Intel and AMD have each informed customers about dozens of vulnerabilities found and patched in their products.
Intel has published 43 new advisories that cover a total of roughly 70 security holes. Nine advisories describe high-severity vulnerabilities.
The high-severity flaws impact products such as Intel Core Ultra and other processors, SMI Transfer monitor (STM), Agilex FPGA firmware, the TDX system, NUC BIOS firmware, Ethernet Controllers and Adapters, UEFI Integrator Tools on Aptio V for Intel NUC, and Server Board S2600ST firmware.
Exploitation of these vulnerabilities can lead to privilege escalation, information disclosure, and denial-of-service (DoS) attacks.
Medium-severity vulnerabilities have been patched by Intel in hardware, software and technologies such as IPP, EMON, VTune Profiler, License Manager for FLEXlm, Quartus Prime Pro Edition, MAS, BMRA, CSME, PROSet, AMT, TDX, Xeon and Xeon Scalable, oneAPI Compiler, oneAPI Math Kernel Library, VROC, Distribution for GDB, OpenBMC, ISH, and HID Event Filter.
Vulnerabilities have also been resolved in Intel’s Data Center GPU Max Series, Unite, Connectivity Performance Suite, FPGA SDK for OpenCL, GPA, Ethernet Adapter Driver Pack, Flexlm License Daemons for FPGA, Advisor, CIP, High Level Synthesis Compiler, IPP Cryptography, MPI Library, Arc & Iris Xe, Simics Package Manager, and Trace Analyzer and Collector.
Exploitation can in a majority of cases lead to escalation of privileges, and a few security bugs can be leveraged for DoS attacks.
Many of the vulnerabilities were discovered internally by Intel employees.
AMD published eight new advisories on Patch Tuesday to inform customers about 46 vulnerabilities.
One advisory addresses research conducted by Iowa State University and Google on ‘SMaCK’, a new attack method that can be used, similar to Spectre, to obtain potentially sensitive information. However, AMD said it has not identified any novel vulnerabilities and instead the research describes new methods for exploiting existing flaws.
Another advisory addresses research published in January, which focuses on exploiting uninitialized register accesses in modern GPUs.
“AMD plans to create a new operating mode designed to prevent processes from running in parallel on the GPU, and to clear registers between processes on supported products. This mode would be designed to be set by an administrator and not enabled by default,” AMD said.
The chipmaker has informed customers about high-severity vulnerabilities that can lead to privilege escalation and arbitrary code execution in the μProf software profiling analysis tool, and AMD Secure Processor (ASP), Secure Encrypted Virtualization (SEV), and Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP) technologies.
Medium- and low-severity issues have been identified in graphics products and Zynq UltraScale+ MPSoCs.
Related: Chipmaker Patch Tuesday: Intel, AMD Address New Microarchitectural Vulnerabilities
Related: Chipmaker Patch Tuesday: Intel, AMD Address Over 130 Vulnerabilities
