{"cve": [{"lastseen": "2020-10-03T13:38:35", "description": "Insufficient key protection vulnerability in silicon reference firmware for Intel(R) Pentium(R) Processor J Series, Intel(R) Pentium(R) Processor N Series, Intel(R) Celeron(R) J Series, Intel(R) Celeron(R) N Series, Intel(R) Atom(R) Processor A Series, Intel(R) Atom(R) Processor E3900 Series, Intel(R) Pentium(R) Processor Silver Series may allow a privileged user to potentially enable denial of service via local access.", "edition": 6, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 4.4, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-05-17T16:29:00", "title": "CVE-2019-0120", "type": "cve", "cwe": ["CWE-522"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0120"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:intel:celeron_n2940_firmware:-", "cpe:/o:intel:n3530_firmware:-", "cpe:/o:intel:celeron_n3450_firmware:-", "cpe:/o:intel:celeron_j3355_firmware:-", "cpe:/o:intel:celeron_j3060_firmware:-", "cpe:/o:intel:celeron_n2840_firmware:-", "cpe:/o:intel:celeron_n4000_firmware:-", "cpe:/o:intel:celeron_n2830_firmware:-", "cpe:/o:intel:celeron_n4100_firmware:-", 
"cpe:/o:intel:pentium_silver_n5000_firmware:-", "cpe:/o:intel:atom_x5-e3940_firmware:-", "cpe:/o:intel:pentium_silver_j5005_firmware:-", "cpe:/o:intel:j5005_firmware:-", "cpe:/o:intel:celeron_j3455_firmware:-", "cpe:/o:intel:celeron_n3000_firmware:-", "cpe:/o:intel:n3540_firmware:-", "cpe:/o:intel:celeron_j4005_firmware:-", "cpe:/o:intel:j3710_firmware:-", "cpe:/o:intel:atom_230_firmware:-", "cpe:/o:intel:j4205_firmware:-", "cpe:/o:intel:atom_x7-e3950_firmware:-", "cpe:/o:intel:celeron_n3350_firmware:-", "cpe:/o:intel:celeron_j4105_firmware:-", "cpe:/o:intel:atom_330_firmware:-", "cpe:/o:intel:n5000_firmware:-", "cpe:/o:intel:celeron_n2930_firmware:-", "cpe:/o:intel:celeron_j3160_firmware:-", "cpe:/o:intel:atom_x5-e3930_firmware:-"], "id": "CVE-2019-0120", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0120", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:intel:n3530_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n3350_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_j3455_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_j3060_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_j4105_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n2840_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:j4205_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_j4005_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n2940_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n3000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n4000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n3450_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:atom_330_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:atom_x7-e3950_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_j3355_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:j3710_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n2830_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n2930_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:atom_230_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:intel:pentium_silver_n5000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:atom_x5-e3940_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:j5005_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:atom_x5-e3930_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:n5000_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:n3540_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_j3160_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:pentium_silver_j5005_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:celeron_n4100_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:38:35", "description": "Insufficient access control in silicon reference firmware for Intel(R) Xeon(R) Scalable Processor, Intel(R) Xeon(R) Processor D Family may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access.", "edition": 6, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 6.7, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-17T16:29:00", "title": "CVE-2019-0126", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0126"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:intel:xeon_d-1633n_firmware:-", 
"cpe:/o:intel:xeon_d-1623n_firmware:-", "cpe:/o:intel:xeon_processor_d-1533n_firmware:-", "cpe:/o:intel:xeon_d-2163it_firmware:-", "cpe:/o:intel:xeon_processor_d-1529_firmware:-", "cpe:/o:intel:xeon_d-1602_firmware:-", "cpe:/o:intel:xeon_gold_processors_firmware:-", "cpe:/o:intel:xeon_processor_d-1521_firmware:-", "cpe:/o:intel:xeon_processor_d-1531_firmware:-", "cpe:/o:intel:xeon_silver_processors_firmware:-", "cpe:/o:intel:xeon_processor_d-1520_firmware:-", "cpe:/o:intel:xeon_d-1653n_firmware:-", "cpe:/o:intel:xeon_d-2161i_firmware:-", "cpe:/o:intel:xeon_processor_d-1527_firmware:-", "cpe:/o:intel:xeon_d-2146nt_firmware:-", "cpe:/o:intel:xeon_d-2143it_firmware:-", "cpe:/o:intel:xeon_processor_d-1543n_firmware:-", "cpe:/o:intel:xeon_d-1622_firmware:-", "cpe:/o:intel:xeon_d-2123it_firmware:-", "cpe:/o:intel:xeon_bronze_processors_firmware:-", "cpe:/o:intel:xeon_d-2191_firmware:-", "cpe:/o:intel:xeon_d-2187nt_firmware:-", "cpe:/o:intel:xeon_processor_d-1557_firmware:-", "cpe:/o:intel:xeon_processor_d-1567_firmware:-", "cpe:/o:intel:xeon_d-2145nt_firmware:-", "cpe:/o:intel:xeon_processor_d-1518_firmware:-", "cpe:/o:intel:xeon_processor_d-1548_firmware:-", "cpe:/o:intel:xeon_d-2177nt_firmware:-", "cpe:/o:intel:xeon_processor_d-1571_firmware:-", "cpe:/o:intel:xeon_d-2142it_firmware:-", "cpe:/o:intel:xeon_d-1627_firmware:-", "cpe:/o:intel:xeon_d-2183it_firmware:-", "cpe:/o:intel:xeon_processor_d-1540_firmware:-", "cpe:/o:intel:xeon_processor_d-1537_firmware:-", "cpe:/o:intel:xeon_processor_d-1523n_firmware:-", "cpe:/o:intel:xeon_processor_d-1577_firmware:-", "cpe:/o:intel:xeon_processor_d-1539_firmware:-", "cpe:/o:intel:xeon_d-2141i_firmware:-", "cpe:/o:intel:xeon_platinum_processors_firmware:-", "cpe:/o:intel:xeon_d-1637_firmware:-", "cpe:/o:intel:xeon_processor_d-1553n_firmware:-", "cpe:/o:intel:xeon_processor_d-1541_firmware:-", "cpe:/o:intel:xeon_processor_d-1559_firmware:-", "cpe:/o:intel:xeon_processor_d-1513n_firmware:-", 
"cpe:/o:intel:xeon_processor_d-1528_firmware:-", "cpe:/o:intel:xeon_d-2166nt_firmware:-", "cpe:/o:intel:xeon_d-2173it_firmware:-", "cpe:/o:intel:xeon_d-1649n_firmware:-"], "id": "CVE-2019-0126", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0126", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:intel:xeon_d-2146nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2191_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1520_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1528_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1539_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_bronze_processors_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1541_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1533n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2142it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1521_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2173it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2123it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1531_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1527_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1513n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2145nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1653n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1540_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2177nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1622_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1559_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1627_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2163it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1543n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1577_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1623n_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:intel:xeon_processor_d-1518_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_gold_processors_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2166nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1557_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1602_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_silver_processors_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1548_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_platinum_processors_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1571_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1537_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1649n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1553n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2161i_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2187nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1523n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2143it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1633n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2141i_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2183it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1529_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1567_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1637_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T13:38:35", "description": "Buffer overflow vulnerability in system firmware for Intel(R) Xeon(R) Processor D Family, Intel(R) Xeon(R) Scalable Processor, Intel(R) Server Board, Intel(R) Server System and Intel(R) Compute Module may allow a privileged user to potentially enable escalation of privilege and/or denial of service via local access.", "edition": 5, "cvss3": {"exploitabilityScore": 0.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 6.7, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-17T16:29:00", "title": "CVE-2019-0119", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0119"], "modified": "2019-06-06T20:29:00", "cpe": ["cpe:/o:intel:server_board_s1200sp_firmware:-", "cpe:/o:intel:xeon_d-1633n_firmware:-", "cpe:/o:intel:xeon_d-1623n_firmware:-", "cpe:/o:intel:hns2600bpb24_firmware:-", "cpe:/o:intel:hns2600tp24str_firmware:-", "cpe:/o:intel:hns2600kpr_firmware:-", "cpe:/o:intel:xeon_processor_d-1533n_firmware:-", "cpe:/o:intel:xeon_d-2163it_firmware:-", "cpe:/o:intel:mfs2600ki_firmware:-", "cpe:/o:intel:xeon_processor_d-1529_firmware:-", "cpe:/o:intel:hns2600kpfr_firmware:-", "cpe:/o:intel:hns2600bpb_firmware:-", "cpe:/o:intel:xeon_d-1602_firmware:-", "cpe:/o:intel:hns2600jff_firmware:-", "cpe:/o:intel:hns2600bpblc_firmware:-", "cpe:/o:intel:xeon_gold_processors_firmware:-", "cpe:/o:intel:hns2600wp_firmware:-", "cpe:/o:intel:hns2600bpblc24_firmware:-", "cpe:/o:intel:xeon_processor_d-1521_firmware:-", "cpe:/o:intel:server_board_s7200ap_firmware:-", "cpe:/o:intel:hns2600kp_firmware:-", "cpe:/o:intel:server_system_s9200wk_firmware:-", "cpe:/o:intel:server_board_s2600wf_firmware:-", "cpe:/o:intel:hns2600tp24r_firmware:-", "cpe:/o:intel:xeon_processor_d-1531_firmware:-", "cpe:/o:intel:xeon_silver_processors_firmware:-", 
