An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the IPv6 component allows an unauthenticated remote attacker to cause an Out of Bounds Write, and possibly a Denial of Service via network access.
{"id": "CVE-2020-27337", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-27337", "description": "An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the IPv6 component allows an unauthenticated remote attacker to cause an Out of Bounds Write, and possibly a Denial of Service via network access.", "published": "2020-12-22T22:15:00", "modified": "2021-07-21T11:39:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27337", "reporter": "cve@mitre.org", "references": ["https://treck.com/vulnerability-response-information/", "https://security.netapp.com/advisory/ntap-20210201-0003/"], "cvelist": ["CVE-2020-27337"], "immutableFields": [], "lastseen": "2022-03-23T16:29:59", "viewCount": 85, "enchantments": {"dependencies": {"references": [{"type": "f5", "idList": ["F5:K44834280"]}, {"type": "hp", "idList": ["HP:C06990695"]}, {"type": "ics", "idList": ["ICSA-20-353-01"]}, {"type": "intel", "idList": ["INTEL:INTEL-SA-00391"]}, {"type": 
"nessus", "idList": ["ARUBAOS-SWITCH_ARUBA-PSA-2021-003.NASL"]}, {"type": "thn", "idList": ["THN:16FE02C52CCB308E7739CDE97FA32A3C"]}]}, "score": {"value": 5.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "f5", "idList": ["F5:K44834280"]}, {"type": "hp", "idList": ["HP:C06990695"]}, {"type": "nessus", "idList": ["ARUBAOS-SWITCH_ARUBA-PSA-2021-003.NASL"]}, {"type": "thn", "idList": ["THN:16FE02C52CCB308E7739CDE97FA32A3C"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "treck ipv6", "version": 6}]}, "vulnersScore": 5.5}, "_state": {"dependencies": 1659988328, "score": 1659893617, "affected_software_major_version": 1671593568}, "_internal": {"score_hash": "c45ca9a4c5702ea8481250ffc01b378a"}, "cna_cvss": {"cna": "MITRE", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "score": 7.3}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-787", "CWE-20"], "affectedSoftware": [{"cpeName": "treck:ipv6", "version": "6.0.1.68", "operator": "lt", "name": "treck ipv6"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:treck:ipv6:6.0.1.68:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.1.68", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://treck.com/vulnerability-response-information/", "name": "https://treck.com/vulnerability-response-information/", "refsource": "CONFIRM", "tags": ["Vendor Advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20210201-0003/", "name": "https://security.netapp.com/advisory/ntap-20210201-0003/", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}]}
{"nessus": [{"lastseen": "2023-01-11T14:49:58", "description": "According to its self-reported version number the remote host is affected by a memory corruption vulnerability. An unauthenticated, remote host can exploit this to disclose sensitive information / memory contents or execute arbitrary code.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-06-14T00:00:00", "type": "nessus", "title": "ArubaOS-Switch Memory Corruption Vulnerability (ARUBA-PSA-2021-003)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-27337"], "modified": "2021-07-01T00:00:00", "cpe": ["cpe:/o:arubanetworks:arubaos", "cpe:/o:hp:arubaos", "x-cpe:/o:arubanetworks:arubaos-switch"], "id": "ARUBAOS-SWITCH_ARUBA-PSA-2021-003.NASL", "href": "https://www.tenable.com/plugins/nessus/150752", "sourceData": "#TRUSTED 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\n#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, 
Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150752);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/01\");\n\n script_cve_id(\"CVE-2020-27337\");\n\n script_name(english:\"ArubaOS-Switch Memory Corruption Vulnerability (ARUBA-PSA-2021-003)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by a memory corruption vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number the remote host is affected by a memory corruption vulnerability. An \nunauthenticated, remote host can exploit this to disclose sensitive information / memory contents or execute arbitrary \ncode.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-003.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant ArubaOS-Switch version as referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-27337\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/06/14\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:arubanetworks:arubaos\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:arubaos\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:arubanetworks:arubaos-switch\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"arubaos_installed.nbin\", \"arubaos_detect.nbin\");\n script_require_ports(\"installed_sw/ArubaOS\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::aruba::combined_get_app_info(os_flavour:'ArubaOS-Switch');\nvar model = app_info['Model'];\nif (empty_or_null(model) && report_paranoia < 2)\n audit(AUDIT_POTENTIAL_VULN, 'ArubaOS-Switch', app_info.version);\n\n\nvar constraints = [];\n\nif (model =~ \"54[0-9]{2}R\\s*zl2\" || model =~ \"3810M\" || model =~ \"2930[FM]\" || model =~ \"2920\" || model =~ \"2530\")\n{\n constraints = [\n {'min_version':'0.0', 'fixed_version':'16.08.0019'},\n {'min_version':'16.09', 'fixed_version':'16.09.0015'},\n {'min_version':'16.10', 'fixed_version':'16.10.0012'}\n ];\n}\nelse if (model =~ \"5400R\\s*zl1\")\n{\n constraints = [{'fixed_version':'16.02.0032'}];\n}\nelse if (model =~ \"3800\" || model =~ \"2620\")\n{\n constraints = [{'fixed_version':'16.04.0022'}];\n}\nelse if (model =~ \"2[69]15\")\n{\n constraints = [{'fixed_version':'15.16.0023'}];\n}\nelse if (model =~ \"62[0-9]{2}\\s*yl\" || model =~ \"82[0-9]{2}\\s*zl\")\n{\n constraints = [{'fixed_version':'15.18.0024'}];\n}\nelse if (model =~ \"35[0-9]{2}(\\s*yl)?\")\n{\n constraints = [{'fixed_version':'16.02.0032'}];\n}\nelse if (!empty_or_null(model))\n{\n audit(AUDIT_DEVICE_NOT_VULN, model);\n}\nelse # Paranoid, no model case = flag widest possible range\n{\n constraints = [\n 
{'min_version':'0.0', 'fixed_version':'16.08.0019'},\n {'min_version':'16.09', 'fixed_version':'16.09.0015'},\n {'min_version':'16.10', 'fixed_version':'16.10.0012'}\n ];\n}\n\n# Only vuln if IPv6 enabled.\nvar config = get_kb_item('Secret/Host/Aruba/show_running-config');\nif (empty_or_null(config)) \n{\n if (report_paranoia < 2)\n audit(AUDIT_POTENTIAL_VULN, 'ArubaOS-Switch');\n} \nelse if (!preg(string:config, pattern:\"\\s*ipv6 enable\", multiline:TRUE))\n audit(AUDIT_OS_CONF_NOT_VULN, app_info.app, app_info.version);\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hp": [{"lastseen": "2021-09-21T01:06:03", "description": "## Potential Security Impact\nDenial of Service\n\n**Source:** HP, HP Product Security Response Team (PSRT)\n\n\n## VULNERABILITY SUMMARY\nHP has identified a potential security vulnerability with the IPv6 network\nstack of certain HP and Samsung branded printers that could result in a denial\nof service.\n\n\n## RESOLUTION\nHP is actively investigating the referenced potential security vulnerability.\nPlease subscribe to HP Security Bulletin alerts as described below for further\nupdates on the issue. The current recommendation to help mitigate potential\nexploitation of the vulnerability is to disable IPv6 on the printer.\n\nTo disable IPv6, access the Embedded Web Server (EWS) on the printer, and then\nselect Enable IPv4 only as illustrated below.\n\n\n\nFor more information on accessing the EWS, refer to [HP Printers - Using the\nHP Printer Embedded Web Server (EWS)](/us-en/document/c01123173).\n\n", "cvss3": {}, "published": "2020-12-27T00:00:00", "type": "hp", "title": "HPSBPI03709 rev. 
