SB2019112506 - Multiple vulnerabilities in Intel Ethernet 700 Series Controllers

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2019-0150)

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in firmware. A local user can bypass implemented security restrictions and cause a denial of service (DoS) on the target system.

2) Resource exhaustion (CVE-ID: CVE-2019-0148)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a resource leak in i40e driver. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Input validation error (CVE-ID: CVE-2019-0147)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in i40e driver. A local user can cause a denial of service condition on the target system.

4) Buffer overflow (CVE-ID: CVE-2019-0145)

The vulnerability allows a local user to escalate privileges on the target system.

The vulnerability exists due to a boundary error in i40e driver. A local user can trigger memory corruption and escalate privileges on the target system.

5) Improper Handling of Exceptional Conditions (CVE-ID: CVE-2019-0144)

The vulnerability allows a local user to perform a denial of service (DoS) attack on the target system.

The vulnerability exists due to the affected software does not handle or incorrectly handles an exceptional condition in firmware. A local user can cause a denial of service condition on the target system.

6) Improper Handling of Exceptional Conditions (CVE-ID: CVE-2019-0143)

The vulnerability allows a local user to perform a denial of service (DoS) attack on the target system.

The vulnerability exists due to the affected software does not handle or incorrectly handles an exceptional condition in Kernel-mode driver. A local user can cause a denial of service condition on the target system.

7) Buffer overflow (CVE-ID: CVE-2019-0140)

The vulnerability allows a remote attacker to escalate privileges on the target system.

The vulnerability exists due to a boundary error in firmware. An attacker on adjacent network can trigger memory corruption and escalate privileges on the target system.

8) Improper access control (CVE-ID: CVE-2019-0139)

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A local user can bypass implemented security restrictions and enable an escalation of privilege, denial of service or information disclosure.

Remediation

Install update from vendor's website.

References

• https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00255.html
• https://support.f5.com/csp/article/K08441753?utm_source=f5support&utm_medium=RSS
• https://support.f5.com/csp/article/K08441753?utm_source=f5support&utm_medium=RSS