"cpe:/o:intel:xeon_processor_d-1520_firmware:-", "cpe:/o:intel:xeon_d-1653n_firmware:-", "cpe:/o:intel:xeon_d-2161i_firmware:-", "cpe:/o:intel:xeon_processor_d-1527_firmware:-", "cpe:/o:intel:xeon_d-2146nt_firmware:-", "cpe:/o:intel:xeon_d-2143it_firmware:-", "cpe:/o:intel:xeon_processor_d-1543n_firmware:-", "cpe:/o:intel:xeon_d-1622_firmware:-", "cpe:/o:intel:hns2600tp_firmware:-", "cpe:/o:intel:xeon_d-2123it_firmware:-", "cpe:/o:intel:xeon_bronze_processors_firmware:-", "cpe:/o:intel:hns2600bps_firmware:-", "cpe:/o:intel:hns2600tpf_firmware:-", "cpe:/o:intel:hns7200apl_firmware:-", "cpe:/o:intel:hns2600tpnr_firmware:-", "cpe:/o:intel:hns2600kpf_firmware:-", "cpe:/o:intel:mfs5520vir_firmware:-", "cpe:/o:intel:xeon_d-2191_firmware:-", "cpe:/o:intel:xeon_d-2187nt_firmware:-", "cpe:/o:intel:hns2600bps24_firmware:-", "cpe:/o:intel:hns7200apr_firmware:-", "cpe:/o:intel:server_board_s2600wt_firmware:-", "cpe:/o:intel:hns2600wpf_firmware:-", "cpe:/o:intel:server_board_s2600kp_firmware:-", "cpe:/o:intel:xeon_processor_d-1557_firmware:-", "cpe:/o:intel:hns7200aprl_firmware:-", "cpe:/o:intel:xeon_processor_d-1567_firmware:-", "cpe:/o:intel:xeon_d-2145nt_firmware:-", "cpe:/o:intel:xeon_processor_d-1518_firmware:-", "cpe:/o:intel:xeon_processor_d-1548_firmware:-", "cpe:/o:intel:hns2600tpfr_firmware:-", "cpe:/o:intel:xeon_d-2177nt_firmware:-", "cpe:/o:intel:xeon_processor_d-1571_firmware:-", "cpe:/o:intel:hns2600jfq_firmware:-", "cpe:/o:intel:xeon_d-2142it_firmware:-", "cpe:/o:intel:hns7200ap_firmware:-", "cpe:/o:intel:hns2400lp_firmware:-", "cpe:/o:intel:xeon_d-1627_firmware:-", "cpe:/o:intel:server_board_s2600cw_firmware:-", "cpe:/o:intel:xeon_d-2183it_firmware:-", "cpe:/o:intel:xeon_processor_d-1540_firmware:-", "cpe:/o:intel:xeon_processor_d-1537_firmware:-", "cpe:/o:intel:xeon_processor_d-1523n_firmware:-", "cpe:/o:intel:xeon_processor_d-1577_firmware:-", "cpe:/o:intel:server_board_s2600tp_firmware:-", "cpe:/o:intel:xeon_processor_d-1539_firmware:-", 
"cpe:/o:intel:hns2600bpq_firmware:-", "cpe:/o:intel:xeon_d-2141i_firmware:-", "cpe:/o:intel:xeon_platinum_processors_firmware:-", "cpe:/o:intel:xeon_d-1637_firmware:-", "cpe:/o:intel:mfs5000si_firmware:-", "cpe:/o:intel:hns2600wpq_firmware:-", "cpe:/o:intel:xeon_processor_d-1553n_firmware:-", "cpe:/o:intel:hns2600bpq24_firmware:-", "cpe:/o:intel:xeon_processor_d-1541_firmware:-", "cpe:/o:intel:hns2600jf_firmware:-", "cpe:/o:intel:xeon_processor_d-1559_firmware:-", "cpe:/o:intel:xeon_processor_d-1513n_firmware:-", "cpe:/o:intel:server_board_s2600bp_firmware:-", "cpe:/o:intel:hns2600tp24sr_firmware:-", "cpe:/o:intel:xeon_processor_d-1528_firmware:-", "cpe:/o:intel:hns2600tpr_firmware:-", "cpe:/o:intel:xeon_d-2166nt_firmware:-", "cpe:/o:intel:server_board_s2600st_firmware:-", "cpe:/o:intel:xeon_d-2173it_firmware:-", "cpe:/o:intel:xeon_d-1649n_firmware:-"], "id": "CVE-2019-0119", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0119", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:intel:xeon_d-2146nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600kpf_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:mfs2600ki_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2191_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600wpq_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s7200ap_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600jf_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600jff_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600bpblc_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1520_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1528_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1539_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_bronze_processors_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1541_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s2600wt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600tp24r_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:intel:xeon_processor_d-1533n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2142it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1521_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns7200apr_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2173it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600jfq_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2123it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600bpq24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:mfs5000si_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1531_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600tpr_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600tpfr_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1527_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1513n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2145nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1653n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600bpb24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600bps24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2400lp_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1540_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2177nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1622_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1559_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1627_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2163it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600bpb_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns7200apl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600wpf_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_system_s9200wk_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1543n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns7200aprl_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1577_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600wp_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:intel:xeon_d-1623n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns7200ap_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600kpfr_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1518_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_gold_processors_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2166nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600tpf_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600kpr_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1557_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s2600kp_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1602_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_silver_processors_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1548_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s2600st_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_platinum_processors_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1571_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1537_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s2600bp_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s1200sp_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1649n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s2600wf_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600bpq_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1553n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s2600cw_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2161i_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600kp_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2187nt_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600tp_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1523n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:mfs5520vir_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600bps_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2143it_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:intel:xeon_d-1633n_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2141i_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-2183it_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600tp24sr_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1529_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600bpblc24_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600tpnr_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_processor_d-1567_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:server_board_s2600tp_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:hns2600tp24str_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:intel:xeon_d-1637_firmware:-:*:*:*:*:*:*:*"]}], "lenovo": [{"lastseen": "2020-10-14T09:02:26", "bulletinFamily": "info", "cvelist": ["CVE-2019-0119", "CVE-2019-0120", "CVE-2019-0126"], "description": "**Lenovo Security Advisory:** LEN-26294\n\n**Potential Impact**: Privilege escalation, denial of service\n\n**Severity:** High\n\n**Scope of Impact:** Industry-wide\n\n**CVE Identifier:** CVE-2019-0119 , CVE-2019-0120 , CVE-2019-0126\n\n**Summary Description: **\n\nPotential security vulnerabilities in Intel firmware may allow for escalation of privilege or denial of service.\n\n**Mitigation Strategy for Customers (what you should do to protect yourself): **\n\nIntel recommends upgrading to the firmware version (or newer) indicated for your model in the Product Impact section below.\n\n**Product Impact:**\n", "edition": 174, "modified": "2020-03-23T18:41:45", "published": "2019-05-14T11:57:39", "id": "LENOVO:PS500244-NOSID", "href": "https://support.lenovo.com/us/en/product_security/ps500244", "title": "Intel Firmware Vulnerabilities - Lenovo Support US", "type": "lenovo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T23:27:33", "bulletinFamily": "info", "cvelist": ["CVE-2019-0119", "CVE-2019-0120", "CVE-2019-0126"], "description": "**Lenovo Security Advisory:** LEN-26294\n\n**Potential Impact**: Privilege escalation, denial 
of service\n\n**Severity:** High\n\n**Scope of Impact:** Industry-wide\n\n**CVE Identifier:** CVE-2019-0119 , CVE-2019-0120 , CVE-2019-0126\n\n**Summary Description: **\n\nPotential security vulnerabilities in Intel firmware may allow for escalation of privilege or denial of service.\n\n**Mitigation Strategy for Customers (what you should do to protect yourself): **\n\nIntel recommends upgrading to the firmware version (or newer) indicated for your model in the Product Impact section below.\n\n**Product Impact:**\n", "edition": 17, "modified": "2020-03-23T18:41:45", "published": "2019-05-14T11:57:39", "id": "LENOVO:PS500244-INTEL-FIRMWARE-VULNERABILITIES-NOSID", "href": "https://support.lenovo.com/us/en/product_security/ps500244-intel-firmware-vulnerabilities", "title": "Intel Firmware Vulnerabilities - Lenovo Support US", "type": "lenovo", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2020-04-06T22:40:41", "bulletinFamily": "software", "cvelist": ["CVE-2019-0119"], "description": "\nF5 Product Development has assigned JIRA IDs CPF-25096 and CPF-25097 (Traffix SDC) to this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. 
