History: Nov 05, 2020 - 9:15 p.m.

CVE-2020-7207

2020-11-05 21:15:13
web.nvd.nist.gov
cve-2020-7207
local elevation of privilege
hpe proliant gen10 servers
intel innovation engine
physical access security vulnerability
nvd
server security

CVSS2: 7.2 High

Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 6.8 Medium

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.4 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 30.8%)

A local elevation of privilege using physical access security vulnerability was found in HPE ProLiant Gen10 Servers using Intel Innovation Engine (IE). This attack requires a physical attack to the server motherboard. To mitigate this issue, ensure your server is always physically secured. HPE will not address this issue in the impacted Gen 10 servers listed. HPE recommends using appropriate physical security methods as a compensating control to disallow an attacker from having physical access to the server main circuit board.

Affected configurations

NVD

Node: hp apollo_2000 (match: -) AND hp apollo_2000_firmware (match: -)
Node: hp apollo_4200_gen10 (match: -) AND hp apollo_4200_gen10_firmware (match: -)
Node: hp apollo_4500 (match: -) AND hp apollo_4500_firmware (match: -)
Node: hp proliant_xl230k_gen10 (match: -) AND hp proliant_xl230k_gen10_firmware (match: -)
Node: hp proliant_xl270d_gen10 (match: -) AND hp proliant_xl270d_gen10_firmware (match: -)
Node: hp proliant_bl460c_gen10 (match: -) AND hp proliant_bl460c_gen10_firmware (match: -)
Node: hp proliant_dl120_gen10 (match: -) AND hp proliant_dl120_gen10_firmware (match: -)
Node: hp proliant_dl160_gen10 (match: -) AND hp proliant_dl160_gen10_firmware (match: -)
Node: hp proliant_dl180_gen10_firmware (match: -) AND hp proliant_dl180_gen10 (match: -)
Node: hp proliant_dl360_gen10_firmware (match: -) AND hp proliant_dl360_gen10 (match: -)
Node: hp proliant_dl380_gen10_firmware (match: -) AND hp proliant_dl380_gen10 (match: -)
Node: hp proliant_dl560_gen10_firmware (match: -) AND hp proliant_dl560_gen10 (match: -)
Node: hp proliant_dl580_gen10_firmware (match: -) AND hp proliant_dl580_gen10 (match: -)
Node: hp proliant_ml110_gen10_firmware (match: -) AND hp proliant_ml110_gen10 (match: -)
Node: hp proliant_ml350_gen10_firmware (match: -) AND hp proliant_ml350_gen10 (match: -)
Node: hp synergy_480_gen10_firmware (match: -) AND hp synergy_480_gen10 (match: -)
Node: hp synergy_660_gen10_firmware (match: -) AND hp synergy_660_gen10 (match: -)
Node: hp proliant_e910_firmware (match: -) AND hp proliant_e910 (match: -)
Node: hp proliant_xl170r_gen10_firmware (match: -) AND hp proliant_xl170r_gen10 (match: -)
Node: hp proliant_xl190r_gen10_firmware (match: -) AND hp proliant_xl190r_gen10 (match: -)
Node: hp proliant_xl230k_gen10_firmware (match: -) AND hp proliant_xl230k_gen10 (match: -)
Node: hp proliant_xl450_gen10_firmware (match: -) AND hp proliant_xl450_gen10 (match: -)

CNA Affected

[
  {
    "product": "HPE ProLiant BL460c Gen10 Server Blade; HPE ProLiant DL360 Gen10 Server; HPE ProLiant DL380 Gen10 Server; HPE ProLiant DL560 Gen10 Server; HPE ProLiant DL580 Gen10 Server; HPE ProLiant ML110 Gen10 Server; HPE ProLiant XL230k Gen10 Server; HPE Synergy 480 Gen10 Compute Module; HPE Synergy 660 Gen10 Compute Module; HPE ProLiant DL180 Gen10 Server; HPE ProLiant DL160 Gen10 Server; HPE ProLiant DL120 Gen10 Server; HPE ProLiant XL190r Gen10 Server; HPE ProLiant ML350 Gen10 Server; HPE ProLiant XL170r Gen10 Server; HPE Apollo 2000 System; HPE Apollo 4500 System; HPE ProLiant XL270d Gen10 Server; HPE Apollo 4200 Gen10 Server; HPE ProLiant e910 Server Blade; HPE ProLiant XL450 Gen10 Server; HPE ProLiant XL230k Gen10 Server - bad oid",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "all current IE firmware"
      }
    ]
  }
]
