SB2021021013 - Multiple vulnerabilities in Intel Server Boards, Server Systems and Compute Modules

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021021013

SB2021021013 - Multiple vulnerabilities in Intel Server Boards, Server Systems and Compute Modules

Published: February 10, 2021 Updated: June 21, 2021

Security Bulletin ID SB2021021013
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Local access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 vulnerabilities.


1) Buffer overflow (CVE-ID: CVE-2020-12373)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47. A local privileged user can  trigger memory corruption and execute arbitrary code on the target system with elevated privileges.



2) Improper input validation (CVE-ID: CVE-2020-12377)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a improper input validation in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47. A local privileged user can  execute arbitrary code on the target system with elevated privileges.



3) Out-of-bounds read (CVE-ID: CVE-2020-12380)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47. A local user can trigger out-of-bounds read error and escalate privileges on the system.



4) Heap-based buffer overflow (CVE-ID: CVE-2020-12375)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47. A local user can a heap-based buffer overflow and execute arbitrary code on the target system with elevated privileges.



5) Use of hard-coded cryptographic key (CVE-ID: CVE-2020-12376)

CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user gain access to sensitive information.

The vulnerability exists due to usage of a hard-coded key in the BMC firmware for some Intel(R) Server Boards, Server Systems and Compute Modules before version 2.47.A local user can gain access to sensitive information on the system.

Remediation

Install update from vendor's website.

References