#VU48679 Improper Privilege Management in Converged Security and Management Engine (CSME) and Intel Trusted Execution Engine Firmware - CVE-2020-8745


| Updated: 2020-11-26

Vulnerability identifier: #VU48679

Vulnerability risk: Low

CVSSv4.0: 3.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-8745

CWE-ID: CWE-269

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Converged Security and Management Engine (CSME)
Hardware solutions / Firmware
Intel Trusted Execution Engine Firmware
Hardware solutions / Firmware

Vendor: Intel

Description

The vulnerability allows a local attacker to escalate privileges.

The vulnerability exists due to insufficient control flow management. An attacker with physical access can escalate privileges.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Converged Security and Management Engine (CSME): before 11.8.80

Intel Trusted Execution Engine Firmware: before 3.1.80

External links
https://security.netapp.com/advisory/ntap-20201113-0002/
https://security.netapp.com/advisory/ntap-20201113-0005/
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Intel CSME, TXE and SPS