Laptop Kit HID Event Filter driver pack before version
2.2.1.383 may allow an authenticated user to potentially enable escalation
of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33093
Description: Insecure inherited permissions in the installer for the
Intel(R) NUC M15 Laptop Kit Serial IO driver pack before version
30.100.2104.1 may allow an authenticated user to potentially enable
escalation of privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33094
Description: Insecure inherited permissions in the installer for the
Intel(R) NUC M15 Laptop Kit Keyboard LED Service driver pack before version
1.0.0.4 may allow an authenticated user to potentially enable escalation of
privilege via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33095
Description: Unquoted search path in the installer for the Intel(R) NUC M15
Laptop Kit Keyboard LED Service driver pack before version 1.0.0.4 may
allow an authenticated user to potentially enable escalation of privilege
via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVEID: CVE-2021-33087
Description: Improper authentication in the installer for the Intel(R) NUC
M15 Laptop Kit Management Engine driver pack before version 15.0.10.1508
may allow an authenticated user to potentially enable denial of service via
local access.
CVSS Base Score: 6.4 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H

Affected Products:

Intel NUC M15 Laptop Kit - LAPBC510.
Intel NUC M15 Laptop Kit - LAPBC710.

Recommendations:

Intel recommends updating the Intel NUC M15 Laptop Kit driver pack to
version 1.1 or later.

Updates are available for download at this location:
https://downloadcenter.intel.com/download/30169/Driver-Pack-for-the-Intel-NUC-M15-Laptop-Kit?wapkw=Driver-Pack-for-Intel-NUC

Acknowledgements:

Intel would like to thank Sahnoun Oussama (CVE-2021-33087, CVE-2021-33088)
and Wael Guesmi (CVE-2021-33091, CVE-2021-33091, CVE-2021-33092,
CVE-2021-33093, CVE-2021-33094, CVE-2021-33095) for reporting these issues.

Intel, and nearly the entire technology industry, follows a disclosure
practice called Coordinated Disclosure, under which a cybersecurity
vulnerability is generally publicly disclosed only after mitigations are
available.

Revision History

Revision  Date        Description
1.0       11/09/2021  Initial Release

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================