Intel Security Center, INTEL:INTEL-SA-00401
History: Jun 08, 2021 - 12:00 a.m.

Intel® Thunderbolt™ Controller Advisory

2021-06-08 00:00:00
Intel Security Center
www.intel.com
EPSS: 0.0004 Low

Percentile: 12.6%

Summary:

Potential security vulnerabilities in some Intel® Thunderbolt™ controllers may allow denial of service. Intel is releasing firmware updates to mitigate these potential vulnerabilities.

Vulnerability Details:

CVEID: CVE-2020-12293

Description: Improper control of a resource through its lifetime in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CVEID: CVE-2020-12294

Description: Insufficient control flow management in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CVEID: CVE-2020-12295

Description: Improper input validation in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CVEID: CVE-2020-12296

Description: Uncontrolled resource consumption in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 7.3 High

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

CVEID: CVE-2020-12291

Description: Uncontrolled resource consumption in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2020-12292

Description: Improper conditions check in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2020-12290

Description: Improper access control in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 6.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVEID: CVE-2020-12288

Description: Protection mechanism failure in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 3.8 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

CVEID: CVE-2020-12289

Description: Out-of-bounds write in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.

CVSS Base Score: 3.8 Low

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

Affected Products:

Thunderbolt™ 3, 4 Retimer and USB Retimer | Before Version
---|---
Intel® DSL5520 | All
Intel® DSL5320 | All
Intel® DSL6340 | All
Intel® DSL6540 | All
Intel® JHL6540 | 46
Intel® JHL6340 | 46
Intel® JHL6240 | 21
Intel® JHL7540 | 60
Intel® JHL7340 | 60
Intel® JHL7440 | 60
Intel® JHL8040R | 41
Intel® JHL8010R | 41
Intel® JHL7040 | 22

Recommendations:

Intel recommends that users of Intel® Thunderbolt™ controllers update to the latest version provided by the system manufacturer that addresses these issues.

Intel recommends that users of Intel® Thunderbolt™ 3 Controller for the Intel® NUC8ixBE and NUC7ixBN update to 46 or later. Updates are available for download at this location: Intel-NUC8ixBE-and-NUC7ixBN

Intel recommends that users of Intel® Thunderbolt™ 3 Controller for the Intel® NUC10ixFN update to 60 or later. Updates are available for download at this location: Intel-NUC10ixFN

Intel recommends that users of Intel® Thunderbolt™ 3 Controller for the Intel® NUC8vPN update to 60 or later. Updates are available for download at this location: NUC8vPN

Intel recommends that users of Intel® Thunderbolt™ 3 Controller for the Intel® NUC9QN update to 60 or later. Updates are available for download at this location: NUC9QN

Intel recommends that users of Intel® Thunderbolt™ 3 for the Intel® NUC 9 Extreme Laptop Kits update to 60 or later. Updates are available for download at this location: Intel® NUC 9 Extreme Laptop Kits

Intel will not be releasing a mitigation for CVE-2020-12289 and CVE-2020-12288 for Intel® Thunderbolt™ 3 controllers JHL7540, JHL7340, JHL7440, DSL6340, DSL6540, JHL6240, JHL6540 and JHL6340. To recover from these issues, a device power cycle is needed.

Intel has issued Product Discontinuation notices for the Intel® DSL5520 & DSL5320 Thunderbolt™ 2 Controllers and Intel® DSL6340 & DSL6540 Thunderbolt™ 3 Controllers and Intel recommends that users discontinue use at their earliest convenience.

Acknowledgements:

These issues were found internally by Intel.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
