A potential security vulnerability in Intel® PROSet/Wireless WiFi Software may allow escalation of privilege. Intel is releasing software updates to mitigate this potential vulnerability.
CVEID: CVE-2018-12177
Description: Improper directory permissions in the ZeroConfig service in Intel® PROSet/Wireless WiFi Software before version 20.90.0.7 may allow an authorized user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.8 High
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products: Intel wireless products and technologies before 20.90.0.7.
· Intel® Dual Band Wireless-AC 3160
· Intel® Dual Band Wireless-AC 7260
· Intel® Dual Band Wireless-N 7260
· Intel® Wireless-N 7260
· Intel® Dual Band Wireless-AC 7260 for Desktop
· Intel® Dual Band Wireless-AC 7265 (Rev. C)
· Intel® Dual Band Wireless-N 7265 (Rev. C)
· Intel® Wireless-N 7265 (Rev. C)
· Intel® Dual Band Wireless-AC 3165
· Intel® Dual Band Wireless-AC 7265 (Rev. D)
· Intel® Dual Band Wireless-N 7265 (Rev. D)
· Intel® Wireless-N 7265 (Rev. D)
· Intel® Dual Band Wireless-AC 3168
· Intel® Tri-Band Wireless-AC 17265
· Intel® Dual Band Wireless-AC 8260
· Intel® Tri-Band Wireless-AC 18260
· Intel® Dual Band Wireless-AC 8265
· Intel® Dual Band Wireless-AC 8265 Desktop Kit
· Intel® Tri-Band Wireless-AC 18265
· Intel® Wireless-AC 9560
· Intel® Wireless-AC 9461
· Intel® Wireless-AC 9462
· Intel® Wireless-AC 9260
Intel recommends updating the Intel® PROSet/Wireless WiFi Software to 20.90.0.7 or later.
Updates are available for download at these locations:
· Check with your system manufacturer support site for the latest available version, 20.90.0.7 or later.
Or
· <https://downloadcenter.intel.com/product/72252/Intel-PROSet-Wireless-Software>
Intel would like to thank Thomas Hibbert of Insomnia Security for reporting this issue and working with us on coordinated disclosure.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed.