Multiple vulnerabilities in Intel PROSet/Wireless WiFi products



Published: 2020-11-11
Risk High
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2020-12313
CVE-2020-12314
CVE-2020-12318
CVE-2020-12317
CVE-2020-12319
CVE-2017-13080
CWE-ID CWE-399
CWE-20
CWE-254
CWE-119
CWE-320
Exploitation vector Local network
Public exploit Public exploit code for vulnerability #6 is available.
Vulnerable software
Subscribe
Intel Dual Band Wireless-AC 3165
Hardware solutions / Firmware

Intel Wireless 7265 (Rev D) Family
Hardware solutions / Firmware

Intel Dual Band Wireless-AC 3168
Hardware solutions / Firmware

Intel Dual Band Wireless-AC 8265
Hardware solutions / Firmware

Intel Wireless-AC 9260
Hardware solutions / Firmware

Intel Wireless-AC 9461
Hardware solutions / Firmware

Intel Wireless-AC 9462
Hardware solutions / Firmware

Intel Wireless-AC 9560
Hardware solutions / Firmware

Intel Wi-Fi 6 AX200
Hardware solutions / Firmware

Intel Wi-Fi 6 AX201
Hardware solutions / Firmware

Intel Dual Band Wireless-AC 8260
Hardware solutions / Firmware

Vendor Intel

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU48354

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-12313

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper management of internal resources in some Intel(R) PROSet/Wireless WiFi products before version 21.110. A remote attacker on the local network can send specially crafted traffic to the system and execute arbitrary code.

The vulnerability affects firmware on the following operating systems:

  • Windows 10
  • Linux OS
  • Chrome OS

Mitigation

Install update from vendor's  website.

Vulnerable software versions

Intel Dual Band Wireless-AC 3165: All versions

Intel Wireless 7265 (Rev D) Family: All versions

Intel Dual Band Wireless-AC 3168: All versions

Intel Dual Band Wireless-AC 8265: All versions

Intel Wireless-AC 9260: All versions

Intel Wireless-AC 9461: All versions

Intel Wireless-AC 9462: All versions

Intel Wireless-AC 9560: All versions

Intel Wi-Fi 6 AX200: All versions

Intel Wi-Fi 6 AX201: All versions

Intel Dual Band Wireless-AC 8260: 20.50.1.1 - 21.20.0


CPE2.3 External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper input validation

EUVDB-ID: #VU48355

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-12314

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in some Intel(R) PROSet/Wireless WiFi products before version 21.110. A remote attacker on the local network can send  specially crafted traffic to the system and perform a denial of service (DoS) attack.

The vulnerability affects firmware on the following operating systems:

  • Windows 10

Mitigation

Install update from vendor's  website.

Vulnerable software versions

Intel Dual Band Wireless-AC 3165: All versions

Intel Wireless 7265 (Rev D) Family: All versions

Intel Dual Band Wireless-AC 3168: All versions

Intel Dual Band Wireless-AC 8265: All versions

Intel Wireless-AC 9260: All versions

Intel Wireless-AC 9461: All versions

Intel Wireless-AC 9462: All versions

Intel Wireless-AC 9560: All versions

Intel Wi-Fi 6 AX200: All versions

Intel Wi-Fi 6 AX201: All versions

Intel Dual Band Wireless-AC 8260: 20.50.1.1 - 21.20.0


CPE2.3 External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Security restrictions bypass

EUVDB-ID: #VU48356

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-12318

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to protection mechanism failure in some Intel(R) PROSet/Wireless WiFi products before version 21.110. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.

The vulnerability affects firmware on the following operating systems:

  • Windows 10

Mitigation

Install update from vendor's  website.

Vulnerable software versions

Intel Dual Band Wireless-AC 3165: All versions

Intel Wireless 7265 (Rev D) Family: All versions

Intel Dual Band Wireless-AC 3168: All versions

Intel Dual Band Wireless-AC 8265: All versions

Intel Wireless-AC 9260: All versions

Intel Wireless-AC 9461: All versions

Intel Wireless-AC 9462: All versions

Intel Wireless-AC 9560: All versions

Intel Wi-Fi 6 AX200: All versions

Intel Wi-Fi 6 AX201: All versions

Intel Dual Band Wireless-AC 8260: 20.50.1.1 - 21.20.0


CPE2.3 External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Memory corruption

EUVDB-ID: #VU48357

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-12317

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error in some Intel(R) PROSet/Wireless WiFi products before version 21.110. A remote attacker on the local network can send specially crafted traffic, trigger memory corruption to the system and execute arbitrary code.

The vulnerability affects firmware on the following operating systems:

  • Windows 10
  • Linux OS
  • Chrome OS

Mitigation


Vulnerable software versions

Intel Dual Band Wireless-AC 3165: All versions

Intel Wireless 7265 (Rev D) Family: All versions

Intel Dual Band Wireless-AC 3168: All versions

Intel Dual Band Wireless-AC 8265: All versions

Intel Wireless-AC 9260: All versions

Intel Wireless-AC 9461: All versions

Intel Wireless-AC 9462: All versions

Intel Wireless-AC 9560: All versions

Intel Wi-Fi 6 AX200: All versions

Intel Wi-Fi 6 AX201: All versions

Intel Dual Band Wireless-AC 8260: 20.50.1.1 - 21.20.0


CPE2.3 External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Resource management error

EUVDB-ID: #VU48358

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-12319

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in some Intel(R) PROSet/Wireless WiFi products before version 21.110. A remote attacker on the local network can send specially crafted traffic to the system and perform a denial of service (DoS) attack.

The vulnerability affects firmware on the following operating systems:

  • Windows 10
  • Linux OS
  • Chrome OS

Mitigation

Install update from vendor's  website.

Vulnerable software versions

Intel Dual Band Wireless-AC 3165: All versions

Intel Wireless 7265 (Rev D) Family: All versions

Intel Dual Band Wireless-AC 3168: All versions

Intel Dual Band Wireless-AC 8265: All versions

Intel Wireless-AC 9260: All versions

Intel Wireless-AC 9461: All versions

Intel Wireless-AC 9462: All versions

Intel Wireless-AC 9560: All versions

Intel Wi-Fi 6 AX200: All versions

Intel Wi-Fi 6 AX201: All versions

Intel Dual Band Wireless-AC 8260: 20.50.1.1 - 21.20.0


CPE2.3 External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Key management errors

EUVDB-ID: #VU8840

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2017-13080

CWE-ID: CWE-320 - Key Management Errors

Exploit availability: No

Description

The vulnerability allows an adjacent attacker to force a supplicant to reinstall a previously used group key.

The weakness exists in the processing of the 802.11i 4-way handshake messages of the WPA and WPA2 protocols due to ambiguities in the processing of associated protocol messages. An adjacent attacker can use man-in-the-middle techniques to retransmit previously used message exchanges between supplicant and authenticator.

The vulnerability is dubbed "KRACK" attack.

Mitigation

Install update from vendor's  website.

Vulnerable software versions

Intel Dual Band Wireless-AC 3165: All versions

Intel Wireless 7265 (Rev D) Family: All versions

Intel Dual Band Wireless-AC 3168: All versions

Intel Dual Band Wireless-AC 8265: All versions

Intel Wireless-AC 9260: All versions

Intel Wireless-AC 9461: All versions

Intel Wireless-AC 9462: All versions

Intel Wireless-AC 9560: All versions

Intel Wi-Fi 6 AX200: All versions

Intel Wi-Fi 6 AX201: All versions

Intel Dual Band Wireless-AC 8260: 20.50.1.1 - 21.20.0


CPE2.3 External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00402.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###