For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 15.x | None | Not applicable | Not vulnerable | None | None \n14.x | None | Not applicable \n13.x | None | Not applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 6.x | None | Not applicable | Not vulnerable | None | None \n5.x | None | Not applicable \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Medium | [6.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>) | Intel Unified Extensible Firmware Interface (UEFI) \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-06-06T21:00:00", "published": "2019-06-06T21:00:00", "id": "F5:K85585101", "href": "https://support.f5.com/csp/article/K85585101", "title": "Intel UEFI vulnerability CVE-2019-0119", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:40:50", "bulletinFamily": "software", "cvelist": ["CVE-2019-0126"], "description": "\nF5 Product Development has assigned CPF-25094 and CPF-25095 (Traffix SDC) to this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table. 
For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, FPS, GTM, Link Controller, PEM, WebAccelerator) | 15.x | None | Not applicable | Not vulnerable | None | None \n14.x | None | Not applicable \n13.x | None | Not applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nEnterprise Manager | 3.x | None | Not applicable | Not vulnerable | None | None \nBIG-IQ Centralized Management | 6.x | None | Not applicable | Not vulnerable | None | None \n5.x | None | Not applicable \nF5 iWorkflow | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Medium | [6.7](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>) | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix and point release matrix](<https://support.f5.com/csp/article/K15113>)\n * [K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)](<https://support.f5.com/csp/article/K48955220>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n", "edition": 1, "modified": "2019-06-07T01:45:00", "published": "2019-06-07T01:45:00", "id": "F5:K37428370", "href": "https://support.f5.com/csp/article/K37428370", "title": "Intel Xeon access control vulnerability CVE-2019-0126", "type": "f5", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-06T22:39:20", "bulletinFamily": "software", 
"cvelist": ["CVE-2019-0120"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-06-06T07:49:00", "published": "2019-06-06T07:49:00", "id": "F5:K29002929", "href": "https://support.f5.com/csp/article/K29002929", "title": "INTEL-SA-00223 - Intel Unified Extensible Firmware Interface CVE-2019-0120", "type": "f5", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}}], "threatpost": [{"lastseen": "2020-04-30T12:09:17", "bulletinFamily": "info", "cvelist": ["CVE-2019-0086", "CVE-2019-0089", "CVE-2019-0090", "CVE-2019-0126", "CVE-2019-0153", "CVE-2019-0170", "CVE-2019-11085", "CVE-2019-11094", "CVE-2019-16011"], "description": "Intel has issued an updated advisory for more than 30 fixes addressing vulnerabilities across various products \u2013 including a critical flaw in Intel\u2019s converged security and management engine (CSME) that could enable privilege-escalation.\n\nThe bug ([CVE-2019-0153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0153>)) exists in a subsystem of Intel CSME, which powers Intel\u2019s Active Management System hardware and firmware technology, used for remote out-of-band management of personal computers. 