1 - Certain HP and Samsung-branded Print Products - IPv6 Network Stack Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-27337", "CVE-2020-27338", "CVE-2020-27336"], "modified": "2020-12-27T00:00:00", "id": "HP:C06990695", "href": "https://support.hp.com/us-en/document/c06990695", "cvss": {"score": "5.3", "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/"}}], "thn": [{"lastseen": "2022-05-09T12:38:40", "description": "[](<https://thehackernews.com/images/-UD0rDsl5aC0/X-Lo00vPygI/AAAAAAAABUw/roisEcRSbQ4jssrvBxOQ_cD2MlnVzsZUwCLcBGAsYHQ/s0/iot-devices.jpg>)\n\nThe US Cybersecurity Infrastructure and Security Agency (CISA) has [warned](<https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01>) of critical vulnerabilities in a low-level TCP/IP software library developed by Treck that, if weaponized, could allow remote attackers to run arbitrary commands and mount denial-of-service (DoS) attacks.\n\nThe four flaws affect Treck TCP/IP stack version 6.0.1.67 and earlier and were reported to the company by Intel. Two of these are rated critical in severity.\n\nTreck's embedded TCP/IP stack is deployed worldwide in manufacturing, information technology, healthcare, and transportation systems.\n\nThe most severe of them is a heap-based buffer overflow vulnerability (**CVE-2020-25066**) in the Treck HTTP Server component that could permit an adversary to crash or reset the target device and even execute remote code. 
It has a CVSS score of 9.8 out of a maximum of 10.\n\nThe second flaw is an out-of-bounds write in the IPv6 component (**CVE-2020-27337**, CVSS score 9.1) that could be exploited by an unauthenticated user to cause a DoS condition via network access.\n\nTwo other vulnerabilities concern an out-of-bounds read in the IPv6 component (**CVE-2020-27338**, CVSS score 5.9) that could be leveraged by an unauthenticated attacker to cause DoS and an improper input validation in the same module (**CVE-2020-27336**, CVSS score 3.7) that could result in an out-of-bounds read of up to three bytes via network access.\n\nTreck [recommends](<https://treck.com/vulnerability-response-information/>) users to update the stack to version 6.0.1.68 to address the flaws. In cases where the latest patches cannot be applied, it's advised that firewall rules are implemented to filter out packets that contain a negative content-length in the HTTP header.\n\nThe disclosure of new flaws in Treck TCP/IP stack comes six months after Israeli cybersecurity company JSOF uncovered 19 vulnerabilities in the software library \u2014 dubbed [Ripple20](<https://thehackernews.com/2020/06/new-critical-flaws-put-billions-of.html>) \u2014 that could make it possible for attackers to gain complete control over targeted IoT devices without requiring any user interaction.\n\nWhat's more, earlier this month, Forescout researchers revealed 33 vulnerabilities \u2014 collectively called [AMNESIA:33](<https://thehackernews.com/2020/12/amnesia33-critical-tcpip-flaws-affect.html>) \u2014 impacting open-source TCP/IP protocol stacks that could be abused by a bad actor to take over a vulnerable system.\n\nGiven the complex IoT supply chain involved, the company has released a new detection tool called \"project-memoria-detector\" to identify whether a target network device runs a vulnerable TCP/IP stack in a lab setting.\n\nYou can access the tool via GitHub 
[here](<https://github.com/Forescout/project-memoria-detector>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-23T06:51:00", "type": "thn", "title": "New Critical Flaws in Treck TCP/IP Stack Affect Millions of IoT Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25066", "CVE-2020-27336", "CVE-2020-27337", "CVE-2020-27338"], "modified": "2020-12-23T06:51:43", "id": "THN:16FE02C52CCB308E7739CDE97FA32A3C", "href": "https://thehackernews.com/2020/12/new-critical-flaws-in-treck-tcpip-stack.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2022-02-10T00:00:00", "description": " * [CVE-2020-25066](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25066>)\n\nA heap-based buffer overflow in the Treck HTTP Server component before 6.0.1.68 allows remote attackers to 
cause a denial of service (crash/reset) or to possibly execute arbitrary code.\n\n * [CVE-2020-27336](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27336>)\n\nAn issue was discovered in Treck IPv6 before 6.0.1.68. Improper input validation in the IPv6 component when handling a packet sent by an unauthenticated remote attacker could result in an out-of-bounds read of up to three bytes via network access.\n\n * [CVE-2020-27337](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27337>)\n\nAn issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the IPv6 component allows an unauthenticated remote attacker to cause an Out of Bounds Write, and possibly a Denial of Service via network access.\n\n * [CVE-2020-27338](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27338>)\n\nAn issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the DHCPv6 client component allows an unauthenticated remote attacker to cause an Out of Bounds Read, and possibly a Denial of Service via adjacent network access.\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-13T02:39:00", "type": "f5", "title": "Multiple Treck vulnerabilities CVE-2020-25066, CVE-2020-27336, CVE-2020-27337, and CVE-2020-27338", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25066", "CVE-2020-27336", "CVE-2020-27337", "CVE-2020-27338"], "modified": "2021-01-13T02:39:00", "id": "F5:K44834280", "href": "https://support.f5.com/csp/article/K44834280", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2022-10-26T00:15:37", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION:** Exploitable remotely\n * **Vendor:** Treck Inc.\n * **Equipment:** TCP/IP\n * **Vulnerability:** Heap-based Buffer Overflow, Out-of-bounds Read, Out-of-bounds Write\n\nThe Treck TCP/IP stack may be known by other names such as Kasago TCP/IP, ELMIC, Net+ OS, Quadnet, GHNET v2, Kwiknet, or AMX.\n\n## 2\\. UPDATE INFORMATION\n\nThis updated advisory is a follow-up to the original advisory titled ICSA-20-353-01 Treck TCP/IP Stack that was published December 18, 2020, to the ICS webpage on us-cert.cisa.gov.\n\n## 3\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability may allow remote code execution and a denial-of-service condition.\n\n## 4\\. TECHNICAL DETAILS\n\n### 4.1 AFFECTED PRODUCTS\n\nThe following components of Treck TCP/IP stack Version 6.0.1.67 and prior are affected:\n\n * HTTP Server \n * IPv6\n * DHCPv6\n\n### 4.2 VULNERABILITY OVERVIEW\n\n#### 4.2.1 [HEAP-BASED BUFFER OVERFLOW CWE-122](<https://cwe.mitre.org/data/definitions/122.html>)\n\nA vulnerability in Treck HTTP Server components allows an attacker to cause a denial-of-service condition. This vulnerability may also result in arbitrary code execution.\n\n[CVE-2020-25066](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25066>) has been assigned to this vulnerability. 
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 4.2.2 [OUT-OF-BOUNDS WRITE CWE-787](<https://cwe.mitre.org/data/definitions/787.html>)\n\nAn out-of-bounds write in the IPv6 component may allow an unauthenticated user to potentially cause a possible denial-of-service via network access.\n\n[CVE-2020-27337](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27337>) has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H>)).\n\n#### 4.2.3 [OUT-OF-BOUNDS READ CWE-125](<https://cwe.mitre.org/data/definitions/125.html>)\n\nAn issue was discovered in Treck IPv6. An out-of-bound read in the DHCPv6 client component may allow an unauthenticated user to cause a possible denial-of-service via adjacent network access.\n\n[CVE-2020-27338](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27338>) has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ([AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H>)).\n\n#### 4.2.4 [OUT-OF-BOUNDS READ CWE-125](<https://cwe.mitre.org/data/definitions/125.html>)\n\nImproper input validation in the IPv6 component may allow an unauthenticated user to cause an out-of-bounds read of up to three bytes via network access.\n\n[CVE-2020-27336](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27336>) has been assigned to this vulnerability. 
A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N>)).\n\n### 4.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Critical Manufacturing, Information Technology, Healthcare and Public Health, Transportation Systems\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **United States\n\n### 4.4 RESEARCHER\n\n**\\--------- Begin Update A Part 1 of 1 ---------**\n\nArie Haenel, Ofek Mostovoy, Yaakov Cohen, Yocheved Butterman, and Yossef Kuszer from Intel reported these vulnerabilities to Treck.\n\n**\\--------- End Update A Part 1 of 1 ---------**\n\n## 5\\. MITIGATIONS\n\nTreck recommends users apply the latest version of the affected products (Treck TCP/IP 6.0.1.68 or later versions). To obtain patches, email [security@treck.com](<mailto:security@treck.com>)\n\nTreck recommends users who cannot apply the latest patches to implement firewall rules to filter out packets that contain a negative content length in the HTTP header.\n\nFor more detailed information on the vulnerabilities and the mitigating controls, please see the [Treck advisory](<https://treck.com/vulnerability-response-information/>). \n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nHigh skill level is needed to exploit. No known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-26T00:00:00", "type": "ics", "title": "Treck TCP/IP Stack (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-25066", "CVE-2020-27336", "CVE-2020-27337", "CVE-2020-27338"], "modified": "2021-01-26T00:00:00", "id": "ICSA-20-353-01", "href": "https://www.us-cert.gov/ics/advisories/icsa-20-353-01", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "intel": [{"lastseen": "2022-12-10T02:29:59", "description": "### Summary: \n\nPotential security vulnerabilities in Intel\u00ae Converged Security and Manageability Engine (CSME), Server Platform Services (SPS), Intel\u00ae 
Trusted Execution Engine (TXE), Intel\u00ae Dynamic Application Loader (DAL), Intel\u00ae Active Management Technology (AMT), Intel\u00ae Standard Manageability (ISM) and Intel\u00ae Dynamic Application Loader (Intel\u00ae DAL) may allow escalation of privilege, denial of service or information disclosure. Intel is releasing firmware and software updates to mitigate these potential vulnerabilities.\n\nIntel is not releasing updates to mitigate a potential vulnerability and has issued a Product Discontinuation Notice for Intel\u00ae DAL SDK.\n\n### Vulnerability Details:\n\nCVEID: [CVE-2020-8752](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8752>)\n\nDescription: Out-of-bounds write in IPv6 subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 14.0.45 may allow an unauthenticated user to potentially enable escalation of privileges via network access.\n\nCVSS Base Score: 9.4 Critical\n\nCVSS Vector: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L>)\n\nCVEID: [CVE-2020-8753](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8753>)\n\nDescription: Out-of-bounds read in DHCP subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access.\n\nCVSS Base Score: 8.2 High\n\nCVSS Vector: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L>)\n\nCVEID: [CVE-2020-12297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12297>)\n\nDescription: Improper access control in Installer for Intel(R) CSME Driver for Windows versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel TXE 3.1.80, 4.0.30 may allow an authenticated user to potentially enable escalation of 
privileges via local access.\n\nCVSS Base Score: 8.2 High\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H>)\n\nCVEID: [CVE-2020-12304](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12304>)\n\nDescription: Improper access control in Installer for Intel(R) DAL SDK before version 2.1 for Windows may allow an authenticated user to potentially enable escalation of privileges via local access.\n\nCVSS Base Score: 8.2 High\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H>)\n\nCVEID: [CVE-2020-8745](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020->)\n\nDescription: Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.\n\nCVSS Base Score: 7.3 High\n\nCVSS Vector: [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N>)\n\nCVEID: [CVE-2020-8744](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8744>)\n\nDescription: Improper initialization in subsystem for Intel(R) CSME versions before 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel\u00ae TXE versions before 4.0.30, Intel(R) SPS versions before E3_05.01.04.200 may allow a privileged user to potentially enable escalation of privilege via local access.\n\nCVSS Base Score: 7.2 High\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N>)\n\nCVEID: [CVE-2020-8705](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8705>)\n\nDescription: Insecure default initialization 
of resource in Intel(R) Boot Guard in Intel(R) CSME versions before 11.8.82, 11.12.82, 11.22.82, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel(R) TXE versions before 3.1.80 and 4.0.30, Intel(R) SPS versions before E5_04.01.04.400, E3_04.01.04.200, SoC-X_04.00.04.200 and SoC-A_04.00.04.300 may allow an unauthenticated user to potentially enable escalation of privileges via physical access.\n\nCVSS Base Score: 7.1 High\n\nCVSS Vector: [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H>)\n\nCVEID: [CVE-2020-8750](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8750>)\n\nDescription: Use after free in Kernel Mode Driver for Intel(R) TXE versions before 3.1.80 and 4.0.30 may allow an authenticated user to potentially enable escalation of privilege via local access.\n\nCVSS Base Score: 7.0 High\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>)\n\nCVEID: [CVE-2020-12303](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12303>)\n\nDescription: Use after free in DAL subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel\u00ae TXE 3.1.80, 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access.\n\nCVSS Base Score: 7.0 High\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H>)\n\nCVE ID: [CVE-2020-12354](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12354>)\n\nDescription: Incorrect default permissions in Windows(R) installer in Intel(R) AMT SDK versions before 14.0.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access.\n\nCVSS Base Score: 6.7 Medium\n\nCVSS Vector: 
[CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H>)\n\nCVEID: [CVE-2020-8757](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8757>)\n\nDescription: Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.\n\nCVSS Base Score: 6.3 Medium\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L>)\n\nCVEID: [CVE-2020-8756](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8756>)\n\nDescription: Improper input validation in subsystem for Intel(R) CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.\n\nCVSS Base Score: 6.3 Medium\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L>)\n\nCVEID: [CVE-2020-8760](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8760>)\n\nDescription: Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.\n\nCVSS Base Score: 6.0 Medium\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L>)\n\nCVE ID: [CVE-2020-12355](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12355>)\n\nDescription: Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in Intel(R) TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.\n\nCVSS Base Score: 5.3 
Medium\n\nCVSS Vector: [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N>)\n\nCVEID: [CVE-2020-8751](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8751>)\n\nDescription: Insufficient control flow management in subsystem for Intel(R) CSME versions before 11.8.80, Intel(R) TXE versions before 3.1.80 may allow an unauthenticated user to potentially enable information disclosure via physical access.\n\nCVSS Base Score: 5.3 Medium\n\nCVSS Vector: [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N>)\n\nCVEID: [CVE-2020-8754](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8754>)\n\nDescription: Out-of-bounds read in subsystem for Intel(R) AMT, Intel(R) ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access.\n\nCVSS Base Score: 5.3 Medium\n\nCVSS Vector: [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N>)\n\nCVEID: [CVE-2020-8761](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8761>)\n\nDescription: Inadequate encryption strength in subsystem for Intel(R) CSME versions before 13.0.40 and 13.30.10 may allow an unauthenticated user to potentially enable information disclosure via physical access.\n\nCVSS Base Score: 4.9 Medium\n\nCVSS Vector: [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N>)\n\nCVEID: [CVE-2020-8747](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8747>)\n\nDescription: Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure and/or denial of 
service via network access.\n\nCVSS Base Score: 4.8 Medium\n\nCVSS Vector: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L>)\n\nCVEID: [CVE-2020-8755](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8755>)\n\nDescription: Race condition in subsystem for Intel(R) CSME versions before 12.0.70 and 14.0.45, Intel(R) SPS versions before E5_04.01.04.400 and E3_05.01.04.200 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.\n\nCVSS Base Score: 4.6 Medium\n\nCVSS Vector: [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)\n\nCVE ID: [CVE-2020-12356](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12356>)\n\nDescription: Out-of-bounds read in subsystem in Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable information disclosure via local access.\n\nCVSS Base Score: 4.4 Medium\n\nCVSS Vector: [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N>)\n\nCVEID: [CVE-2020-8746](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8746>)\n\nDescription: Integer overflow in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable denial of service via adjacent access.\n\nCVSS Base Score: 4.3 Medium\n\nCVSS Vector: [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L>)\n\nCVEID: [CVE-2020-8749](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8749>)\n\nDescription: Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to 
potentially enable escalation of privilege via adjacent access.\n\nCVSS Base Score: 4.2 Medium\n\nCVSS Vector: [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N](<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N>)\n\n### Affected Products:\n\n * Intel\u00ae CSME and Intel\u00ae AMT versions before 11.8.82, 11.12.82, 11.22.82, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25.\n * Intel\u00ae TXE versions before 3.1.80 and 4.0.30.\n * Intel\u00ae Server Platform Services firmware versions before SPS_E5_04.01.04.400, SPS_E3_05.01.04.200, SPS_E3_04.01.04.200, SPS_SoC-X_04.00.04.200 and SPS_SoC-A_04.00.04.300.\n\nThe following CVEs, assigned by Intel, correspond to a subset of the CVEs disclosed on 12/18/2020 as part of [ICSA-20-353-01](<https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01>):\n\n| Disclosed in INTEL-SA-00391 | Disclosed in [ICSA-20-353-01](<https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01>) |\n|---|---|\n| CVE-2020-8752 | CVE-2020-27337 |\n| CVE-2020-8753 | CVE-2020-27338 |\n| CVE-2020-8754 | CVE-2020-27336 |\n\nNote: Firmware versions of Intel\u00ae ME 3.x thru 10.x, Intel\u00ae TXE 1.x thru 2.x, and Intel\u00ae Server Platform Services 1.x thru 2.X are no longer supported versions. There is no new general release planned for these versions.\n\n### Recommendations:\n\nIntel recommends that users of Intel\u00ae CSME, Intel\u00ae TXE, Intel\u00ae AMT and Intel\u00ae SPS update to the latest version provided by the system manufacturer that addresses these issues.\n\nThe Intel\u00ae AMT SDK is available for download [here](<https://software.intel.com/content/www/us/en/develop/download/intel-active-management-technology-sdk.html>). 
\n\nIntel has issued a Product Discontinuation notice for the Intel\u00ae DAL SDK and recommends that users of the Intel\u00ae DAL SDK uninstall it or discontinue use at their earliest convenience.\n\n### Acknowledgements:\n\nIntel would like to thank Trammell Hudson (CVE-2020-8705), Marius Gabriel Mihai (CVE-2020-12354, CVE-2020-12304), Oussama Sahnoun (CVE-2020-12297), Rotem Sela and Brian Mastenbrook (CVE-2020-12355) for reporting these issues.\n\nThe additional issues were found internally by Intel employees. Intel would like to thank Arie Haenel, Aviya Erenfeld, Binyamin Belaciano, Dmitry Piotrovsky, Julien Lenoir, Niv Israely, Ofek Mostovoy, Yakov Cohen and Yossef Kuszer.\n\nIntel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.\n", "cvss3": {}, "published": "2022-05-12T00:00:00", "type": "intel", "title": "2020.2 IPU \u2013 Intel\u00ae CSME, SPS, TXE, and AMT\u00a0Advisory", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-12297", "CVE-2020-12303", "CVE-2020-12304", "CVE-2020-12354", "CVE-2020-12355", "CVE-2020-12356", "CVE-2020-27336", "CVE-2020-27337", "CVE-2020-27338", "CVE-2020-8705", "CVE-2020-8744", "CVE-2020-8745", "CVE-2020-8746", "CVE-2020-8747", "CVE-2020-8749", "CVE-2020-8750", "CVE-2020-8751", "CVE-2020-8752", "CVE-2020-8753", "CVE-2020-8754", "CVE-2020-8755", "CVE-2020-8756", "CVE-2020-8757", "CVE-2020-8760", "CVE-2020-8761"], "modified": "2020-11-10T00:00:00", "id": "INTEL:INTEL-SA-00391", "href": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391.html", "cvss": {"score": 0.0, "vector": "NONE"}}]}