Intel has disclosed a critical security flaw in its AI Model Compressor software that could allow hackers to execute arbitrary code on affected systems. This vulnerability, tracked as CVE-2024-22476, has been given the highest severity rating on the CVSS scale, with a score of 10. The flaw originates from improper input validation, allowing remote exploitation without the need for special privileges or user interaction. Users running versions prior to 2.5.0 are affected, and Intel has released an update to address this issue.
The AI Model Compressor is an open-source Python library used by companies to reduce the memory and computational costs of deploying AI models. It enhances inference performance and is particularly useful for deploying AI on devices with limited computational power. Despite the critical nature of this vulnerability, Intel has not specified the exact number of companies or users affected by the flaw. The issue underscores the importance of updating to the latest version of the software to ensure security.
In addition to CVE-2024-22476, Intel disclosed another vulnerability in the Neural Compressor software, tracked as CVE-2024-21792. This moderate-severity flaw is a time-of-check to time-of-use (TOCTOU) bug that could allow hackers access to unauthorized information but requires local, authenticated access to exploit. Both vulnerabilities highlight the risks associated with AI software and the need for vigilant security practices.
The disclosure also included five high-severity privilege escalation vulnerabilities in Intel’s UEFI firmware for server products. These bugs, tracked as CVE-2024-22382, CVE-2024-23487, CVE-2024-24981, CVE-2024-23980, and CVE-2024-22095, all stem from input validation flaws and have CVSS scores ranging from 7.2 to 7.5. Companies relying on Intel’s technology should take immediate action to apply the necessary updates and mitigate potential threats. Intel’s proactive approach in addressing these vulnerabilities is crucial for maintaining the security and integrity of their systems.
Reference: