Potential security vulnerabilities in some Intel® Thunderbolt™ controllers may allow denial of service. Intel is releasing firmware updates to mitigate these potential vulnerabilities.
CVEID: CVE-2020-12293
Description: Improper control of a resource through its lifetime in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 7.3 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
CVEID: CVE-2020-12294
Description: Insufficient control flow management in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 7.3 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
CVEID: CVE-2020-12295
Description: Improper input validation in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 7.3 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
CVEID: CVE-2020-12296
Description: Uncontrolled resource consumption in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 7.3 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
CVEID: CVE-2020-12291
Description: Uncontrolled resource consumption in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2020-12292
Description: Improper conditions check in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2020-12290
Description: Improper access control in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 6.5 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVEID: CVE-2020-12288
Description: Protection mechanism failure in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 3.8 Low
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
CVEID: CVE-2020-12289
Description: Out-of-bounds write in some Intel® Thunderbolt™ controllers may allow an authenticated user to potentially enable denial of service via local access.
CVSS Base Score: 3.8 Low
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L
| Thunderbolt™ 3, 4 Retimer and USB Retimer | Before Version |
|---|---|
| Intel® DSL5520 | All |
| Intel® DSL5320 | All |
| Intel® DSL6340 | All |
| Intel® DSL6540 | All |
| Intel® JHL6540 | 46 |
| Intel® JHL6340 | 46 |
| Intel® JHL6240 | 21 |
| Intel® JHL7540 | 60 |
| Intel® JHL7340 | 60 |
| Intel® JHL7440 | 60 |
| Intel® JHL8040R | 41 |
| Intel® JHL8010R | 41 |
| Intel® JHL7040 | 22 |
Intel recommends that users of Intel® Thunderbolt™ controllers update to the latest version provided by the system manufacturer that addresses these issues.
Intel recommends that users of Intel® Thunderbolt™ 3 Controller for the Intel® NUC8ixBE and NUC7ixBN update to 46 or later. Updates are available for download at this location: Intel-NUC8ixBE-and-NUC7ixBN
Intel recommends that users of Intel® Thunderbolt™ 3 Controller for the Intel® NUC10ixFN update to 60 or later. Updates are available for download at this location: Intel-NUC10ixFN
Intel recommends that users of Intel® Thunderbolt™ 3 Controller for the Intel® NUC8vPN update to 60 or later. Updates are available for download at this location: NUC8vPN
Intel recommends that users of Intel® Thunderbolt™ 3 Controller for the Intel® NUC9QN update to 60 or later. Updates are available for download at this location: NUC9QN
Intel recommends that users of Intel® Thunderbolt™ 3 for the Intel® NUC 9 Extreme Laptop Kits update to 60 or later. Updates are available for download at this location: Intel® NUC 9 Extreme Laptop Kits
Intel will not be releasing mitigation for CVEID: CVE-2020-12289 and CVE-2020-12288 for Intel® Thunderbolt™ 3 controllers JHL7540, JHL7340, JHL7440, DSL6340, DSL6540, JHL6240, JHL6540 and JHL6340. To recover from these issues a device power cycle is needed.
Intel has issued Product Discontinuation notices for the Intel® DSL5520 & DSL5320 Thunderbolt™ 2 Controllers and Intel® DSL6340 & DSL6540 Thunderbolt™ 3 Controllers and Intel recommends that users discontinue use at their earliest convenience.
These issues were found internally by Intel.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.