An unauthenticated user could potentially abuse this flaw to enable escalation of privilege over network access, according to the Intel [advisory](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00213.html>), updated this week.\n\nThe flaw is a buffer overflow vulnerability with a CVSS score of 9 out of 10, making it critical. CSME versions 12 through 12.0.34 are impacted: \u201cIntel recommends that users of Intel CSME\u2026 update to the latest version provided by the system manufacturer that addresses these issues,\u201d according to Intel\u2019s advisory.\n\nOverall, the chip giant issued 34 fixes for various vulnerabilities \u2013 with seven of those ranking high-severity, 21 ranking medium-severity and five ranking low-severity, in addition to the critical flaw.\n\nThese latest flaws are separate from Intel\u2019s other advisory last week revealing a new class of [speculative execution vulnerabilities](<https://threatpost.com/intel-cpus-impacted-by-new-class-of-spectre-like-attacks/144728/>), dubbed Microarchitectural Data Sampling (MDS), which impact all modern Intel CPUs. Those four side-channel attacks \u2013 [ZombieLoad, Fallout, RIDL (Rogue In-Flight Data Load) and Store-to-Leak Forwarding](<https://threatpost.com/intel-zombieload-side-channel-attack-10-takeaways/144771/>) \u2013 allow for siphoning data from impacted systems.\n\n## High-Severity Flaws\n\nIn addition to the critical vulnerability, Intel released advisories for several high-severity flaws across different products.\n\n[One such glitch](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00249.html>) is an insufficient input validation that exists in the Kernel Mode Driver of Intel i915 Graphics chips for Linux. This flaw could enable an authenticated user to gain escalated privileges via local access. 
The vulnerability, [CVE-2019-11085](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11085>), scores 8.8 out of 10 on the CVSS scale. Versions of Intel i915 Graphics for Linux before version 5 are impacted; Intel recommends users update to version 5 or later.\n\nAnother high-severity flaw exists in the system firmware of Intel NUC kit (short for Next Unit of Computing), a mini PC kit that offers processing, memory and storage capabilities for applications like digital signage, media centers and kiosks.\n\nThis flaw, CVE-2019-11094, ranking 7.5 out of 10 on the CVSS scale, \u201cmay allow an authenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via local access,\u201d [according to Intel](<https://www.tenforums.com/windows-10-news/132589-intel-nuc-advisory-may-14-a.html>). Intel recommends that the impacted products (below) update to the latest firmware version.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/21161645/intel-NUC-.png>)\n\nAnother high-severity flaw, discovered internally by Intel and disclosed last week, exists in the Unified Extensible Firmware Interface (UEFI), a specification defining a software interface between an operating system and platform firmware. While UEFI is an industry-wide specification, the flaw specifically impacts UEFI firmware using the Intel reference code.\n\n\u201cMultiple potential security vulnerabilities in Intel Unified Extensible Firmware Interface (UEFI) may allow escalation of privilege and/or denial of service,\u201d according to [last week\u2019s advisory](<https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00223.html>). 
\u201cIntel is releasing firmware updates to mitigate these potential vulnerabilities.\u201d\n\nThe flaw, [CVE-2019-0126](<https://nvd.nist.gov/vuln/detail/CVE-2019-0126>), has a CVSS score of 7.2 out of 10, and may allow a privileged user to potentially enable escalation of privilege or denial of service on impacted systems.\n\nThis vulnerability stems from \u201cinsufficient access control in silicon reference firmware for Intel Xeon Scalable Processor, Intel Xeon Processor D Family,\u201d according to Intel. In order to exploit the flaw, an attacker would need local access.\n\nOther high-severity flaws include: an improper data-sanitization vulnerability in the subsystem in Intel Server Platform Services ([CVE-2019-0089](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0089>)), an insufficient access control vulnerability in subsystem for Intel CSME ([CVE-2019-0090](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0090>)), an insufficient access control vulnerability ([CVE-2019-0086](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0086>)) in Dynamic Application Loader software (an Intel tool allowing users to run small portions of Java code on Intel CSME) and a buffer overflow flaw in subsystem in Intel\u2019s Dynamic Application Loader ([CVE-2019-0170](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0170>)).\n\nLenovo for its part released an advisory with several target dates where it aims to apply patches for its Intel-impacted products, including various versions of the IdeaPad and ThinkPad ([see a full list here](<https://support.lenovo.com/us/en/product_security/LEN-26294>)).\n", "modified": "2019-05-21T21:02:56", "published": "2019-05-21T21:02:56", "id": "THREATPOST:0257327E5115B699AC58115D6D5416A1", "href": "https://threatpost.com/intel-fixes-critical-high-severity-flaws-across-several-products/144940/", "type": "threatpost", "title": "Intel Fixes Critical, High-Severity Flaws Across Several Products", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}