Intel Firmware 2018.4 QSR Advisory

Summary:

Multiple potential security vulnerabilities in Intel firmware may allow for escalation of privilege, information disclosure or denial of service.** **Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2018-12201

Description: Buffer overflow vulnerability in Platform Sample / Silicon Reference firmware for 8th Generation Intel®**** Core™ Processor, 7th Generation Intel®**** Core™ Processor, Intel®**** Pentium®**** Silver J5005 Processor, Intel®**** Pentium®**** Silver N5000 Processor, Intel®**** Celeron®**** J4105 Processor, Intel®**** Celeron®**** J4005 Processor, Intel® Celeron®**** N4100 Processor and Intel®**** Celeron® N4000 Processor may allow privileged user to potentially execute arbitrary code via local access.

CVSS Base Score: 5.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID: CVE-2018-12202

Description: Privilege escalation vulnerability in Platform Sample/ Silicon Reference firmware for 8th Generation Intel®****Core™ Processor, 7th Generation Intel®****Core™ Processor may allow privileged user to potentially leverage existing features via local access.

CVSS Base Score: 5.7 Medium

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H

CVEID: CVE-2018-12203

Description: Denial of service vulnerability in Platform Sample/ Silicon Reference firmware for 8th Generation Intel® Core™ Processor, 7th Generation Intel® Core™ Processor may allow privileged user to potentially execute arbitrary code via local access.

CVSS Base Score: 2.3 Low

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

CVEID: CVE-2018-12204

Description: Improper memory initialization in Platform Sample/Silicon Reference firmware for Intel® Server Board, Intel® Server System and Intel® Compute Module may allow a privileged user to potentially enable an escalation of privilege via local access.

CVSS Base Score: 7.5 High

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVEID: CVE-2018-12205

Description: Improper certificate validation in Platform Sample/ Silicon Reference firmware for 8th Generation Intel® Core™ Processor, 7th Generation Intel® Core™ Processor may allow an unauthenticated user to potentially enable an escalation of privilege via physical access.

CVSS Base Score: 7.6 High

CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products:

Firmware included with the following platform generations:

· 8th Generation Intel® Core™ Processor

· 7th Generation Intel® Core™ Processor

· Intel®**** Pentium®**** Silver J5005 Processor

· Intel®**** Pentium®**** Silver N5000 Processor

· Intel®**** Celeron®**** J4105 Processor

· Intel®**** Celeron®**** J4005 Processor

· Intel® Celeron®** ** N4100 Processor

· Intel®** ** Celeron® N4000 Processor

· Intel®** **Server Board

· Intel® Server System

· Intel® Compute Module

Recommendations:

Intel recommends that users of the affected Intel® products** **update to the latest version provided by the system manufacturer.__

Acknowledgements:

Intel would like to thank Alexander Ermolov (CVE-2018-12204) for reporting these issues and working with us on coordinated disclosure.

The remaining issues were found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are deployed.