Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.1991.2 2020.1 IPU - Intel® CSME, SPS, TXE, AMT, ISM and DAL Advisory 19 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Intel CSME Intel SPS Intel TXT Intel AMT Intel ISM Intel DAL Publisher: Intel Operating System: Windows UNIX variants (UNIX, Linux, OSX) Virtualisation Network Appliance Impact/Access: Increased Privileges -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-8674 CVE-2020-0597 CVE-2020-0596 CVE-2020-0595 CVE-2020-0594 CVE-2020-0586 CVE-2020-0566 CVE-2020-0545 CVE-2020-0542 CVE-2020-0541 CVE-2020-0540 CVE-2020-0539 CVE-2020-0538 CVE-2020-0537 CVE-2020-0536 CVE-2020-0535 CVE-2020-0534 CVE-2020-0533 CVE-2020-0532 CVE-2020-0531 Original Bulletin: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00295.html Revision History: June 19 2020: Vendor updated advisory with CVE ID mapping details June 10 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Intel ID: INTEL-SA-00295 Advisory Category: Firmware, Software Impact of vulnerability: Escalation of Privilege, Denial of Service, Information Disclosure Severity rating : CRITICAL Original release: 06/09/2020 Last revised: 06/18/2020 Summary: Potential security vulnerabilities in Intel Converged Security and Manageability Engine (CSME), Intel Server Platform Services (SPS), Intel Trusted Execution Engine (TXE), Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Dynamic Application Loader (DAL) may allow escalation of privilege, denial of service or information disclosure. Intel is releasing firmware and software updates to mitigate these potential vulnerabilities. Vulnerability Details: CVEID: CVE-2020-0594 Description: Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable escalation of privilege via network access. CVSS Base Score: 9.8 Critical CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVEID: CVE-2020-0595 Description: Use after free in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable escalation of privilege via network access. CVSS Base Score: 9.8 Critical CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVEID: CVE-2020-0586 Description: Improper initialization in subsystem for Intel(R) SPS versions before SPS_E3_04.01.04.109.0 and SPS_E3_04.08.04.070.0 may allow an authenticated user to potentially enable escalation of privilege and/or denial of service via local access. CVSS Base Score: 8.4 High CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H CVEID: CVE-2020-0542 Description: Improper buffer restrictions in subsystem for Intel(R) CSME versions before 12.0.64, 13.0.32, 14.0.33 and 14.5.12 may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access. CVSS Base Score: 7.8 High CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVEID: CVE-2020-0596 Description: Improper input validation in DHCPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable information disclosure via network access. CVSS Base Score: 7.5 High CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVEID: CVE-2020-0538 Description: Improper input validation in subsystem for Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable denial of service via network access. CVSS Base Score: 7.5 High CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVEID: CVE-2020-0534 Description: Improper input validation in the DAL subsystem for Intel(R) CSME versions before 12.0.64, 13.0.32, 14.0.33 and 14.5.12 may allow an unauthenticated user to potentially enable denial of service via network access. CVSS Base Score: 7.5 High CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVEID: CVE-2020-0533 Description: Reversible one-way hash in Intel(R) CSME versions before 11.8.76, 11.12.77 and 11.22.77 may allow a privileged user to potentially enable escalation of privilege, denial of service or information disclosure via local access. CVSS Base Score: 7.5 High CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVEID: CVE-2020-0566 Description: Improper Access Control in subsystem for Intel(R) TXE versions before 3.175 and 4.0.25 may allow an unauthenticated user to potentially enable escalation of privilege via physical access. CVSS Base Score: 7.3 High CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N CVEID: CVE-2020-0532 Description: Improper input validation in subsystem for Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable denial of service or information disclosure via adjacent access. CVSS Base Score: 7.1 High CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVEID: CVE-2020-0541 Description: Out-of-bounds write in subsystem for Intel(R) CSME versions before 12.0.64, 13.0.32, 14.0.33 and 14.5.12 may allow a privileged user to potentially enable escalation of privilege via local access. CVSS Base Score: 6.7 Medium CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVEID: CVE-2020-0597 Description: Out-of-bounds read in IPv6 subsystem in Intel(R) AMT and Intel(R) ISM versions before 14.0.33 may allow an unauthenticated user to potentially enable denial of service via network access. CVSS Base Score: 6.5 Medium CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVEID: CVE-2020-0531 Description: Improper input validation in Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an authenticated user to potentially enable information disclosure via network access. CVSS Base Score: 6.5 Medium CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVEID: CVE-2020-0535 Description: Improper input validation in Intel(R) AMT versions before 11.8.76, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable information disclosure via network access. CVSS Base Score: 5.3 Medium CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVEID: CVE-2020-0540 Description: Insufficiently protected credentials in Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow an unauthenticated user to potentially enable information disclosure via network access. CVSS Base Score: 5.3 Medium CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVEID: CVE-2020-0536 Description: Improper input validation in the DAL subsystem for Intel(R) CSME versions before 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32,14.0.33 and Intel TXE versions before 3.1.75 and 4.0.25 may allow an unauthenticated user to potentially enable information disclosure via network access. CVSS Base Score: 5.3 Medium CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVEID: CVE-2020-0537 Description: Improper input validation in subsystem for Intel(R) AMT versions before 11.8.77, 11.12.77, 11.22.77 and 12.0.64 may allow a privileged user to potentially enable denial of service via network access. CVSS Base Score: 4.9 Medium CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVEID: CVE-2020-0545 Description: Integer overflow in subsystem for Intel(R) CSME versions before 11.8.77, 11.12.77, 11.22.77 and Intel TXE versions before 3.1.75, 4.0.25 and Intel(R) Server Platform Services (SPS) versions before SPS_E5_04.01.04.380.0, SPS_SoC-X_04.00.04.128.0, SPS_SoC-A_04.00.04.211.0, SPS_E3_04.01.04.109.0, SPS_E3_04.08.04.070.0 may allow a privileged user to potentially enable denial of service via local access. CVSS Base Score: 4.4 Medium CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVEID: CVE-2020-8674 Description: Out-of-bounds read in DHCPv6 subsystem in Intel(R) AMT and Intel (R) ISM versions before 11.8.77, 11.12.77, 11.22.77, 12.0.64 and 14.0.33 may allow an unauthenticated user to potentially enable information disclosure via network access. CVSS Base Score: 4.3 Medium CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVEID: CVE-2020-0539 Description: Path traversal in subsystem for Intel(R) DAL software for Intel(R) CSME versions before 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32, 14.0.33 and Intel(R) TXE versions before 3.1.75, 4.0.25 may allow an unprivileged user to potentially enable denial of service via local access. CVSS Base Score: 3.3 Low CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Affected Products: Intel CSME Versions 11.0through 11.8.76, 11.10through 11.12.76, 11.20through 11.22.76, 12.0through 12.0.63, 13.0through 13.0.31, 14.0through 14.0.32, 14.5.11. Intel CSME, Intel AMT, Intel ISM, Intel DAL and Intel DAL Software before versions 11.8.77, 11.12.77, 11.22.77, 12.0.64, 13.0.32, 14.0.33, 14.5.12: +--------------------------------------------+--------------------------------------------+ |Updated Version |Replaces Version | +--------------------------------------------+--------------------------------------------+ |11.8.77 |11.0through 11.8.76 | +--------------------------------------------+--------------------------------------------+ |11.11.77 |11.10through 11.11.76 | +--------------------------------------------+--------------------------------------------+ |11.22.77 |11.20through 11.22.76 | +--------------------------------------------+--------------------------------------------+ |12.0.64 |12.0through 12.0.63 | +--------------------------------------------+--------------------------------------------+ |13.0.32 or higher |13.0.31 | +--------------------------------------------+--------------------------------------------+ |14.0.33 or higher |14.0.32 | +--------------------------------------------+--------------------------------------------+ |14.5.12 or higher |14.5.11 | +--------------------------------------------+--------------------------------------------+ Intel Server Platform Services firmware before versions SPS_E5_04.01.04.380.0, SPS_SoC-X_04.00.04.128.0, SPS_SoC-A_04.00.04.211.0, SPS_E3_04.01.04.109.0, SPS_E3_04.08.04.070.0: +--------------------------------------------+--------------------------------------------+ |Updated Version |Replaces Version | +--------------------------------------------+--------------------------------------------+ |SPS_E5_04.01.04.380.0 |SPS_E5_04.00.00.000.0 through | | | | | |SPS_E5_04.01.04.379.0 | +--------------------------------------------+--------------------------------------------+ |SPS_SoC-X_04.00.04.128.0 |SPS_SoC-X_04.00.00.000.0 through | | | | | |SPS_SoC-X_04.00.04.127.0 | +--------------------------------------------+--------------------------------------------+ |SPS_SoC-A_04.00.04.211.0 |SPS_SoC-A_04.00.00.000.0 through | | | | | |SPS_SoC-A_04.00.04.210.0 | +--------------------------------------------+--------------------------------------------+ |SPS_E3_04.01.04.109.0 |SPS_E3_04.00.00.000.0 through | | | | | |SPS_E3_04.01.04.103.0 | +--------------------------------------------+--------------------------------------------+ |SPS_E3_04.08.04.070.0 |SPS_E3_04.08.00.000.0 through | | | | | |SPS_E3_04.08.04.065.0 | +--------------------------------------------+--------------------------------------------+ |SPS_E5_04.01.04.380.0 |SPS_E5_04.00.00.000.0 through | | | | | |SPS_E5_04.01.04.379.0 | +--------------------------------------------+--------------------------------------------+ Intel TXE: +--------------------------------------------+--------------------------------------------+ |Updated Version |Replaces Version | +--------------------------------------------+--------------------------------------------+ |3.1.75 |3.0through 3.1.70 | +--------------------------------------------+--------------------------------------------+ |4.0.25 |4.0through 4.0.20 | +--------------------------------------------+--------------------------------------------+ The following CVEs assigned by Intel, correspond to a subset of the CVEs disclosed on 6/16/2020 as part of VU#257161 : +--------------------------------------------+--------------------------------------------+ |Disclosed in INTEL-SA-00295 |Disclosed in VU#257161 | +--------------------------------------------+--------------------------------------------+ |CVE-2020-0594 |CVE-2020-11899 | | | | |CVE-2020-0597 | | +--------------------------------------------+--------------------------------------------+ |CVE-2020-0595 |CVE-2020-11900 | +--------------------------------------------+--------------------------------------------+ |CVE-2020-8674 |CVE-2020-11905 | +--------------------------------------------+--------------------------------------------+ The remaining CVEs disclosed in VU#257161 have been assessed and found to be not applicable to Intel Products. Note: Firmware versions of Intel ME 3.x thru 10.x, Intel TXE 1.x thru 2.x and Intel Server Platform Services 1.x thru 2.X are no longer supported, thus were not assessed for the vulnerabilities/CVEs listed in this Technical Advisory. There is no new release planned for these versions. Recommendations: Intel recommends that users of Intel CSME, Intel SPS, Intel TXE, Intel AMT, Intel ISM and Intel DAL update to the latest versions provided by the system manufacturer that address these issues. Acknowledgements: Intel would like to thank Mark Ermolov, Dmitry Sklyarov from Positive Technologies, and Maxim Goryachy (independent) (CVE-2020-0566), Eran Shimony (CVE-2020-0539), Shlomi Oberman from JSOF (CVE-2020-8674), and an Intel Partner (CVE-2020-0545) for reporting these issues. CVE-2020-0594, CVE-2020-0595, CVE-2020-0596, and CVE-2020-0597 were also found externally. The additional issues were found internally by Intel employees. Intel would like to thank Arie Haenel, Chaya Vayzer, Moshe Wagner, Nir Ben Yosef, Piotr Skierkowski, Yaakov Cohen, Yanai Moyal, and Yossef Kuszer. Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available. Revision History Revision Date Description 1.0 06/09/2020 Initial Release 1.1 06/16/2020 Updated Acknowledgements 1.2 06/18/2020 Added CVE ID mapping to VU#257161 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXuwG4eNLKJtyKPYoAQj5kA//bzvg0Xu0l2OIMCC/CeHPj7Z2KKmDWSqH cO64EHrFsSCtqiCpuSV1hkEZRgHK8bzvT4X7wOEc7crnk9FfMsWnCW7Uvm26QRYQ dYHyvCA4zt1aFgysRNXnnNl8rTpneV2UwmCP2nHD9LJ6c3QAoz+58S3HkVkBSqD2 q/7Rxhlc6H9lAYhQSFgkQsaKOZPjEAwFc0YheoNz0LgZsjeePkQzsSNsOnbscf3i r0Zf1N5rkpHvKxYKOY8D1sCidtC7bXJXVZFUWxYb0RryvYT9VPdOKu/t8zMUtg/G tYezCjXZ/iyBpm7e7sbJJ1v9N0ZLAtFCi/VcTLJ7BXVDvaqbk4opiTZ4D92TkwwE H5ThgQfxygXlMez37Uyl/VUWWhvA3/97PIG86yVcSqfk9uv7MNqRpbSMJz8dnD+G Dlq2jDUVD6TfkBEo6fq+W5IkjvJAJXIFO6YBdWq7/ktAw0T0ab4navRiwJdkk2nI 4bxGS0Fd2NCJ+j9nd2C8Cr4f5Sa4twM+adT190ApfVORlH2cy2plQyJIi3wqsIIE ysE706S//9lohyJOBmyThcL+OIPdo+LaOfzkeis7EBGLjnk6x1YJLTfD2TGb/Szi H1F/3FS6Oe+MT7JuaGsNO9WMvX5i/QpqQgmGSeGjCBPqvdl5KnY3b4Grl++lQola 8DCq5I4znN4= =oW5/ -----END PGP SIGNATURE-----