-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0324
                      INTEL-SA-00280 - UEFI Advisory
                             13 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Intel Xeon Scalable Processor
                      Intel Xeon Processor
                      Intel Atom Processor
Impact/Access:        Increased Privileges     -- Existing Account
                      Denial of Service        -- Existing Account
                      Access Confidential Data -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11137 CVE-2019-11136 
Member content until: Friday, December 13 2019

OVERVIEW

        Intel has discovered vulnerabilities in the following products:
         o Intel Xeon Scalable Processor
         o Intel Xeon Processor
         o Intel Atom Processor [1]


IMPACT

        Intel has provided the following information regarding the 
        vulnerabilities:
        
        "Intel ID:                INTEL-SA-00280
        Advisory Category:        Firmware
        Impact of vulnerability : Escalation of Privilege
                                  Denial of Service
                                  Information Disclosure
        Severity rating :         HIGH
        Original release:         11/12/2019
        Last revised:             11/12/2019" [1]
        
        "CVEID: CVE-2019-11136
        Description: Insufficient access control in system firmware for 
        Intel(R) Xeon (R) Scalable Processors, 2nd Generation Intel(R) 
        Xeon(R) Scalable Processors and Intel(R) Xeon(R) Processors D Family
        may allow a privileged user to potentially enable escalation of 
        privilege, denial of service and/or information disclosure via local
        access.
        CVSS Base Score: 7.5 High
        CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
        
        CVEID: CVE-2019-11137
        Description: Insufficient input validation in system firmware for 
        Intel(R) Xeon (R) Scalable Processors, Intel(R) Xeon(R) Processors D
        Family, Intel(R) Xeon(R) Processors E5 v4 Family, Intel(R) Xeon(R) 
        Processors E7 v4 Family and Intel(R) Atom(R) processor C Series may
        allow a privileged user to potentially enable escalation of 
        privilege, denial of service and/or information disclosure via local
        access.
        CVSS Base Score: 7.5 High
        CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H" [1]


MITIGATION

        Intel recommends:
        
        "...that users of Intel products listed above update to the latest 
        version provided by the system manufacturer that addresses these 
        issues." [1]


REFERENCES

        [1] INTEL-SA-00280 - UEFI Advisory
            https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00280.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----