Intel Security CenterINTEL:INTEL-SA-005272021.2 IPU – BIOS Advisory
Summary:
Potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow escalation of privilege, denial of service or information disclosure. Intel is releasing firmware updates to mitigate these potential vulnerabilities.****
Vulnerability Details:
CVEID: CVE-2021-0103
Description: Insufficient control flow management in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 8.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H****
CVEID: CVE-2021-0114
Description: Unchecked return value in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 7.9 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N****
CVEID: CVE-2021-0115
Description: Buffer overflow in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.9 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N****
CVEID: CVE-2021-0116
Description: Out-of-bounds write in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 7.9 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N****
CVEID: CVE-2021-0117
Description: Pointer issues in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 7.9 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N****
CVEID: CVE-2021-0118
Description: Out-of-bounds read in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 7.9 High
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N****
CVEID: CVE-2021-0099
Description: Insufficient control flow management in the firmware for some Intel® Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 7.8 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVEID: CVE-2021-0156
Description: Improper input validation in the firmware for some Intel® Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 7.5 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H****
CVEID: CVE-2021-0111
Description: NULL pointer dereference in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 7.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N****
CVEID: CVE-2021-0107
Description: Unchecked return value in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVSS Base Score: 7.2 High
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N****
CVEID: CVE-2021-0125
Description: Improper initialization in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via physical access.
CVSS Base Score: 6.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:L****
CVEID: CVE-2021-0124
Description: Improper access control in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via physical access.
CVSS Base Score: 6.3 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H****
CVEID: CVE-2021-0119
Description: Improper initialization in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via physical access.
CVSS Base Score: 5.8 Medium
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L****
CVEID: CVE-2021-0092
Description: Improper access control in the firmware for some Intel® Processors may allow a privileged user to potentially enable a denial of service via local access.
CVSS Base Score: 4.7 Medium
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H****
CVEID: CVE-2021-0091
Description: Improper access control in the firmware for some Intel® Processors may allow an unauthenticated user to potentially enable an escalation of privilege via local access.
CVSS Base Score: 3.2 Low
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N****
CVEID: CVE-2021-0093
Description: Incorrect default permissions in the firmware for some Intel® Processors may allow a privileged user to potentially enable a denial of service via local access.
CVSS Base Score: 2.4 Low
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L****
Affected Products:
- 2nd Generation Intel® Xeon® Scalable Processor Family
- Intel® Xeon® Scalable Processor Family
- Intel® Xeon® Processor W Family
- Intel® Xeon® Processor E v3 and v5 Family
- Intel® Xeon® Processor D Family
- 11th Generation Intel® Core™ Processor Family
- 10th Generation Intel® Core™ Processor Family
- 9th Generation Intel® Core™ Processor Family
- 8th Generation Intel® Core™ Processor Family
- 7th Generation Intel® Core™ Processor Family
- 6th Generation Intel® Core™ processor Family
- Intel® Core™ X-series Processor Family
- Intel® Atom® Processor C3XXX Family.
Recommendations:
Intel recommends that users of listed Intel® Processors update to the latest versions provided by the system manufacturer that addresses these issues.
Acknowledgements:
Intel would like to thank Hugo Magalhaes from Oracle for reporting CVE-2021-0107, CVE-2021-0111, CVE-2021-0114, CVE-2021-0115, CVE-2021-0116, CVE-2021-0117, CVE-2021-0118, and CVE-2021-0144.
Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.
Related
