#VU29001 Integer overflow in Intel products - CVE-2020-0545
Published: June 12, 2020
Vulnerability identifier: #VU29001
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-0545
CWE-ID: CWE-190
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Converged Security and Management Engine (CSME)
Intel Trusted Execution Engine Firmware
Intel Server Platform Services Firmware
Converged Security and Management Engine (CSME)
Intel Trusted Execution Engine Firmware
Intel Server Platform Services Firmware
Software vendor:
Intel
Intel
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in subsystem. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
Note: This vulnerability affects the following versions of Intel CSME, TXE and SPS:
CSME:
- 11.0 through 11.8.76
- 11.20 through 11.22.76
- 11.10 through 11.12.76
- 3.0 through 3.1.70
- 4.0 through 4.0.20
- SPS_E5_04.00.00.000.0 through SPS_E5_04.01.04.379.0
- SPS_SoC-X_04.00.00.000.0 through SPS_SoC-X_04.00.04.127.0
- SPS_SoC-A_04.00.00.000.0 through SPS_SoC-A_04.00.04.210.0
- SPS_E3_04.00.00.000.0 through SPS_E3_04.01.04.103.0
- SPS_E3_04.08.00.000.0 through SPS_E3_04.08.04.065.0
Remediation
Install updates from vendor's website.