Intel Security CenterINTEL:INTEL-SA-002552019.2 IPU – Intel® Ethernet 700 Series Controllers Advisory
Summary:
Potential security vulnerabilities in Intel® Ethernet 700 Series Controllers may allow an escalation of privilege, denial of service or information disclosure.** **Intel is releasing software and firmware updates to mitigate these potential vulnerabilities.
Vulnerability Details:
CVEID: CVE-2019-0140__
Description: Buffer overflow in firmware for Intel® Ethernet 700 Series Controllers before version 7.0 may allow an unauthenticated user to potentially enable an escalation of privilege via an adjacent access.
CVSS Base Score: 8.8 High
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEID: CVE-2019-0145
Description: Buffer overflow in i40e driver for Intel® Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 7.8 High
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2019-0142
Description: Insufficient access control in ilp60x64.sys driver for Intel® Ethernet 700 Series Controllers before version 1.33.0.0 may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.7 High
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVEID: CVE-2019-0139__
Description: Insufficient access control in firmware for Intel® Ethernet 700 Series Controllers before version 7.0 may allow a privileged user to potentially enable an escalation of privilege, denial of service, or information disclosure via local access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVEID: CVE-2019-0143
Description: Unhandled exception in Kernel-mode drivers for Intel® Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.
CVSS Base Score: 4.4 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CVEID: CVE-2019-0144__
Description: Unhandled exception in firmware for Intel® Ethernet 700 Series Controllers before version 7.0 may allow an authenticated user to potentially enable a denial of service via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2019-0146
Description: Resource leak in i40e driver for Intel® Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2019-0147__
Description: Insufficient input validation in i40e driver for Intel® Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.
CVSS Base Score: 5.6 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2019-0148__
Description: Resource leak in i40e driver for Intel® Ethernet 700 Series Controllers versions before 7.0 may allow an authenticated user to potentially enable a denial of service via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2019-0149__
Description: Insufficient input validation in i40e driver for Intel® Ethernet 700 Series Controllers versions before 2.8.43 may allow an authenticated user to potentially enable a denial of service via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2019-0150__
Description: Insufficient access control in firmware Intel® Ethernet 700 Series
Controllers versions before 7.0 may allow a privileged user to potentially enable a denial of service via local access.
CVSS Base Score: 6.0 Medium
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Affected Products:
Intel® Ethernet 700 Series Controller firmware before 7.0.
Intel® Ethernet 700 Series Controller Software before release version 24.0.
Recommendations:
Intel recommends updating Intel® Ethernet 700 Series Controller firmware to 7.0 or later.
Intel recommends updating Intel® Ethernet 700 Series Software to 24.0 or later.
Updates are available for download at this location: <https://downloadcenter.intel.com/product/46828/700-Series-Network-Adapters-up-to-40GbE->
Acknowledgements:
Intel would like to thank Michael Bourque for reporting CVE-2019-0142
The following issues were found internally by Intel employees. Intel would like to thank Ryan Hall from the DCG Red Team for CVE-2019-0145, CVE-2019-0146, CVE-2019-0147, CVE-2019-0148, and CVE-2019-0149, Narasimha Kumar V Mangipudi and Nagaraju N Kodalapura (Security Researchers, IPAS) for CVE-2019-142; Nagaraju N Kodalapura and Nam N Nguyen (Security Researchers, IPAS) for CVE-2019-143 and CVE-2019-0144; Hareesh Khattri (Security Researcher, IPAS) for CVE-2019-0150; Ramya Jayaram Masti and Hareesh Khattri (Security Researchers, IPAS) for CVE-2019-0140.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
Related
