Multiple vulnerabilities in Intel processors



Published: 2022-05-17
Risk: Low
Patch available: YES
Number of vulnerabilities: 11
CVE-ID: CVE-2021-0154, CVE-2021-0153, CVE-2021-33123, CVE-2021-0190, CVE-2021-33122, CVE-2021-0189, CVE-2021-33124, CVE-2021-33103, CVE-2021-0159, CVE-2021-0188, CVE-2021-0155
CWE-ID: CWE-20, CWE-787, CWE-284, CWE-248, CWE-691, CWE-823, CWE-441, CWE-466, CWE-252
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
Intel Xeon Processor E Family
Hardware solutions / Firmware

Intel Xeon Processor E3 v6 Family
Hardware solutions / Firmware

Intel Xeon Processor E7 v4 Family
Hardware solutions / Firmware

Intel Xeon D Processors
Hardware solutions / Firmware

Intel Xeon Processor E5 v4 Family
Hardware solutions / Firmware

Intel Core X-series Processors
Hardware solutions / Firmware

2nd Generation Intel Xeon Scalable Processors
Hardware solutions / Firmware

3rd Generation Intel Xeon Scalable Processors
Hardware solutions / Firmware

10th Generation Intel Core Processors
Hardware solutions / Firmware

8th Generation Intel Core Processors
Hardware solutions / Firmware

7th Generation Intel Core Processors
Hardware solutions / Firmware

Intel Core X-series Processor
Hardware solutions / Firmware

Intel Xeon W Processors
Hardware solutions / Firmware

Intel Xeon Processor E3 v5 Family
Hardware solutions / Firmware

Intel Core Processors with Intel Hybrid Technology
Hardware solutions / Firmware

Intel Pentium Silver N6000 Processors
Hardware solutions / Firmware

Intel Celeron N4000 Processors
Hardware solutions / Firmware

Intel Pentium Silver N5000 Processors
Hardware solutions / Firmware

11th Generation Intel Core Processors
Hardware solutions / Firmware

Rocket Lake Xeon
Hardware solutions / Other hardware appliances

9th Generation Intel Core Processors
Client/Desktop applications / Web browsers

Vendor Intel

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU63081

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0154

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS firmware. A local user can escalate privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel Xeon Processor E Family: All versions

Intel Xeon Processor E3 v6 Family: All versions

Intel Xeon Processor E7 v4 Family: All versions

Intel Xeon D Processors: All versions

Intel Xeon Processor E5 v4 Family: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

2) Out-of-bounds write

EUVDB-ID: #VU63082

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0153

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the BIOS firmware. A local user can run a specially crafted program to trigger an out-of-bounds write and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel Xeon Processor E5 v4 Family: All versions

Intel Core X-series Processors: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

3) Improper access control

EUVDB-ID: #VU63083

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-33123

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper access restrictions in the BIOS authenticated code module. A local user can obtain elevated privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

2nd Generation Intel Xeon Scalable Processors: All versions

Intel Xeon D Processors: All versions

Rocket Lake Xeon: All versions

3rd Generation Intel Xeon Scalable Processors: All versions

9th Generation Intel Core Processors: All versions

10th Generation Intel Core Processors: All versions

8th Generation Intel Core Processors: All versions

7th Generation Intel Core Processors: All versions

Intel Core X-series Processor: All versions

Intel Xeon W Processors: All versions

Intel Xeon Processor E Family: All versions

Intel Xeon Processor E3 v6 Family: All versions

Intel Xeon Processor E3 v5 Family: All versions

Intel Xeon Processor E7 v4 Family: All versions

Intel Xeon Processor E5 v4 Family: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

4) Uncaught Exception

EUVDB-ID: #VU63099

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0190

CWE-ID: CWE-248 - Uncaught Exception

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an uncaught exception in the BIOS firmware. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel Xeon Processor E5 v4 Family: All versions

Intel Core X-series Processor: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

5) Insufficient Control Flow Management

EUVDB-ID: #VU63175

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-33122

CWE-ID: CWE-691 - Insufficient Control Flow Management

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient control flow management in the BIOS firmware. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Rocket Lake Xeon: All versions

Intel Core Processors with Intel Hybrid Technology: All versions

10th Generation Intel Core Processors: All versions

Intel Pentium Silver N6000 Processors: All versions

Intel Celeron N4000 Processors: All versions

Intel Pentium Silver N5000 Processors: All versions

9th Generation Intel Core Processors: All versions

11th Generation Intel Core Processors: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

6) Use of Out-of-range Pointer Offset

EUVDB-ID: #VU63176

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0189

CWE-ID: CWE-823 - Use of Out-of-range Pointer Offset

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the use of an out-of-range pointer offset in the BIOS firmware. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

2nd Generation Intel Xeon Scalable Processors: All versions

Intel Xeon Processor E Family: All versions

Intel Xeon Processor E3 v6 Family: All versions

Intel Xeon Processor E3 v5 Family: All versions

Intel Xeon Processor E7 v4 Family: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

7) Out-of-bounds write

EUVDB-ID: #VU63177

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-33124

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the BIOS authenticated code module. A local user can run a specially crafted program to trigger an out-of-bounds write error and execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

2nd Generation Intel Xeon Scalable Processors: All versions

Intel Xeon D Processors: All versions

Rocket Lake Xeon: All versions

3rd Generation Intel Xeon Scalable Processors: All versions

10th Generation Intel Core Processors: All versions

9th Generation Intel Core Processors: All versions

8th Generation Intel Core Processors: All versions

7th Generation Intel Core Processors: All versions

Intel Core X-series Processors: All versions

Intel Xeon W Processors: All versions

Intel Xeon Processor E Family: All versions

Intel Xeon Processor E3 v6 Family: All versions

Intel Xeon Processor E3 v5 Family: All versions

Intel Xeon Processor E7 v4 Family: All versions

Intel Xeon Processor E5 v4 Family: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

8) Unintended proxy or intermediary

EUVDB-ID: #VU63178

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-33103

CWE-ID: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the presence of an unintended proxy in the BIOS authenticated code module. A local user can execute arbitrary code with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Rocket Lake Xeon: All versions

10th Generation Intel Core Processors: All versions

9th Generation Intel Core Processors: All versions

11th Generation Intel Core Processors: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

9) Input validation error

EUVDB-ID: #VU63179

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0159

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input in the BIOS authenticated code module. A local user can pass specially crafted data to the affected module and execute arbitrary code on the system with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

2nd Generation Intel Xeon Scalable Processors: All versions

3rd Generation Intel Xeon Scalable Processors: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

10) Return of pointer value outside of expected range

EUVDB-ID: #VU63180

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0188

CWE-ID: CWE-466 - Return of pointer value outside of expected range

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a boundary error in the BIOS firmware. A local user can force the firmware to return a pointer value outside of the expected range and gain access to potentially sensitive information.


Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel Xeon Processor E3 v6 Family: All versions

Intel Xeon Processor E3 v5 Family: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html

11) Unchecked Return Value

EUVDB-ID: #VU63181

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-0155

CWE-ID: CWE-252 - Unchecked Return Value

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to an unchecked return value in the BIOS firmware. A local user can gain access to potentially sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Intel Xeon D Processors: All versions

Intel Core X-series Processors: All versions

Intel Xeon Processor E7 v4 Family: All versions

Intel Xeon Processor E5 v4 Family: All versions


External links

http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00601.html


